jump to navigation

Using Spring Security in a Swing Desktop application June 12, 2009

Posted by Phill in Frameworks, Spring.
Tags: , ,
trackback

It seems like there’s very little support (in terms of documentation) for using Spring Security in a Swing (or general Desktop) application. All the documentation I could find assumed that Spring Security was going to be used in a web application.

However, it’s very possible to use the security framework in a Swing application – a little custom code is required, but then, that is only to be expected!

Essentially what we did is create a LoginUtils class, which had an authenticate(username, password) method. This referenced the Spring AuthenticationProvider (we’re using a custom LDAP AuthenticationProvider, but you can use whichever suits your needs).

This is what the code looks like:

public Authentication authenticate( String username, String password )
 {
 UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( username, password );

 Authentication auth = _authProvider.authenticate( token );
 if (null != auth)
 {
 SecurityContextHolder.getContext().setAuthentication( auth );

 _eventPublisher.publishEvent( new InteractiveAuthenticationSuccessEvent( auth, this.getClass() ) );

 return auth;
 }
 throw new BadCredentialsException( "null authentication" );
 }

You can then call this method from wherever you want in your application (for example, from a Login action) and your user will be logged in.

Both _authProvider and _eventPublisher are dependency-injected properties.

Notice the _eventPublisher.publish(…) call.  You do not need this if you have nothing listening out for those events. However, if you do not publish them then they will not be published, so it’s worthwhile doing – particularly if you’re writing a security framework!

The other important thing is – and this is something which caught me out first time round – is that the SecurityContextHolder by default uses a ThreadLocal pattern. For a Swing application you will want the Global pattern. Put this somewhere in your code (i.e. a static initializer, or your main method):

SecurityContextHolder.setStrategyName( SecurityContextHolder.MODE_GLOBAL );

This means that the Authentication object will be available to your entire application – if you don’t do this, objects on a different thread to the one you logged in on will not be able to ‘see’ your credentials. For a while I couldn’t figure out why my Authentication object was coming back as null, until I realised!

Note: this post is application to Spring Security 2.0.4. At the time of writing, version 3 is only at milestone 1 so I have not tried it yet!

About these ads

Comments

1. qixin - July 13, 2009

To be honesy, I couldn’t understand what you wrote dut to i am newbie for spring security. But this article i only one i ‘ve found wrting for swing spring security and i felt you gave a very good clue for that. Thank you . i will continue to dig in spring security. Hopefully, i can understand you soon.

2. Developer Dude - August 24, 2009

Thanks for bringing up a couple of issues I had not thought of, but this is only part of using Spring Security in a Swing app. The login/authentication is fairly straightforward and simple. What is needed beyond that is a pattern for checking authorization, within the app, for given actions and views.

For example, how do you enable/disable a menu item, or decide what data to display to a user by their role?

Sure, you can sprinkle hard coded logic through out the app checking the role of the current user against a particular action/view. But that means when you want to add/change a role, or change the rights for a given component, you have to spelunk your code for that logic, and even then, the logic is not reusable between different apps/modules which may have different requirements for who does/sees what.

Or you can use the Spring Security per method restrictions – which don’t really work very well for enabling/disabling a menu item.

A better mechanism is to use Permissions and to configure those permissions in a policy file. Then in those areas where you need to, you examine the permissions and act accordingly.

There are other issues (forcing a logoff, etc.) but authorization for an action/view, is one of the core behaviors needed in many Swing apps.

3. Phill - August 25, 2009

Hi Developer Dude, it does depend on your app. I think authorization is one of those things which is hard to do right whatever framework you’re using. I’ve never seen a “silver bullet” solution which will work all the time.

Can you recommend anything for Swing which does a better job at managing authorization? I’d love to know how other people manage it, as this is (again) something which isn’t really covered much on the net.

4. Kevin - April 2, 2010

Can you also post your application context XML? I don’t know what how you configured _authProvider and _eventPublisher? In advance, thanks for posting this!

5. Spring Security Authentication Inside a Vaadin Application - June 1, 2010

[…] authentication by yourself. I created a nice Vaadin form for username and password input and used this post to authenticate the user. I used the Spring annotation based injection to get to my authentication […]

6. Menka - September 2, 2010

Would you rather use JAAS for securing swing application? Spring security doesn’t seem to be providing much benefit in client/server kind of situation, where there is RMI involved in accessing authentication call.

7. Joule Qiao - September 10, 2010

Hi, Developer Dude,I use eclipse rcp as my client side technology, and encounter familiar problem. And found out that Eclipse rcp provided a mechanism called activities,which can disable/enable menu/views and actioins, and can be defined declaratively. At early starup of eclipse rcp application lifecycle before application window is open, you can access the rcp context and ask rcp to disable/enable menu/view and actions by the authorities retrieved from spring security. That is, you just present what the user has been authorized to be accessed, and hide not authorized. Hope this helpful.

8. Michael Krog - March 18, 2011

WOOHOO.. Man.. You saved my day.

I was thinking I would be possible to hook into something in Spring, but it was way easier than I thought.

10 minutes and I had it going!

Thx!

9. don - January 10, 2012

Hi Phill,

is it possible to post your applicationContext.xml (or maybe the complete auth project somewhere?)

Thanks
Don

10. pil - February 13, 2012

Thank you so much for posting.I am able to set up authentication as well as global method security for a swing application

11. Danny - July 31, 2012

Thanks for your time to explain this to us. Im new on spring, im going to try your idea


Sorry comments are closed for this entry

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: