

Tuesday, May 31, 2011

Programmatic authorization (URL-based ACL) with Spring Security pre-authentication in web applications

1. Implement the org.springframework.security.userdetails.UserDetails interface (this is the Spring Security 2.x package layout; 3.x moved these classes, so check the version in use) and implement all of its methods:

public class UserProfile implements Serializable, UserDetails


2. Implement the AuthenticationUserDetailsService interface, i.e. the method
UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException;
and register the implementation as a bean:


public class UserDetailsService implements AuthenticationUserDetailsService

<!-- Resolves the application's UserDetails (UserProfile) for an already pre-authenticated
     token. It is called only after the PRE_AUTH filter has produced a principal; it is not
     where passwords are checked. -->
<bean id="preAuthenticatedUserDetailsService"
class="com.test.common.security.service.impl.UserDetailsService">
</bean>


3. Create the authentication provider. For custom authentication, register it with the security namespace via <security:custom-authentication-provider /> as below. Note that PreAuthenticatedAuthenticationProvider does not verify any credentials itself: it accepts the principal handed over by the pre-authentication filter, so the code that establishes that principal (here, whatever stores the UserProfile in the HTTP session) is the real authentication boundary:


<!-- Pre-authentication provider. It performs no credential check of its own; it trusts the
     principal supplied by the PRE_AUTH filter and only loads its authorities through
     preAuthenticatedUserDetailsService. Package name is the Spring Security 2.x one
     (in 3.x: org.springframework.security.web.authentication.preauth); verify against the
     version actually on the classpath. -->
<bean id="preAuthenticatedAuthenticationProvider"
class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<security:custom-authentication-provider />
<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
</bean>

4. Pass the preAuthenticatedAuthenticationProvider bean to the ProviderManager through its "providers" property, as below:

<!-- Authentication manager with a single provider. Because the only provider is the
     pre-authentication one, every Authentication that reaches this manager is accepted on the
     strength of the session-held principal alone. -->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="preAuthenticatedAuthenticationProvider" />
</list>
</property>
</bean>

5. Create the authenticationProcessingFilter bean. To place it at the PRE_AUTH position of the Spring Security filter chain, add the <security:custom-filter position="PRE_AUTH_FILTER" /> entry inside the bean, as below:


<!-- This bean id should not be changed -->
<!-- Pre-authentication filter (class shown below). It reads the UserProfile that the
     application's login flow stored in the HTTP session and presents it to the
     authenticationManager as an already authenticated principal. Note: scope="prototype" is
     unusual for a servlet filter; the filter chain holds the single instance it was built with,
     so the prototype scope has no practical effect here (confirm this is intended). -->
<bean id="authenticationProcessingFilter" scope="prototype"
class="com.test.common.security.filter.AuthProcessinglFilter">
<security:custom-filter position="PRE_AUTH_FILTER" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>

// Session attribute key under which the application's login flow stores the authenticated
// UserProfile; the PRE_AUTH filter below reads it back. Shown here without its declaring type
// (presumably a static final String constant in the real source).
SESSION_USER_PROFILE = "UserProfile";

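/**
 * Pre-authentication filter that turns a UserProfile stored in the HTTP session into a
 * Spring Security principal.
 *
 * Security note: this filter performs no credential check of its own. Whatever UserProfile
 * is found under SESSION_USER_PROFILE is handed to PreAuthenticatedAuthenticationProvider as
 * an already authenticated principal, so the code path that writes that session attribute is
 * the trust boundary of the whole scheme. The session is never created here
 * (getSession(false)), so anonymous requests do not get a session just by hitting the filter;
 * the original code dereferenced getSession(false) without a null check and would throw a
 * NullPointerException on any request without a session.
 */
public class AuthProcessinglFilter extends AbstractPreAuthenticatedProcessingFilter {

    /**
     * Returns the UserProfile from the existing session, or null when there is no session,
     * no attribute, or the attribute is not a UserProfile. A null return makes the base filter
     * skip authentication for this request instead of failing.
     */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        return profileFromSession(request);
    }

    /**
     * Returns the credentials carried by the session profile, or null when there is no
     * profile (mirrors the original null handling).
     */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        UserProfile profile = profileFromSession(request);
        return profile == null ? null : profile.getCredentials();
    }

    /** Position in the Spring Security filter chain; matches the PRE_AUTH_FILTER XML position. */
    public int getOrder() {
        return FilterChainOrder.PRE_AUTH_FILTER;
    }

    /**
     * Reads the UserProfile from an already existing session without creating one.
     * getSession(false) returns null when the request carries no valid session, which is the
     * normal case for an unauthenticated visitor, so that case is handled explicitly.
     * Fully qualified type is used to avoid relying on an HttpSession import.
     */
    private static UserProfile profileFromSession(HttpServletRequest request) {
        javax.servlet.http.HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object attribute = session.getAttribute(SESSION_USER_PROFILE);
        // Anything other than a UserProfile would have failed the cast in the original
        // getPreAuthenticatedCredentials; treat it as "not authenticated" instead.
        return attribute instanceof UserProfile ? (UserProfile) attribute : null;
    }
}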

6. The following entry point bean is required. It answers requests that reach a protected URL without a pre-authenticated principal with 403 Forbidden rather than redirecting to a login page:

<!-- Entry point for pre-authenticated setups: there is no login form to redirect to, so an
     unauthenticated access to a protected URL is rejected with HTTP 403. -->
<bean id="authenticationEntryPoint"
class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

Then set up the URL-based access rules, if required. The rules below cover only the listed patterns; every other URL falls through to <security:anonymous /> and is served without authorization, so add a catch-all pattern (e.g. "/**") as the last rule if everything else must be authenticated:

<!-- ACL context configuration start -->
<!-- Review notes on this configuration:
     * session-fixation-protection="none" disables session migration on authentication. Since
       the principal itself lives in the HTTP session, an attacker who can fix a victim's session
       id before login would share the authenticated session; prefer the default ("migrateSession")
       unless there is a verified reason it breaks the login flow.
     * Only the two patterns below are protected. There is no catch-all rule, so any other URL
       (including any other *.action) is served to anonymous users.
     * In Ant-style patterns "*" matches within a single path segment, so "/6/*.action" does not
       cover "/6/sub/x.action"; use "/6/**/*.action" if nested paths exist.
     * Rules are evaluated in order; keep the most specific patterns first. -->
<security:http entry-point-ref="authenticationEntryPoint"
auto-config="false" session-fixation-protection="none"
lowercase-comparisons="false" access-denied-page="/WEB-INF/jsp/error/AccessDenied.jsp">

<security:intercept-url pattern="/6/*.action" access="ROLE_ADMIN" />

<security:intercept-url pattern="/61/*.action" access="ROLE_USER" />

<!-- Grants every unmatched request an anonymous authentication; combined with the absence
     of a catch-all intercept-url above this means "everything else is public". -->
<security:anonymous />

</security:http>

7. Register the Spring Security filter chain in web.xml. The mapping below sends only *.action URLs through Spring Security; resources served under any other mapping bypass it entirely, so widen the url-pattern (e.g. "/*") if other paths need protection:

<!-- DelegatingFilterProxy hands each request to the "springSecurityFilterChain" bean that the
     <security:http> element creates. Declare this filter before any other filter that relies on
     the SecurityContext, since web.xml filter order is declaration order. -->
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>springSecurityFilterChain</param-value>
</init-param>
</filter>
<!-- Only *.action requests are filtered; anything else is never seen by Spring Security. -->
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>*.action</url-pattern>
</filter-mapping>
