Hướng dẫn sử dụng Spring MVC Security và Spring JDBC (XML Config)
Công ty Vĩnh Cửu tuyển dụng lập trình viên Java

1- Giới thiệu

Tài liệu được viết dựa trên:
  • Eclipse 4.6 (NEON)

  • Spring MVC 4.x

  • Spring Security 4.x

  • Spring JDBC 4.x

  • (XML Config)

Trước khi bắt đầu với hướng dẫn này, bạn nên xem trước:
Spring MVC cho người mới bắt đầu:
Hướng dẫn sử dụng Spring JDBC:
Tại đây tôi hướng dẫn bạn tạo một ứng dụng web login sử dụng Spring MVC + Spring Security + Spring JDBC. Sử dụng XML để cấu hình. Bạn có thể tham khảo một tài liệu khác tương tự sử dụng Annotation cấu hình tại:

2- Demo

Xem Demo:

3- Chuẩn bị database

  • ORACLE:
-- Create table
create table USERS
(
  USERNAME VARCHAR2(36) not null,
  PASSWORD VARCHAR2(36) not null,
  ENABLED  NUMBER(1) not null
) ;

alter table USERS
  add constraint USER_PK primary key (USERNAME);

---------------------

-- Create table
create table USER_ROLES
(
  ROLE_ID   VARCHAR2(50) not null,
  USERNAME  VARCHAR2(36) not null,
  USER_ROLE VARCHAR2(30) not null
) ;
 
alter table USER_ROLES
  add constraint USER_ROLE_PK primary key (ROLE_ID);

alter table USER_ROLES
  add constraint USER_ROLE_UK unique (USERNAME, USER_ROLE);
 
-------------------------------
 
insert into users (USERNAME, PASSWORD, ENABLED)
values ('dbuser1', '12345', 1);

insert into users (USERNAME, PASSWORD, ENABLED)
values ('dbadmin1', '12345', 1);  


insert into User_Roles (ROLE_ID, USERNAME, USER_ROLE)
values ('1', 'dbuser1', 'USER');

insert into User_Roles (ROLE_ID, USERNAME, USER_ROLE)
values ('2', 'dbadmin1', 'ADMIN');

insert into User_Roles (ROLE_ID, USERNAME, USER_ROLE)
values ('3', 'dbadmin1', 'USER');

-------------------------------
Commit;
  • MySQL & SQL SERVER:
-- Create table
create table USERS
(
  USERNAME VARCHAR(36) not null,
  PASSWORD VARCHAR(36) not null,
  ENABLED  smallint not null
) ;

alter table USERS
  add constraint USER_PK primary key (USERNAME);

---------------------

-- Create table
create table USER_ROLES
(
  ROLE_ID   VARCHAR(50) not null,
  USERNAME  VARCHAR(36) not null,
  USER_ROLE VARCHAR(30) not null
) ;
 
alter table USER_ROLES
  add constraint USER_ROLE_PK primary key (ROLE_ID);

alter table USER_ROLES
  add constraint USER_ROLE_UK unique (USERNAME, USER_ROLE);
 
-------------------------------
 
insert into users (USERNAME, PASSWORD, ENABLED)
values ('dbuser1', '12345', 1);

insert into users (USERNAME, PASSWORD, ENABLED)
values ('dbadmin1', '12345', 1);  


insert into User_Roles (ROLE_ID, USERNAME, USER_ROLE)
values ('1', 'dbuser1', 'USER');

insert into User_Roles (ROLE_ID, USERNAME, USER_ROLE)
values ('2', 'dbadmin1', 'ADMIN');

insert into User_Roles (ROLE_ID, USERNAME, USER_ROLE)
values ('3', 'dbadmin1', 'USER');
 

4- Tạo Project

  • File/New/Other...
Nhập vào:
  • Group ID: org.o7planning
  • Artifact ID: SpringMVCSecurityXML
  • Package: org.o7planning.tutorial.springmvcsecurity
Project đã được tạo ra:
Bạn đừng lo lắng với thông báo lỗi khi Project vừa được tạo ra. Lý do là bạn chưa khai báo thư viện Servlet.
Eclipse 4.5 (MARS) tạo ra project Maven có thể sai cấu trúc. Bạn cần phải kiểm tra.
Xóa file index.jsp.
Using Java 7 or 8:
Project Properties:

5- Cấu hình web.xml và Maven

Configure web.xml:
 
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
          http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
 id="WebApp_ID" version="3.0">

 <display-name>Spring MVC Security</display-name>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <!-- Loads Spring Security config file -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>        
            /WEB-INF/spring-security.xml,
            /WEB-INF/data-source-cfg.xml
        </param-value>
    </context-param>


    <!-- Spring MVC -->
    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>


    <!-- Spring Security Filter -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>
Maven:
pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
   http://maven.apache.org/maven-v4_0_0.xsd">
   
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.o7planning</groupId>
  <artifactId>SpringMVCSecurityXML</artifactId>
  <packaging>war</packaging>
  <version>0.0.1-SNAPSHOT</version>
  <name>SpringMVCSecurityXML Maven Webapp</name>
  <url>http://maven.apache.org</url>




    <properties>
        <!-- Generic properties -->
        <java.version>1.7</java.version>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    </properties>


    <repositories>
        <!-- Repository for ORACLE JDBC Driver -->
        <repository>
            <id>codelds</id>
            <url>https://code.lds.org/nexus/content/groups/main-repo</url>
        </repository>
    </repositories>

    <dependencies>

        <!-- Spring framework START -->
        <!-- http://mvnrepository.com/artifact/org.springframework/spring-core -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>4.2.5.RELEASE</version>
        </dependency>

        <!-- http://mvnrepository.com/artifact/org.springframework/spring-web -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
            <version>4.2.5.RELEASE</version>
        </dependency>

        <!-- http://mvnrepository.com/artifact/org.springframework/spring-webmvc -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>4.2.5.RELEASE</version>
        </dependency>
        
        

        <!-- http://mvnrepository.com/artifact/org.springframework/spring-jdbc -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-jdbc</artifactId>
            <version>4.2.5.RELEASE</version>
        </dependency>

        
        <!-- Spring framework END -->


        <!-- Spring Security Artifacts - START -->
        <!-- http://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>4.0.4.RELEASE</version>
        </dependency>

        <!-- http://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>4.0.4.RELEASE</version>
        </dependency>
        <!-- Spring Security Artifacts - END -->

        <!-- Jstl for jsp page -->
        <!-- http://mvnrepository.com/artifact/javax.servlet/jstl -->
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>

        <!-- Servlet API -->
        <!-- http://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
            <scope>provided</scope>
        </dependency>

        <!-- JSP API -->
        <!-- http://mvnrepository.com/artifact/javax.servlet.jsp/jsp-api -->
        <dependency>
            <groupId>javax.servlet.jsp</groupId>
            <artifactId>jsp-api</artifactId>
            <version>2.2</version>
            <scope>provided</scope>
        </dependency>

        <!-- MySQL JDBC driver -->
        <!-- http://mvnrepository.com/artifact/mysql/mysql-connector-java -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.34</version>
        </dependency>

        <!-- Oracle JDBC driver -->
        <dependency>
            <groupId>com.oracle</groupId>
            <artifactId>ojdbc6</artifactId>
            <version>11.2.0.3</version>
        </dependency>

        <!-- SQLServer JDBC driver (JTDS) -->
        <!-- http://mvnrepository.com/artifact/net.sourceforge.jtds/jtds -->
        <dependency>
            <groupId>net.sourceforge.jtds</groupId>
            <artifactId>jtds</artifactId>
            <version>1.3.1</version>
        </dependency>
        
        
    </dependencies>
    
    <build>
        <finalName>SpringMVCSecurityXML</finalName>
        <plugins>
        
            <!-- Config: Maven Tomcat Plugin -->
            <!-- http://mvnrepository.com/artifact/org.apache.tomcat.maven/tomcat7-maven-plugin -->
            <plugin>
                <groupId>org.apache.tomcat.maven</groupId>
                <artifactId>tomcat7-maven-plugin</artifactId>
                <version>2.2</version>
                <!-- Config: contextPath and Port (Default: /SpringMVCSecurityXML : 8080) -->
                <!--
                <configuration>
                    <path>/</path>
                    <port>8899</port>
                </configuration>
                -->    
            </plugin>
        </plugins>
    </build>        
    
</project>

6- Cấu hình Spring MVC & Security

Cấu hình Spring MVC:
mvc-dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:context="http://www.springframework.org/schema/context"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
      http://www.springframework.org/schema/beans    
      http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
      http://www.springframework.org/schema/context
      http://www.springframework.org/schema/context/spring-context-4.1.xsd">

  <context:component-scan base-package="org.o7planning.tutorial.springmvcsecurity.controller" />
  <context:annotation-config />

  <bean
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix">
      <value>/WEB-INF/pages/</value>
    </property>
    <property name="suffix">
      <value>.jsp</value>
    </property>
  </bean>

</beans>
Cấu hình Datasouce:
data-source-cfg.xml (For ORACLE)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">


  <bean id="myDataSource"
      class="org.springframework.jdbc.datasource.DriverManagerDataSource">

      <property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />
      <property name="url" value="jdbc:oracle:thin:@localhost:1521:db11g" />
      <property name="username" value="simplehr" />
      <property name="password" value="12345" />
  </bean>
 
 
</beans>
data-source-cfg.xml (For MYSQL)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
 
 
    <bean id="myDataSource"
        class="org.springframework.jdbc.datasource.DriverManagerDataSource">
 
       <property name="driverClassName" value="com.mysql.jdbc.Driver" />
       <property name="url" value="jdbc:mysql://localhost:3306/simplehr" />
       <property name="username" value="root" />
       <property name="password" value="12345" />
    </bean>
   
</beans>
data-source-cfg.xml (For SQL SERVER)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">


   <bean id="myDataSource"
       class="org.springframework.jdbc.datasource.DriverManagerDataSource">


      <!-- Using JDBC Driver: JTDS -->
      <property name="driverClassName" value="net.sourceforge.jtds.jdbc.Driver" />
      <property name="url"
          value="jdbc:jtds:sqlserver://localhost:1433/simplehr;instance=SQLEXPRESS" />
      <property name="username" value="sa" />
      <property name="password" value="12345" />
  </bean>

 
 
</beans>
Cấu hình Spring Security:
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.0.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    
    <http use-expressions="true">
        <csrf disabled="true"/>
        
        <intercept-url pattern="/" access="permitAll()" />
        <intercept-url pattern="/welcome" access="permitAll()" />
        <intercept-url pattern="/login" access="permitAll()" />
        <intercept-url pattern="/logout" access="permitAll()" />


        <intercept-url pattern="/userInfo"
            access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
        <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/other/**" access="isAuthenticated()" />

        <access-denied-handler error-page="/403" />

        <form-login login-page='/login' login-processing-url="/j_spring_security_check"
            default-target-url="/userInfo" always-use-default-target="false"
            authentication-failure-url="/login?error=true" username-parameter="username"
            password-parameter="password" />

        <logout logout-url="/logout" logout-success-url="/logoutSuccessful"
            delete-cookies="JSESSIONID" invalidate-session="true" />

    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="12345" authorities="ROLE_USER" />
                <user name="admin1" password="12345" authorities="ROLE_USER, ROLE_ADMIN" />
            </user-service>
        </authentication-provider>



        <!-- authentication from database -->
        <authentication-provider>
            <jdbc-user-service data-source-ref="myDataSource"
                users-by-username-query="select username,password, enabled from users where username=?"
                authorities-by-username-query="Select username, concat('ROLE_',user_role) user_role from user_roles where username=?" />
        </authentication-provider>

    </authentication-manager>

</beans:beans>
Các thuộc tính của <login-form>:
login-processing-url:
  • Sau khi người dùng nhấn Submit trên form Login nó sẽ được sử lý bởi action j_spring_security_check, đây là một action xây dựng sẵn của Spring Security.
login-page
  • URL trang login.
default-target-url:
  • Giá trị mặc đinh:
  • Trang mặc định sẽ chuyển tới sau khi  người dùng login thành công.
always-use-default-target:
  • Có giá trị true hoặc false. true nghĩa là: Luôn luôn chuyển tới trang định nghĩa bởi default-target-url sau login thành công.
login-processing-url
  • URL trang sử lý việc login.  
authentication-failure-url:
  • URL trang sẽ chuyển tới nếu việc đăng nhập thất bại
username-parameter
  • Giá trị mặc định: j_username
  • Tùy biến thuộc tính username định nghĩa trên loginPage.jsp
password-parameter
  • Giá trị mặc định: j_password
  • Tùy biến thuộc tính password định nghĩa trên loginPage.jsp

7- Spring MVC Controller

MainController.java
package org.o7planning.tutorial.springmvcsecurity.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MainController {

   @RequestMapping(value = { "/", "/welcome" }, method = RequestMethod.GET)
   public String welcomePage(Model model) {
       model.addAttribute("title", "Welcome");
       model.addAttribute("message", "This is welcome page!");
       return "welcomePage";
   }

   @RequestMapping(value = "/admin", method = RequestMethod.GET)
   public String adminPage(Model model) {
       return "adminPage";
   }

   @RequestMapping(value = "/login", method = RequestMethod.GET)
   public String loginPage(Model model ) {
       
       return "loginPage";
   }

   @RequestMapping(value = "/logoutSuccessful", method = RequestMethod.GET)
   public String logoutSuccessfulPage(Model model) {
       model.addAttribute("title", "Logout");
       return "logoutSuccessfulPage";
   }

   @RequestMapping(value = "/userInfo", method = RequestMethod.GET)
   public String userInfo(Model model, Principal principal) {

       // Sau khi user login thanh cong se co principal
       String userName = principal.getName();

       System.out.println("User Name: "+ userName);

       return "userInfoPage";
   }

   @RequestMapping(value = "/403", method = RequestMethod.GET)
   public String accessDenied(Model model, Principal principal) {
       
       if (principal != null) {
           model.addAttribute("message", "Hi " + principal.getName()
                   + "<br> You do not have permission to access this page!");
       } else {
           model.addAttribute("msg",
                   "You do not have permission to access this page!");
       }
       return "403Page";
   }
}

8- JSP Pages

_menu.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

<div style="border: 1px solid #ccc;padding:5px;margin-bottom:20px;">

  <a href="${pageContext.request.contextPath}/welcome">Home</a>

  | &nbsp;
 
   <a href="${pageContext.request.contextPath}/userInfo">User Info</a>
 
  | &nbsp;
 
  <a href="${pageContext.request.contextPath}/admin">Admin</a>
 
  <c:if test="${pageContext.request.userPrincipal.name != null}">
 
     | &nbsp;
     <a href="${pageContext.request.contextPath}/logout">Logout</a>
    
  </c:if>
 
</div>
403Page.jsp
<%@page session="false"%>
<html>
<head>
<title>Access Denied</title>
</head>
<body>
<jsp:include page="_menu.jsp"/>

    <h3 style="color:red;">${message}</h3>
</body>
</html>
adminPage.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>

<html>
<head>
<title>${title}</title>
</head>
<body>
    <jsp:include page="_menu.jsp" />

    <h2>Admin Page</h2>


    <h3>Welcome : ${pageContext.request.userPrincipal.name}</h3>

    <b>This is protected page!</b>  
</body>
</html>
loginPage.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

<html>
<head><title>Login</title></head>
<body>
   <jsp:include page="_menu.jsp" />
   
   
   <h1>Login</h1>
    
     <!-- /login?error=true -->
     <c:if test="${param.error == 'true'}">
         <div style="color:red;margin:10px 0px;">
         
                Login Failed!!!<br />
                Reason :  ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
                
         </div>
    </c:if>
      
   <h3>Enter user name and password:</h3>  
    
   <form name='f' action="${pageContext.request.contextPath}/j_spring_security_check" method='POST'>
      <table>
         <tr>
            <td>User:</td>
            <td><input type='text' name='username' value=''></td>
         </tr>
         <tr>
            <td>Password:</td>
            <td><input type='password' name='password' /></td>
         </tr>
         <tr>
            <td><input name="submit" type="submit" value="submit" /></td>
         </tr>
      </table>
  </form>
</body>
</html>
logoutSuccessfulPage.jsp
<html>
<head>
<title>Logout</title>
</head>
<body>
    <jsp:include page="_menu.jsp" />

    <h1>Logout Successful!</h1>
</body>
</html>
userInfoPage.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>

<html>
<head>
<title>User Info</title>
</head>
<body>
    <jsp:include page="_menu.jsp" />
    
    <h2>User Info Page</h2>

    <h3>Welcome : ${pageContext.request.userPrincipal.name}</h3>

    <b>This is protected page!</b>  
</body>
</html>
welcomePage.jsp
<%@page session="false"%>
<html>
<head>
<title>${title}</title>
</head>
<body>
    <jsp:include page="_menu.jsp" />


    <h1>Message : ${message}</h1>
</body>
</html>

9- Cấu hình và chạy ứng dụng

Trong lần đầu tiên, trước khi chạy ứng dụng bạn cần phải build toàn bộ project.
Nhấn phải chuột vào project chọn:
  • Run As/Maven install

Cấu hình để chạy:

Nhập vào:
  • Name: Run SpringMVCSecurityXML
  • Base directory: ${workspace_loc:/SpringMVCSecurityXML}
  • Goals: tomcat7:run
Chạy URL:
Gõ vào đường dẫn xem thông tin user, trong trường hợp bạn chưa login, website sẽ chuyển hướng tới trang login.
Nếu bạn nhập sai thông tin và Submit. Website sẽ chuyển hướng trở lại trang login. Chúng ta cần sử lý và thông báo lỗi đầy đủ sau
Trong trường hợp đăng nhập thành công:
Bạn có thể thử với đường dẫn. Đường dẫn trên chỉ cho phép user với vai trò ADMIN (ROLE_ADMIN) được quyền truy cập:

Trong trường hợp chưa login, website sẽ chuyển hướng tới trang login, nếu bạn login vào với ROLE_USER bạn sẽ nhận được thông báo cấm truy cập (Access Denied)

10- Spring MVC Shopping Cart Application

Ứng dụng bán hàng sử dụng: