Contacts

The Contacts Sample is quite an advanced example in that it illustrates the more powerful features of domain object access control lists in addition to basic application security.

To deploy, simply copy the WAR file from Spring Security distribution into your container’s webapps directory. The war should be called spring-security-samples-contacts-2.0.0.war (the appended version number will vary depending on what release you are using).

After starting your container, check the application can load. Visit http://localhost:8080/contacts (or whichever URL is appropriate for your web container and the WAR you deployed).

Next, click "Debug". You will be prompted to authenticate, and a series of usernames and passwords are suggested on that page. Simply authenticate with any of these and view the resulting page. It should contain a success message similar to the following:


    Authentication object is of type: org.springframework.security.providers.UsernamePasswordAuthenticationToken

    Authentication object as a String:
      org.springframework.security.providers.UsernamePasswordAuthenticationToken@1f127853:
      Principal: org.springframework.security.userdetails.User@b07ed00:
      Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
      credentialsNonExpired: true; AccountNonLocked: true;
      Granted Authorities: ROLE_SUPERVISOR, ROLE_USER; Password: [PROTECTED]; Authenticated: true;
      Details: org.springframework.security.ui.WebAuthenticationDetails@0:
      RemoteIpAddress: 127.0.0.1; SessionId: k5qypsawgpwb;
      Granted Authorities: ROLE_SUPERVISOR, ROLE_USER

    Authentication object holds the following granted authorities:

    ROLE_SUPERVISOR (getAuthority(): ROLE_SUPERVISOR)
    ROLE_USER (getAuthority(): ROLE_USER)

    SUCCESS! Your web filters appear to be properly configured!


Once you receive the above message, return to the sample application's home page and click "Manage". You can then try out the application. Notice that only the contacts available to the currently logged-on user are displayed, and that only users with ROLE_SUPERVISOR are granted access to delete their contacts. Behind the scenes, the MethodSecurityInterceptor is securing the business objects: each service method carries configuration attributes, and the interceptor consults them before (role checks) and after (ACL filtering of returned objects) the method runs.
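To make the two behaviours just described concrete, here is an illustrative Spring Security 2.0-style service interface secured with the `@Secured` annotation. This is an added example, not the Contacts sample's own source: the package name, the `Contact` type and the method names are assumptions, and the `AFTER_ACL_*` attribute strings are the default values understood by the ACL after-invocation providers, which must be registered with the MethodSecurityInterceptor in the application context XML for those attributes to have any effect.

```java
// Illustrative service interface (added example, not the sample's own code).
// Assumed: package name, Contact type, method names. The attribute strings
// "AFTER_ACL_READ" and "AFTER_ACL_COLLECTION_READ" are the defaults used by
// AclEntryAfterInvocationProvider and
// AclEntryAfterInvocationCollectionFilteringProvider respectively.
package sample.contact;

import java.util.List;

import org.springframework.security.annotation.Secured;

public interface ContactManager {

    // Before the call: the RoleVoter requires ROLE_USER.
    // After the call: the collection-filtering ACL provider removes every
    // Contact the caller has no read permission on, so each user sees only
    // the contacts their ACL entries grant them.
    @Secured({"ROLE_USER", "AFTER_ACL_COLLECTION_READ"})
    List<Contact> getAll();

    // Single-object variant: the after-invocation provider throws
    // AccessDeniedException if the caller lacks read permission on the
    // returned Contact, rather than silently filtering it.
    @Secured({"ROLE_USER", "AFTER_ACL_READ"})
    Contact getById(Long id);

    // Any authenticated user may create a contact.
    @Secured({"ROLE_USER"})
    void create(Contact contact);

    // Rejected before the method body runs unless the caller holds
    // ROLE_SUPERVISOR, which is why only supervisors can delete in the UI.
    @Secured({"ROLE_SUPERVISOR"})
    void delete(Contact contact);
}
```

The point to notice is the split between the two checks: a role attribute is evaluated before invocation and protects the operation as a whole, whereas an `AFTER_ACL_*` attribute is evaluated on the method's return value and protects individual domain objects. Securing the interface rather than the web controllers means the same rules apply regardless of which caller reaches the service.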

The application allows you to modify the access control lists associated with different contacts. Be sure to give this a try and understand how it works by reviewing the application context XML files.