I'm working on a project using the Spring Web MVC framework. I was interested in learning more about Spring Security to have it manage authentication and authorization for me. This way I can avoid having to write a custom form controller to manage authentication and come up with some home-grown ACL strategy. I decided to try out the petclinic tutorial. After reviewing the information, it seemed that I would be able to use Spring Security in my project.
So, I repeated the steps of the tutorial on my own project. But I soon found out that the login page being displayed was not a JSP found in the petclinic project. Instead, it is generated by the Spring Security library. This won't do. I need a login page that looks like the rest of my application. So, off to Google I go...
Fortunately, I'm not the first person to have this same issue. Thanks to Peter Mularien for putting together this excellent summary of and expansion on the petclinic tutorial. The one thing I did differently in my project is that I wanted to enforce concurrent session control. This is easily accomplished by adding the following to your security:http configuration:
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
However, I was experiencing a bad side effect. Now, once my user logged out, they could no longer log back in. After posting a question on Stack Overflow I discovered my own answer. There is another listener required in the deployment descriptor to use session control:
<listener>
    <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
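Why the missing listener causes the lockout, as an added example that is not part of the original post and is not Spring Security's own code: a simplified Python model in which the session registry only learns that a session ended when a registered listener forwards the container's session-destroyed event. The names `SessionRegistry`, `Container` and `login_logout_login` are hypothetical, and the user and session ids are constructed.

```python
"""Simplified model (not Spring Security code) of concurrent-session accounting."""


class SessionLimitExceeded(Exception):
    """Models a login rejected under exception-if-maximum-exceeded="true"."""


class SessionRegistry:
    """Hypothetical stand-in for the registry that counts sessions per user."""

    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self.sessions = {}  # username -> set of session ids believed to be live

    def register(self, user, session_id):
        live = self.sessions.setdefault(user, set())
        if len(live) >= self.max_sessions:
            raise SessionLimitExceeded(user)
        live.add(session_id)

    def on_session_destroyed(self, session_id):
        # Only runs if something forwards the container's destroy event here.
        for live in self.sessions.values():
            live.discard(session_id)


class Container:
    """Stands in for the servlet container, which notifies web.xml listeners."""

    def __init__(self, listeners=()):
        self.listeners = list(listeners)

    def invalidate(self, session_id):
        for notify in self.listeners:
            notify(session_id)


def login_logout_login(publisher_registered):
    """Return True if the user can log in again after logging out."""
    registry = SessionRegistry(max_sessions=1)
    listeners = [registry.on_session_destroyed] if publisher_registered else []
    container = Container(listeners)
    registry.register("alice", "session-1")      # first login
    container.invalidate("session-1")            # logout invalidates the session
    try:
        registry.register("alice", "session-2")  # second login
        return True
    except SessionLimitExceeded:
        return False


if __name__ == "__main__":
    print("without listener:", login_logout_login(False))  # False
    print("with listener:   ", login_logout_login(True))   # True
```

Without the listener the registry still counts the invalidated session against the limit, so the second login is refused. With it the stale entry is dropped and the limit applies only to sessions that are actually live.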
Once again, I'm left with the feeling that Spring is great, but its lack of documentation for what I would consider to be core features is a chronic issue for me. Spring is not for the faint-hearted or easily-frustrated. One must have the intestinal fortitude to dig in and figure things out on their own...and search Google.