Secure Project

To customize user authentication and authorization define two classes and one interface. Create and place classes in their resp. packages.

• The class User.java which implements the Spring-Security interface UserDetails.
• The class UserControllerImpl.java implements the Spring-Security interface UserDetailsService and the interface UserController.java.

• The implementation of the UserController interface uses a data access object UserDaoImpl.java to save and retrieve the User data.
• The data access object is set using the interface UserDao.java and dependeny injection.

Place the login and logout JSF-pages login.xhtml and logout.xhtml in the WebContent directory. Recall that .xhtml is the default suffix for JSF pages (defined in web.xml) and that the suffix .jsf is used to refer to a JSF page.

The Welcome page index.jsp defined in the web.xml deployment descriptor is a simple redirect to the home page of the application.

Alert Be careful that any redirect actually initializes a page request since otherwise the spring security filter cannot prevent unathorized access!

• Start mysql server and create database test. Update username and password in applicationContext-DataSource.xml unless the mySQL user is root with the empty password.
• Undo changes, if any and deploy to server, see section Deploy project on page Create Project.

Page request to the URL http://localhost:8080/BMCBookcase/pages/somepage.jsf are redirected to the login page, unless the user is logged in.

Login in with username test and password test. Logout with page request http://localhost:8080/BMCBookcase/logout.jsf.

Much of the above code is from http://www.minitech.org/blog/maven-spring-security-hibernate.html.

For a nice (and short) guide to Spring Security see http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/

See also the blog by Dimitar Makariev showing (among others) how to deploy a secured app to the Google Application Engine.