June 17, 2019

Check Authentication using Spring MVC and Handler Interceptor

The Spring Web MVC framework provides an interceptor mechanism that is useful when you want to apply specific functionality to certain requests, for example checking user authentication. The basis of this mechanism is the HandlerInterceptor interface. This object, which replaces the traditional J2EE Servlet Filter, fits into the Handler life cycle and can perform operations in a totally independent and decoupled way. HandlerInterceptor defines three methods that let you apply specific operations in the execution chain of the Handler:

– preHandle: called before the actual handler is executed
– postHandle: called after the handler is executed
– afterCompletion: called after the complete request has finished

In this post I show how to check user authentication using the HandlerInterceptor. This example can be useful for understanding the interceptor mechanism in the Spring MVC execution chain. To provide a high-level view, I sketched some sequence diagrams showing the main use cases of the authentication mechanism. I only show the most basic implementation of the authentication check. If you are looking for a more secure and reliable solution for authentication and access control, take a look at Spring Security.

1 - Request for base URI


SOURCE CODE (/giuseu/spring-mvc)

git clone https://gitlab.com/giuseppeurso-eu/spring-mvc

STEP 1. Spring MVC Configuration
STEP 2. Login Components Configuration
STEP 3. Interceptor Configuration

STEP 1. Spring MVC Configuration

First I create a Spring MVC skeleton using Maven, then I import the project into the Eclipse IDE and enable the “Project Facets” > “Dynamic Web Module” setting. For the view component I also add some web resources such as CSS, images and JavaScript libraries.



I define the Spring MVC Servlet Dispatcher and an initial view resolver, here is an excerpt.

I create the Spring MVC Controller instance containing a simple RequestMapping for the welcome.jsp.




STEP 2. Login Components Configuration

I update the Controller to map the web application context root to a login form, then I create a JSP page to submit the user credentials. Pay attention to the modelAttribute in the form:form tag: it must hold the same value defined in the Controller (“loginAttribute”).


STEP 3. Interceptor Configuration

Finally I define the HandlerInterceptor implementation in the spring-dispatcher.xml file. To manage the user authentication check, I override the preHandle method. I use the LOGGEDIN_USER attribute to check for authenticated users in the session. To avoid an unintended redirect loop I exclude the root web context and the login event URLs (see the sequence diagram above).
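A minimal preHandle along the lines described above, as an added example and not the code from the post's repository. It assumes Spring 5 with the javax.servlet API; the login event paths in PUBLIC_PATHS are hypothetical placeholders, while AuthenticationInterceptor and LOGGEDIN_USER are the names used in the post.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;

public class AuthenticationInterceptor implements HandlerInterceptor {

    // Session attribute named in the post; set by the login handler on success.
    static final String LOGGEDIN_USER = "LOGGEDIN_USER";

    // Hypothetical paths (relative to the context root) that stay reachable
    // without a session: the root login form and the login event URLs.
    private static final Set<String> PUBLIC_PATHS = new HashSet<>(
            Arrays.asList("", "/", "/login.do", "/login-failed.do"));

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) throws Exception {
        // Path inside the application, without the context path prefix.
        String path = request.getRequestURI()
                .substring(request.getContextPath().length());

        // Exact match only. Suffix or substring matching would also let
        // through paths such as /admin/login.do; anything that is not an
        // exact public path falls through to the session check.
        if (PUBLIC_PATHS.contains(path)) {
            return true;
        }

        // getSession(false) does not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(LOGGEDIN_USER) != null) {
            return true; // authenticated: continue to the handler
        }

        // Not authenticated: send the client to the login form and stop the chain.
        response.sendRedirect(request.getContextPath() + "/");
        return false;
    }
}
```

Static resources such as CSS and images pass through the same check unless the interceptor mapping excludes them, so a login page that loads them needs that exclusion as well.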

Furthermore I must update the Controller, adding the RequestMapping for the login events. The POST method checks the user credentials submitted in the login form. To simulate a Persistence Data Layer I create a simple text file containing the user credential values. To access the data I use the java.util ResourceBundle. When Tomcat starts, the servlet container initializes the Request Mapping Handlers, as you can see in the log messages below. When I request the root web context URL for the first time, the AuthenticationInterceptor detects the unauthenticated user and shows the login page.




In conclusion, I’ve only demonstrated the most basic implementation of a Handler Interceptor for authentication checking: if we try to access any other URL without logging into the application, it will automatically redirect to the login page; otherwise it will respond with a welcome page.
