Introduced Spring Security support.

Fixed #87

Author: php-coder

NEWS.txt

@@ -1,4 +1,5 @@
 0.2 (not released yet)
+- introduced Spring Security support
 - ported DAO layer to use Spring-Data
 - ported unit and functional tests to TestNG
 - migrated from HSQL to H2 (in test environment)

pom.xml

@@ -19,6 +19,7 @@
 		<slf4j.version>1.6.5</slf4j.version>
 		<spring.version>3.2.0.M1</spring.version>
 		<spring.data.version>1.1.0.RELEASE</spring.data.version>
+		<spring.security.version>3.1.0.RELEASE</spring.security.version>
 		<h2.version>1.3.167</h2.version>
 		<javax.validation.version>1.1.0.Alpha1</javax.validation.version>
 
@@ -112,6 +113,36 @@
 			<scope>runtime</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-web</artifactId>
+			<version>${spring.security.version}</version>
+		</dependency>
+		
+		<!--
+			spring-security-web 3.1.0 depends from spring-aop 3.0.6,
+			so to force application use spring-aop 3.1.1 we add this
+			dependency explicitly. May be removed when new Spring
+			Security will not depends from old version of Spring.
+		-->
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-aop</artifactId>
+			<version>${spring.version}</version>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-config</artifactId>
+			<version>${spring.security.version}</version>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-taglibs</artifactId>
+			<version>${spring.security.version}</version>
+		</dependency>
+		
 		<dependency>
 			<groupId>org.hibernate</groupId>
 			<artifactId>hibernate-core</artifactId>
@@ -132,12 +163,6 @@
 			<version>3.1</version>
 		</dependency>
 
-		<dependency>
-			<groupId>commons-codec</groupId>
-			<artifactId>commons-codec</artifactId>
-			<version>1.6</version>
-		</dependency>
-		
 		<dependency>
 			<groupId>commons-beanutils</groupId>
 			<artifactId>commons-beanutils</artifactId>

src/env/dev/WEB-INF/web.xml

@@ -12,6 +12,30 @@
 		<param-value>dev</param-value>
 	</context-param>
 
+	<context-param>
+		<param-name>contextClass</param-name>
+		<param-value>
+			org.springframework.web.context.support.AnnotationConfigWebApplicationContext
+		</param-value>
+	</context-param>
+	
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			ru.mystamps.web.config.ApplicationContext,
+			ru.mystamps.web.config.DevDataSource
+		</param-value>
+	</context-param>
+	
+	<listener>
+		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+	</listener>
+	
+	<!-- To expose user's request to AuthenticationFailureListener where we need it for logging -->
+	<listener>
+		<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
+	</listener>
+	
 	<servlet>
 		<servlet-name>spring</servlet-name>
 		<servlet-class>
@@ -26,8 +50,7 @@
 		<init-param>
 			<param-name>contextConfigLocation</param-name>
 			<param-value>
-				ru.mystamps.web.config.DispatcherServletContext,
-				ru.mystamps.web.config.DevDataSource
+				ru.mystamps.web.config.DispatcherServletContext
 			</param-value>
 		</init-param>
 		<load-on-startup>1</load-on-startup>
@@ -71,4 +94,16 @@
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
 
+	<filter>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<filter-class>
+			org.springframework.web.filter.DelegatingFilterProxy
+		</filter-class>
+	</filter>
+	
+	<filter-mapping>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
 </web-app>

src/env/test/WEB-INF/classes/spring/test-credentials.properties

@@ -7,9 +7,9 @@ valid_user_login = coder
 valid_user_name = Test Suite
 valid_user_password = test
 
-# Auto-calculated by SELECT SHA1(CONCAT('${salt}', '${password}'));
+# Auto-calculated by SELECT SHA1(CONCAT('${salt}', '{', '${password}', '}'));
 valid_user_password_salt = cEjinQJY3v
-valid_user_password_hash = 9a08f1a38b780eaa610e72c01db055ebee6e9d85
+valid_user_password_hash = 27e04fc489395d3167d8dd71fc47e466ee190aee
 
 # this user should always NOT exist
 invalid_user_login = test

src/env/test/WEB-INF/web.xml

@@ -12,6 +12,30 @@
 		<param-value>test</param-value>
 	</context-param>
 
+	<context-param>
+		<param-name>contextClass</param-name>
+		<param-value>
+			org.springframework.web.context.support.AnnotationConfigWebApplicationContext
+		</param-value>
+	</context-param>
+	
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			ru.mystamps.web.config.ApplicationContext,
+			ru.mystamps.web.config.TestDataSource
+		</param-value>
+	</context-param>
+	
+	<listener>
+		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+	</listener>
+	
+	<!-- To expose user's request to AuthenticationFailureListener where we need it for logging -->
+	<listener>
+		<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
+	</listener>
+	
 	<servlet>
 		<servlet-name>spring</servlet-name>
 		<servlet-class>
@@ -26,8 +50,7 @@
 		<init-param>
 			<param-name>contextConfigLocation</param-name>
 			<param-value>
-				ru.mystamps.web.config.DispatcherServletContext,
-				ru.mystamps.web.config.TestDataSource
+				ru.mystamps.web.config.DispatcherServletContext
 			</param-value>
 		</init-param>
 		<load-on-startup>1</load-on-startup>
@@ -88,4 +111,16 @@
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
 
+	<filter>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<filter-class>
+			org.springframework.web.filter.DelegatingFilterProxy
+		</filter-class>
+	</filter>
+	
+	<filter-mapping>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+	
 </web-app>

src/main/config/checkstyle-suppressions.xml

@@ -24,6 +24,5 @@
 	<suppress checks="WhitespaceAround" files="ru.mystamps.web.validation.jsr303.FieldsMismatch" />
 	<suppress checks="WhitespaceAround" files="ru.mystamps.web.validation.jsr303.UniqueCountryName" />
 	<suppress checks="WhitespaceAround" files="ru.mystamps.web.validation.jsr303.UniqueLogin" />
-	<suppress checks="WhitespaceAround" files="ru.mystamps.web.validation.jsr303.ValidCredentials" />
 
 </suppressions>

src/main/java/ru/mystamps/web/Url.java

@@ -35,10 +35,14 @@ public final class Url {
 	public static final String SUCCESSFUL_ACTIVATION_PAGE = "/successful/activation";
 
 	public static final String REGISTRATION_PAGE     = "/account/register";
+	
+	// defined at src/main/resources/spring/security.xml
 	public static final String AUTHENTICATION_PAGE   = "/account/auth";
+	public static final String LOGIN_PAGE            = "/account/login";
+	public static final String LOGOUT_PAGE           = "/account/logout";
+	
 	public static final String ACTIVATE_ACCOUNT_PAGE = "/account/activate";
 	public static final String ACTIVATE_ACCOUNT_PAGE_WITH_KEY = "/account/activate/key/{key}";
-	public static final String LOGOUT_PAGE           = "/account/logout";
 
 	public static final String ADD_SERIES_PAGE       = "/series/add";
 

src/main/java/ru/mystamps/web/controller/LogoutAccountController.java renamed to src/main/java/ru/mystamps/web/config/ApplicationContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2012 Slava Semushin <slava.semushin@gmail.com>
+ * Copyright (C) 2012 Slava Semushin <slava.semushin@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -8,33 +8,27 @@
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  */
 
-package ru.mystamps.web.controller;
+package ru.mystamps.web.config;
 
-import javax.servlet.http.HttpSession;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-
-import ru.mystamps.web.Url;
-
-@Controller
-@RequestMapping(Url.LOGOUT_PAGE)
-public class LogoutAccountController {
-	
-	@RequestMapping(method = RequestMethod.GET)
-	public String logout(final HttpSession session) {
-		session.invalidate();
-		return "redirect:" + Url.INDEX_PAGE;
-	}
-	
+@Configuration
+@Import({
+	DbConfig.class,
+	SecurityConfig.class
+})
+@ComponentScan(basePackages = {
+	"ru.mystamps.web.service"
+})
+public class ApplicationContext {
 }
-

src/main/java/ru/mystamps/web/config/DispatcherServletContext.java

@@ -22,9 +22,6 @@
 import org.springframework.context.annotation.Import;
 
 @Configuration
-@Import({
-	DbConfig.class,
-	MvcConfig.class
-})
+@Import(MvcConfig.class)
 public class DispatcherServletContext {
 }

src/main/java/ru/mystamps/web/config/MvcConfig.java

@@ -18,12 +18,15 @@
 
 package ru.mystamps.web.config;
 
+import java.util.List;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.MessageSource;
 import org.springframework.context.support.ReloadableResourceBundleMessageSource;
 import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
@@ -32,14 +35,14 @@
 import org.springframework.web.servlet.view.InternalResourceViewResolver;
 import org.springframework.web.servlet.ViewResolver;
 
+import ru.mystamps.web.support.spring.security.CustomUserDetailsArgumentResolver;
 import ru.mystamps.web.Url;
 
 @Configuration
 @EnableWebMvc
 @EnableScheduling
 @ComponentScan(basePackages = {
-	"ru.mystamps.web.controller",
-	"ru.mystamps.web.service"
+	"ru.mystamps.web.controller"
 })
 public class MvcConfig extends WebMvcConfigurerAdapter {
 
@@ -50,6 +53,7 @@ public void configureDefaultServletHandling(final DefaultServletHandlerConfigure
 
 	@Override
 	public void addViewControllers(final ViewControllerRegistry registry) {
+		registry.addViewController(Url.AUTHENTICATION_PAGE);
 		registry.addViewController(Url.INDEX_PAGE).setViewName("site/index");
 		registry.addViewController(Url.RESTORE_PASSWORD_PAGE);
 		registry.addViewController(Url.SUCCESSFUL_ACTIVATION_PAGE);
@@ -61,6 +65,11 @@ public void addResourceHandlers(final ResourceHandlerRegistry registry) {
 		registry.addResourceHandler("/static/**").addResourceLocations("/WEB-INF/static/*");
 	}
 
+	@Override
+	public void addArgumentResolvers(final List<HandlerMethodArgumentResolver> argumentResolvers) {
+		argumentResolvers.add(new CustomUserDetailsArgumentResolver());
+	}
+	
 	@Bean
 	public ViewResolver getViewResolver() {
 		final InternalResourceViewResolver viewResolver =