Custom security via password hashing, using expressions for roles, and handling the browser cache.

Servlet configuration to manage the MVC architecture.

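<?xml version="1.0" encoding="UTF-8"?>

<!-- DispatcherServlet context: component scanning, JSP view resolution and a cache-control
     interceptor. Only the namespaces actually used below (beans, context, mvc) are declared,
     so the document no longer points at schemas it never uses. -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">

    <!-- Pick up annotated components (controllers, services, ...) under the application package. -->
    <context:component-scan base-package="com.techa2zsoln.dyndb.*" />

    <!-- Map the logical view name returned by a controller to /WEB-INF/pages/<name>.jsp.
         Keeping the JSPs under WEB-INF means the container will not serve them directly. -->
    <bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/pages/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <!-- Prevent browser caching: after logout, the Back button must not show inner pages
         that the browser kept in its cache. cacheSeconds=0 together with the Expires,
         Cache-Control and no-store flags marks every response that passes through this
         servlet's handler mappings as non-cacheable. -->
    <mvc:interceptors>
        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
            <property name="cacheSeconds" value="0" />
            <property name="useExpiresHeader" value="true" />
            <property name="useCacheControlHeader" value="true" />
            <property name="useCacheControlNoStore" value="true" />
        </bean>
    </mvc:interceptors>

</beans>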



Here we declare the Spring Security configuration XML file.
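<?xml version="1.0" encoding="UTF-8"?>

<!-- Spring Security context: form login, expression-based URL authorisation and an
     in-memory user store whose passwords are BCrypt hashes. -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Custom form-based security. use-expressions="true" makes each access attribute a
         SpEL expression. Note that auto-config="true" also switches on HTTP Basic alongside
         form-login and logout; set it to false if only the form login is wanted. -->
    <security:http auto-config="true" use-expressions="true">
        <!-- Only /successurl/** is protected: the caller needs ROLE_ADMIN or ROLE_USER AND a
             loopback remote address. hasIpAddress('127.0.0.1') is checked against the request's
             remote address, so it denies every off-box client, and behind a reverse proxy it sees
             the proxy's address instead of the user's; drop or widen it before deploying.
             No other URL has an intercept-url rule, so everything else is reachable anonymously;
             add a trailing pattern="/**" rule if that is not the intention. -->
        <security:intercept-url pattern="/successurl/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER') and hasIpAddress('127.0.0.1')" />
        <security:form-login login-page="/login" default-target-url="/successurl" authentication-failure-url="/loginfailed" />
        <security:logout logout-success-url="/" />
    </security:http>

    <!-- In-memory users. Passwords are stored as BCrypt hashes (the $2a$12$ prefix shows they
         were generated at cost 12), never in clear text. An in-memory store is fine for a demo;
         a real deployment should use jdbc-user-service or a UserDetailsService instead. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:password-encoder ref="encoder" />
            <security:user-service>
                <security:user name="wasim" password="$2a$12$/1PpWxv2PFqIHazNGCcaluiFleb9LPDR7D5Z6LrcPjcaUbMby5H7m" authorities="ROLE_ADMIN" />
                <security:user name="ansari" password="$2a$12$.YjS6DYvOVnLZgcV7P3cpubKqOfddisb.8iGQAgz7mmbPiRmcgq5C" authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- BCrypt with cost factor 12. The cost here only affects newly encoded passwords;
         verification reads the cost from the stored hash itself. -->
    <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg value="12" />
    </bean>

</beans>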

Whenever it is necessary to react to a successful authentication with a custom class, implement AuthenticationSuccessHandler.

Remove default-target-url and add authentication-success-handler-ref="customAuthSuccessHandler" in its place,

and declare the referenced bean.

<!-- Success handler referenced by authentication-success-handler-ref on <security:form-login>. -->
<bean id="customAuthSuccessHandler" class="com.dyn.serv.auth.CustomAuthSuccessHandler" />


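/**
 * Runs once a login has succeeded: stores the authenticated user's name and authorities
 * in the HTTP session and redirects to the landing page.
 *
 * When wired via authentication-success-handler-ref, Spring Security calls this instead of
 * sending the user to default-target-url, so the redirect target is chosen here.
 */
public class CustomAuthSuccessHandler implements AuthenticationSuccessHandler {

    /** Landing page after login, relative to the web application's context root. */
    private static final String SUCCESS_PATH = "/successurl";

    /**
     * @param request        the request that completed the login
     * @param response       the response the redirect is written to
     * @param authentication the Authentication produced by the authentication provider
     * @throws IOException      if the redirect cannot be sent
     * @throws ServletException not thrown here; declared by the interface
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) throws IOException,
            ServletException {
        // Use the Authentication handed to us instead of re-reading SecurityContextHolder and
        // casting the principal to User: getName() yields the username for any principal type,
        // so a non-User principal no longer ends in a ClassCastException.
        HttpSession session = request.getSession();
        session.setAttribute("username", authentication.getName());
        session.setAttribute("authorities", authentication.getAuthorities());

        // sendRedirect() sets the 302 status itself, so an explicit setStatus(SC_OK) beforehand
        // has no effect and was dropped. Anchoring the target at the context path keeps the
        // redirect independent of the depth of the login-processing URL.
        response.sendRedirect(request.getContextPath() + SUCCESS_PATH);
    }
}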