2. Spring Configuration

The security:global-method-security element configures annotation-based security so that @Secured can be used to restrict access to methods.

The security:http element is set to auto-configure basic HTTP security. Inside it, the login page, the logout page, and the main style sheet are assigned to the anonymous role (unrestricted access). The rest of the site is restricted to an authenticated user in the user role. The default login and logout configuration is also customized to use custom pages that keep the site's look and feel.

Authentication is set to use JDBC-based user authentication. If the default tables are used, only the DataSource needs to be set on the security:jdbc-user-service element; other tables can be used by setting custom queries on the element. Below the security:jdbc-user-service element you will see a commented-out static configuration of users, which might be more convenient for a small application or during testing.

/WEB-INF/spring/security-context.xml
                
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security 2.0 configuration for the sample web application.
    - global-method-security: enables the @Secured annotation on methods.
    - http: URL access rules plus custom login/logout pages.
    - authentication-provider: JDBC-backed users (default schema), with a
      commented-out in-memory user list kept for development/testing.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Enable @Secured on methods; it is ignored unless this element is present -->
    <security:global-method-security secured-annotations="enabled" />
    
    <!-- auto-config="true" turns on the default form-login, http-basic and logout
         support; form-login and logout are then customized below -->
    <security:http auto-config="true">
        <!-- Restrict URLs based on role. Spring Security evaluates these rules in
             order and the first matching pattern wins, so the catch-all /** rule
             must remain last. -->
        <!-- /login* also covers the login-processing-url (/loginProcess) configured
             below, which must be reachable without a session -->
        <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        
        <!-- Only this one stylesheet is public; every other static resource falls
             under the ROLE_USER rule below -->
        <security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        
        <!-- Everything else requires an authenticated user holding ROLE_USER -->
        <security:intercept-url pattern="/**" access="ROLE_USER" />

        <!-- Override default login and logout pages.
             On a failed login the user is sent back to the login page with
             login_error=1 in the query string so the page can show a message. -->
        <security:form-login login-page="/login.html" 
                             login-processing-url="/loginProcess" 
                             default-target-url="/index.jsp" 
                             authentication-failure-url="/login.html?login_error=1" />
        <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" />
    </security:http>

    <!-- Users are looked up through JDBC using the default user/authority tables;
         "dataSource" must be a DataSource bean defined elsewhere in the context -->
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource" />
        
        <!-- 
            Plaintext passwords that correspond to the MD5 digests in the
            commented-out user-service below.
            NOTE(review): a credential list like this should not ship in a
            deployed configuration, even inside a comment; keep it with the
            test fixtures only.
            david:newyork
            alex:newjersey
            tim:illinois
        --> 
        <!-- NOTE(review): the in-memory alternative below hashes passwords with
             unsalted MD5, which is fast to brute-force. If it is ever enabled,
             use a stronger hash together with a salt-source on the
             password-encoder (confirm the supported values against the
             Spring Security 2.0 namespace reference). -->
        <!-- 
        <security:password-encoder hash="md5" />
        <security:user-service>
            <security:user name="david" password="369389d19e24204b4927e30dd7c39efc" authorities="ROLE_USER,ROLE_ADMIN" />
            <security:user name="alex" password="847c6f184197dc1545d9891d42814a7d" authorities="ROLE_USER" />
            <security:user name="tim" password="0513111ff330e25c631b5d3e9c0a4aae" authorities="ROLE_USER" />
        </security:user-service>
        -->
    </security:authentication-provider>
    
</beans>