Monday, June 6, 2011

Authentication Checking using SpringMVC Interceptors

For many web applications, some URLs need to protect from public access and some other URLs need to be protected based on the User Roles and privileges. To achieve this we can use Filters that comes with Servlet API or we can use JAAS(Java Authentication and Authorization Service).

SpringMVC provides Interceptors which can be used to intercept the URL and pre-process, post-process the requests.

Let us write a simple AuthenticationInterceptor to check whether the user is already logged in or not. If the User is already logged into the system we will let him continue otherwise we will redirect him to login page.


AuthenticationInterceptor .java

package com.sivalabs.web.controllers;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import com.sivalabs.entities.User;

@Component
public class AuthenticationInterceptor extends HandlerInterceptorAdapter
{
 @Override
 public boolean preHandle(HttpServletRequest request,
   HttpServletResponse response, Object handler) throws Exception
 {
  String uri = request.getRequestURI();
  if(!uri.endsWith("login.do") && !uri.endsWith("logout.do"))
  {
   User userData = (User) request.getSession().getAttribute("LOGGEDIN_USER");
   if(userData == null)
   {
    response.sendRedirect("login.do");
    return false;
   }   
  }
  return true;
 }
}


LoginController.java

package com.sivalabs.web.controllers;

@Controller
public class LoginController
{
 @RequestMapping(value="/login", method=RequestMethod.POST)
    public ModelAndView login(@ModelAttribute("login")User user, 
         BindingResult result, SessionStatus status,
         HttpServletRequest request)
    {
     String viewName = "login";
     ModelAndView mav = new ModelAndView(viewName);
     loginFormValidator.validate(user, result);
        if (result.hasErrors())
        {
            return mav;
        }
        User userData = userService.login(user);
        status.setComplete();
        
        if(userData == null){
         mav.getModel().put("ERROR", "Invalid UserName and Password");
        }else{
         viewName = "welcome";
         request.getSession().setAttribute("LOGGEDIN_USER", userData);
        }
        mav.setViewName(viewName);
        return mav;
    }
}


WEB-INF/dispatcher-servlet.xml



 <context:annotation-config/> 
 <context:component-scan base-package="com.sivalabs"/>
 
 <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>
 
  
    <ref bean="authenticationInterceptor"/>
  
 

 <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
  p:prefix="/WEB-INF/jsp/" p:suffix=".jsp"/>


Now if we try to access any other URLs without logging into the application it will automatically redirect to login page.
Posted by Unknown at June 06, 2011
Labels:

3 comments:

  1. KodeGangJuly 30, 2011 at 5:18 PM

    Good Articale
    http://javacircuit.blogspot.com

    ReplyDelete
  2. UnknownMay 1, 2012 at 1:39 PM

    WEB-INF/dispatcher-servlet.xml is little bit confusing..
    can u suggest where should I place

    ReplyDelete
  3. MEHUL PADSANAFebruary 1, 2013 at 2:27 PM








    What i have to do if some one remove this from serviet.xml file. Application will run without authentication.

    ReplyDelete

Subscribe to: Post Comments (Atom)