To have a user in the webapp we had to put it in the session and add login and registration pages. Of course the pages that were only meant for logged-in users had to be secured as well.
Being Spring users, we naturally used Spring Security for this. We wrote a simple UserDetailsService that used a repository for looking up the users and validating their credentials. The config is located in a separate applicationContext-security.xml. But first, as always, Maven and web.xml setup.
Example 13.1. Spring Security pom.xml
<dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.version}</version> </dependency>
Example 13.2. Spring Security web.xml
<context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/applicationContext-security.xml /WEB-INF/applicationContext.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Example 13.3. Spring Security applicationContext-security.xml
<security:global-method-security secured-annotations="enabled"> </security:global-method-security> <security:http auto-config="true" access-denied-page="/auth/denied"> <!-- use-expressions="true" --> <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN"/> <security:intercept-url pattern="/import/*" access="ROLE_ADMIN"/> <security:intercept-url pattern="/user/*" access="ROLE_USER"/> <security:intercept-url pattern="/auth/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <security:intercept-url pattern="/auth/register" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> <security:form-login login-page="/auth/login" authentication-failure-url="/auth/login?login_error=true" default-target-url="/user"/> <security:logout logout-url="/auth/logout" logout-success-url="/" invalidate-session="true"/> </security:http> <security:authentication-manager> <security:authentication-provider user-service-ref="userDetailsService"> <security:password-encoder hash="md5"> <security:salt-source system-wide="cewuiqwzie"/> </security:password-encoder> </security:authentication-provider> </security:authentication-manager> <bean id="userDetailsService" class="org.neo4j.movies.service.CineastsUserDetailsService"/>
Example 13.4. UserDetailsService and UserDetails implementation
@Service public class CineastsUserDetailsService implements UserDetailsService, InitializingBean { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException, DataAccessException { final User user = findUser(login); if (user==null) throw new UsernameNotFoundException("Username not found",login); return new CineastsUserDetails(user); } public User findUser(String login) { return userRepository.findByPropertyValue("login",login); } public User getUserFromSession() { SecurityContext context = SecurityContextHolder.getContext(); Authentication authentication = context.getAuthentication(); Object principal = authentication.getPrincipal(); if (principal instanceof CineastsUserDetails) { CineastsUserDetails userDetails = (CineastsUserDetails) principal; return userDetails.getUser(); } return null; } } public class CineastsUserDetails implements UserDetails { private final User user; public CineastsUserDetails(User user) { this.user = user; } @Override public Collection<GrantedAuthority> getAuthorities() { User.Roles[] roles = user.getRoles(); if (roles ==null) return Collections.emptyList(); return Arrays.<GrantedAuthority>asList(roles); } @Override public String getPassword() { return user.getPassword(); } @Override public String getUsername() { return user.getLogin(); } ... public User getUser() { return user; } }
Any logged-in user was now available in the session, and could be used for all the social
interactions. The remaining work for this was mainly adding controller methods and JSPs
for the views. We used the helper method getUserFromSession() in the controllers
to access the logged-in user and put it in the model for rendering.
Here's what the UI had evolved to:
