8/17/2019 Integrate JCaptcha with Spring Security framework
1/27
Integrating JCaptcha with Spring Security
Introduction
This document explains how to integrate Jcaptcha with the Spring Security framework. Currently, the Jcaptcha verifier is written inside Spring Security's Authentication Manager. However, there is a more optimized way in which Jcaptcha is not a part of Spring Security's Authentication Manager, which I am still exploring.
Create New Maven Project
Create a new simple Maven Project in Eclipse. You can search the documentation for the same online.
Create pom.xml (replace XXXX with your desired value)
Create captchacontext.xml
This file contains all the details about how the Jcaptcha image is created at runtime.
(Only this fragment of a comment from captchacontext.xml survives on the page:) ...implementation takes words from a list, and can make composition to create a text easier to read for a human being. In the example the WordGenerator needs a Dictionary to get real words from.
securitycontext.xml (Spring Security configuration) (replace XXXX with your desired value)
I am using plaintext passwords (no hashing and salting) for this example. Notice the code in bold for Jcaptcha. Jcaptcha mainly has two filters:
1) Capture Filter
2) Verifier Filter
The purpose of the Capture Filter is to store the information entered by the user in the CAPTCHA form, whereas the Verifier Filter's purpose is to verify the captcha entered by the user. If the result is valid, allow the user to proceed; otherwise, it will show the login page again.
In this example, Captcha Verifier Filter is added inside Spring Security Authentication Manager.
Maven Update, Clean and Install
1) Right click on project from project explorer
2) Select Run As -> Maven Clean
3) Right click on project from project explorer
4) Select Run As -> Maven Install
5) Right click on project from project explorer
6) Select Maven -> Update Project
FacesServlet related Error
This step is a must to avoid javax.faces.webapp.FacesServlet related errors.
1) Right click on Project
2) Select Deployment Assembly
3) Add Maven Dependencies directive
faces-config.xml (declare all managed beans and xhtml files here)
faces-config.xml (replace XXXX with your desired value)
// BaseUIController.java (fragment: the page only shows the class from this point on)

    /** @return the activeLink */
    public String getActiveLink() {
        if (FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
                .containsKey("ACTIVE_LINK")) {
            this.activeLink = (String) FacesContext.getCurrentInstance().getExternalContext()
                    .getSessionMap().get("ACTIVE_LINK");
        } else {
            this.activeLink = "welcome";
        }
        return activeLink;
    }

    public void setActiveLink(String activeLink) {
        FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
                .put("ACTIVE_LINK", activeLink);
        this.activeLink = activeLink;
    }

    public String getRealFileStoragePath() {
        return FacesContext.getCurrentInstance().getExternalContext().getRealPath("/");
    }

    public String navigate(String activeLinkStr) {
        if (null != activeLinkStr) {
            setActiveLink(activeLinkStr);
        }
        return getActiveLink();
    }

    public void addFacesMessage(Severity sev, String msg) {
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(sev, msg, ""));
    }

    public String getUserNameParam() {
        if (FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
                .containsKey("USER_NAME_PARAM")) {
            this.userNameParam = (String) FacesContext.getCurrentInstance().getExternalContext()
                    .getSessionMap().get("USER_NAME_PARAM");
        }
        return userNameParam;
    }

    public boolean isLoggedInUser() {
        ExternalContext extCtxt = FacesContext.getCurrentInstance().getExternalContext();
        String remoteUser = extCtxt.getRemoteUser();
        if (remoteUser != null) {
            return true;
        } else return false;
    }

    /** @param userNameParam the userNameParam to set */
    public void setUserNameParam(String userNameParam) {
        this.userNameParam = userNameParam;
    }
LoginUIController.java (replace XXXX with your desired value)
This Java class will authenticate the user through Spring Security using the entered username and password combination and Jcaptcha.
package XXXX.ui;

import javax.faces.context.FacesContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import XXXX.security.AuthenticationService;

@Controller
public class LoginUIController extends BaseUIController {
    private static final long serialVersionUID = 1L;
    private String userName;
    private String password;
    private String message;
    private String captchaString;

    @Autowired
    private AuthenticationService authenticationService;

    public String login() {
        boolean success = authenticationService.login(userName, password);
        if (success) {
            StringBuilder userNameBuilder = new StringBuilder();
            userNameBuilder.append(userName);
            FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
                    .put("USER_NAME_PARAM", userNameBuilder.toString());
            return "index";
        } else {
            this.message = "Wrong Username or Password Entered. Please LOGIN again.";
            this.userName = null;
            this.password = null;
            this.captchaString = null;
            return "login";
        }
    }

    public String logout() {
        authenticationService.logout();
        FacesContext.getCurrentInstance().getExternalContext().getSessionMap().clear();
        this.userName = null;
        this.password = null;
        this.captchaString = null;
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "login";
    }

    /** @return the userName */
    public String getUserName() { return userName; }
    /** @param userName the userName to set */
    public void setUserName(String userName) { this.userName = userName; }
    /** @return the password */
    public String getPassword() { return password; }
    /** @param password the password to set */
    public void setPassword(String password) { this.password = password; }
    /** @return the message */
    public String getMessage() { return message; }
    /** @param message the message to set */
    public void setMessage(String message) { this.message = message; }
    /** @return the authenticationService */
    public AuthenticationService getAuthenticationService() { return authenticationService; }
    /** @param authenticationService the authenticationService to set */
    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }
    /** @return the captchaString */
    public String getCaptchaString() { return captchaString; }
    /** @param captchaString the captchaString to set */
    public void setCaptchaString(String captchaString) { this.captchaString = captchaString; }
}
DbConnectionController.java (replace XXXX with your desired value)
It is always advisable to create a separate controller class for storing database connection details. In the entire project, only this file should have hard-coded database connection details, so that if the connection details change, only one file needs to be modified.
package XXXX.database;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

public class DbConnectionController {
    Connection conn;
    Statement stmt;
    DriverManager driverManager;

    public DbConnectionController() {
        try {
            Class.forName("com.mysql.jdbc.Driver").newInstance();
            conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/DB", "DB_USER", "DB_PWD");
            stmt = conn.createStatement();
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

    public Connection getConn() { return conn; }
    public void setConn(Connection conn) { this.conn = conn; }
    public Statement getStmt() { return stmt; }
    public void setStmt(Statement stmt) { this.stmt = stmt; }
    public DriverManager getDriverManager() { return driverManager; }
    public void setDriverManager(DriverManager driverManager) { this.driverManager = driverManager; }
}
CaptchaCaptureFilter.java (replace XXXX with your desired value)
There will be an input text box field on the Login page where the user enters the captcha string after seeing the Jcaptcha image. The value of this string parameter needs to be captured. Once the value is captured, the framework processes the remaining filters in the pipeline.
package XXXX.captcha;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

public class CaptchaCaptureFilter extends OncePerRequestFilter {
    private String userCaptchaResponse;
    private HttpServletRequest request;

    @Override
    public void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assign values only when user has submitted a Captcha value.
        // Without this condition the values will be reset due to redirection
        // and CaptchaVerifierFilter will enter an infinite loop
        if (req.getParameter("loginForm:jcaptchaString") != null) {
            request = req;
            userCaptchaResponse = req.getParameter("loginForm:jcaptchaString");
        }
        // Proceed with the remaining filters
        chain.doFilter(req, res);
    }

    /** @return the userCaptchaResponse */
    public String getUserCaptchaResponse() { return userCaptchaResponse; }
    /** @param userCaptchaResponse the userCaptchaResponse to set */
    public void setUserCaptchaResponse(String userCaptchaResponse) {
        this.userCaptchaResponse = userCaptchaResponse;
    }
    /** @return the request */
    public HttpServletRequest getRequest() { return request; }
    /** @param request the request to set */
    public void setRequest(HttpServletRequest request) { this.request = request; }
}
AuthenticationService (Interface declaration) (replace XXXX with your desired value)
package XXXX.security;

public interface AuthenticationService {
    public boolean login(String username, String password);
    public void logout();
}
AuthenticationServiceImpl (Interface implementation) (replace XXXX with your desired value)
The authentication service checks both username
// AuthenticationServiceImpl.java (fragment: the package, imports, class declaration, fields and
// the beginning of login() are missing from the page; the listing resumes inside login()'s try block)

                { flag1 = true;
                    captchaCaptureFilter.setUserCaptchaResponse(null);
                }
            }
            Authentication authenticate = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            if (authenticate.isAuthenticated()) {
                SecurityContextHolder.getContext().setAuthentication(authenticate);
                flag = true;
            }
            // if captcha and username/password combinations both are correct
            // then only allow login. Otherwise no.
            if (flag1 == true && flag == true)
                return true;
            else
                return false;
        } catch (AuthenticationException e) {
            e.printStackTrace();
        }
        return false;
    }

    @Override
    public void logout() {
        SecurityContextHolder.getContext().setAuthentication(null);
    }

    /** @return the flag1 */
    public boolean isFlag1() { return flag1; }
    /** @param flag1 the flag1 to set */
    public void setFlag1(boolean flag1) { this.flag1 = flag1; }
    /** @return the flag */
    public boolean isFlag() { return flag; }
    /** @param flag the flag to set */
    public void setFlag(boolean flag) { this.flag = flag; }
    /** @return the captchaPassed */
    public boolean isCaptchaPassed() { return captchaPassed; }
    /** @param captchaPassed the captchaPassed to set */
    public void setCaptchaPassed(boolean captchaPassed) { this.captchaPassed = captchaPassed; }
    /** @return the captchaCaptureFilter */
    public CaptchaCaptureFilter getCaptchaCaptureFilter() { return captchaCaptureFilter; }
    /** @param captchaCaptureFilter the captchaCaptureFilter to set */
    public void setCaptchaCaptureFilter(CaptchaCaptureFilter captchaCaptureFilter) {
        this.captchaCaptureFilter = captchaCaptureFilter;
    }
}
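The listing above begins mid-method, so the captcha check that sets flag1 is not shown. The following is my own complete version of the class (added here; it is not the document's code) showing where that check goes relative to the Capture Filter and the Authentication Manager described earlier. It assumes that the CaptchaCaptureFilter from this document is itself a Spring bean, that the ImageCaptchaService bean defined in captchacontext.xml is injectable, and that the challenge id JCaptcha uses is the HTTP session id, which is how the JCaptcha image servlet normally keys it.

```java
package XXXX.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import com.octo.captcha.service.CaptchaServiceException;
import com.octo.captcha.service.image.ImageCaptchaService;
import XXXX.captcha.CaptchaCaptureFilter;
@Service
public class AuthenticationServiceImpl implements AuthenticationService {
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private ImageCaptchaService imageCaptchaService; // assumed: the JCaptcha service bean from captchacontext.xml
    @Autowired private CaptchaCaptureFilter captchaCaptureFilter; // assumed: the document's filter, registered as a bean
    @Override
    public boolean login(String username, String password) {
        // Step 1, the captcha. CaptchaCaptureFilter recorded the answer and the request it came
        // with; JCaptcha keeps the pending challenge under that request's HTTP session id.
        String answer = captchaCaptureFilter.getUserCaptchaResponse();
        if (answer == null || captchaCaptureFilter.getRequest() == null) return false; // nothing submitted
        String challengeId = captchaCaptureFilter.getRequest().getSession().getId();
        boolean captchaOk = false;
        try {
            // validateResponseForID discards the challenge: one image is good for one attempt only
            captchaOk = Boolean.TRUE.equals(imageCaptchaService.validateResponseForID(challengeId, answer));
        } catch (CaptchaServiceException e) { /* challenge expired or never issued: captchaOk stays false */
        } finally {
            captchaCaptureFilter.setUserCaptchaResponse(null); // a captured answer is never reused
        }
        if (!captchaOk) return false; // fail closed before the credentials are examined at all
        // Step 2, the credentials, through Spring Security's AuthenticationManager.
        try {
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            if (auth.isAuthenticated()) {
                SecurityContextHolder.getContext().setAuthentication(auth);
                return true;
            }
        } catch (AuthenticationException e) { /* wrong username or password: same outcome as a failed captcha */ }
        return false;
    }
    @Override public void logout() { SecurityContextHolder.getContext().setAuthentication(null); }
}
```

Note that the filter's userCaptchaResponse and request fields are shared by every request passing through the single filter instance, so two concurrent logins can see each other's values; that comes from the filter design in this document rather than from the check shown here.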
LoginUser.java (replace XXXX with your desired value)
package XXXX.security;

import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.springframework.stereotype.Repository;
import XXXX.database.DbConnectionController;

@Repository
public class LoginUser {
    DbConnectionController dbConnectionController;
    ResultSet resultSet;

    public UserEntity getUser(String userName) throws ClassNotFoundException {
        UserEntity user = new UserEntity();
        dbConnectionController = new DbConnectionController();
        // Bind the user name as a parameter instead of concatenating it into the SQL,
        // otherwise a crafted user name could change the query (SQL injection).
        String query = "SELECT * FROM LOGIN WHERE USERNAME = ?";
        try {
            PreparedStatement ps = dbConnectionController.getConn().prepareStatement(query);
            ps.setString(1, userName);
            resultSet = ps.executeQuery();
            if (resultSet.next()) {
                user.setUsername(resultSet.getString(1));
                user.setPassword(resultSet.getString(2));
                user.setSuperUser(resultSet.getString(3));
                user.setFullname(resultSet.getString(4));
                user.setDepartment(resultSet.getString(5));
            }
            ps.close();
            dbConnectionController.getConn().close();
            dbConnectionController.setConn(null);
            dbConnectionController.setStmt(null);
            this.dbConnectionController = null;
        } catch (SQLException e) {
            e.printStackTrace();
            return null;
        }
        return user;
    }

    /** @return the dbConnectionController */
    public DbConnectionController getDbConnectionController() { return dbConnectionController; }
    /** @param dbConnectionController the dbConnectionController to set */
    public void setDbConnectionController(DbConnectionController dbConnectionController) {
        this.dbConnectionController = dbConnectionController;
    }
    /** @return the resultSet */
    public ResultSet getResultSet() { return resultSet; }
    /** @param resultSet the resultSet to set */
    public void setResultSet(ResultSet resultSet) { this.resultSet = resultSet; }
}
UserEntity.java (replace XXXX with your desired value)
package XXXX.security;

public class UserEntity {
    private String username;
    private String password;
    private String superUser;
    private String fullname;
    private String department;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getSuperUser() { return superUser; }
    public void setSuperUser(String superUser) { this.superUser = superUser; }
    public String getFullname() { return fullname; }
    public void setFullname(String fullname) { this.fullname = fullname; }
    public String getDepartment() { return department; }
    public void setDepartment(String department) { this.department = department; }
}
UserDetailsManager.java (replace XXXX with your desired value)
package XXXX.security;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class UserDetailsManager implements UserDetailsService {

    @Override
    @Transactional
    public UserDetails loadUserByUsername(final String userName) throws UsernameNotFoundException {
        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;
        UserEntity userEntity = new UserEntity();
        LoginUser loginUser = new LoginUser();
        try {
            userEntity = loginUser.getUser(userName);
        } catch (Exception e) {
            e.printStackTrace();
        }
        // getUser() returns null on a database error and an entity with a null username when no
        // row matched; Spring Security expects UsernameNotFoundException in both cases, not a
        // NullPointerException from the User constructor below.
        if (userEntity == null || userEntity.getUsername() == null) {
            throw new UsernameNotFoundException("User not found: " + userName);
        }
        return new User(userEntity.getUsername(), userEntity.getPassword(), enabled,
                accountNonExpired, credentialsNonExpired, accountNonLocked,
                AuthorityUtils.NO_AUTHORITIES);
    }
}
LOGIN table (fragment: the CREATE TABLE line and the USERNAME column are missing from the page; the lengths of SUPERUSER and FULLNAME are illegible in the source and are placeholders here)
  `PASSWORD` varchar(45) COLLATE utf8_unicode_ci NOT NULL,
  `SUPERUSER` varchar(10) COLLATE utf8_unicode_ci DEFAULT NULL,
  `FULLNAME` varchar(50) COLLATE utf8_unicode_ci DEFAULT NULL,
  `DEPARTMENT` varchar(45) COLLATE utf8_unicode_ci DEFAULT NULL,
  PRIMARY KEY (`USERNAME`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;