xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
<!-- Enables the Spring MVC @Controller programming model -->
<annotation-driven validator="validator"/>
<!-- Enable controller method level security -->
<security:global-method-security pre-post-annotations="enabled"/>
<!-- Other code omitted -->
</beans:beans>
As shown in Listing 17-63, the security namespace is added. The <security:global-method-security>
tag then enables Spring Security's method-level security, and its pre-post-annotations attribute
enables support for annotations.
Now we can use the @PreAuthorize annotation for the controller method we want to protect. Listing
17-64 shows an example of protecting the createForm() method.
Listing 17-64. Applying Spring Security Annotations
@PreAuthorize("isAuthenticated()")
@RequestMapping(params = "form", method = RequestMethod.GET)
public String createForm(Model uiModel) {
    Contact contact = new Contact();
    uiModel.addAttribute("contact", contact);
    return "contacts/create";
}
As shown in Listing 17-64, we use the @PreAuthorize annotation (in the package
org.springframework.security.access.prepost) to secure the createForm() method. Its argument is
the expression that states the security requirement.
Now you can try entering the new contact URL directly in the browser. If you are not logged in,
Spring Security will redirect you to the login page, which is the contact list view as configured in the
security-context.xml file.
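The following added example (not code from the book) extends Listing 17-64 to the handler that processes the submitted form, because protecting only the method that displays the form leaves the POST endpoint callable directly. The class name, package, "/contacts" mapping, ROLE_USER role name, in-memory store, and the minimal Contact class are assumptions made for illustration.

```java
package com.example.web; // hypothetical package, not from the book

import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.validation.Valid;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/contacts") // assumed URL mapping
public class ContactWriteController { // hypothetical controller name
    // In-memory store standing in for the service layer (assumption).
    private final List<Contact> contacts = new CopyOnWriteArrayList<Contact>();

    // Displaying the form requires any logged-in user, as in Listing 17-64.
    @PreAuthorize("isAuthenticated()")
    @RequestMapping(params = "form", method = RequestMethod.GET)
    public String createForm(Model uiModel) {
        uiModel.addAttribute("contact", new Contact());
        return "contacts/create";
    }

    // The handler that accepts the submitted form carries its own check.
    // Hiding the form does not stop a client from sending the POST itself,
    // so the state-changing method is the one that most needs the annotation.
    // ROLE_USER is an assumed role name.
    @PreAuthorize("hasRole('ROLE_USER')")
    @RequestMapping(params = "form", method = RequestMethod.POST)
    public String create(@Valid Contact contact, BindingResult result, Model uiModel) {
        if (result.hasErrors()) {
            uiModel.addAttribute("contact", contact);
            return "contacts/create"; // redisplay the form with validation errors
        }
        contacts.add(contact);
        return "redirect:/contacts";
    }
}

// Minimal stand-in for the book's Contact class so the example compiles (assumed field).
class Contact {
    private String firstName;
    public String getFirstName() { return firstName; }
    public void setFirstName(String firstName) { this.firstName = firstName; }
}
```

Both annotations take effect only because <security:global-method-security> is declared in the DispatcherServlet context that creates the controller, as in Listing 17-63.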
Support for Servlet 3 Code-Based Configuration
Another new feature in Spring 3.1 relating to the web layer is the support of Servlet 3's code-based
configuration, which provides an alternative to the XML configuration required in the web deployment
descriptor file (web.xml). In this section, we will show you how to use Java code to bootstrap the
DispatcherServlet WebApplicationContext instead of configuring it in the web.xml file.