Spring Security - Pre-Authentication using Header

Spring Security - Pre-Authentication using Header

Spring Security  

In our earlier tutorial we have seen about Spring Security Pre-Authentication using request parameters. In this tutorial we will see about Pre-Authentication by setting header value. For more docs please refer to Spring Docs link.

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.app.mvc</groupId>
 <artifactId>springsecurity</artifactId>
 <packaging>war</packaging>
 <version>1.0-SNAPSHOT</version>
 <name>Spring Security</name>
 <url>http://maven.apache.org</url>
 <properties>
  <spring.version>3.0.5.RELEASE</spring.version>
  <jackson-mapper-asl.version>1.9.9</jackson-mapper-asl.version>
  <jaxb-api.version>2.2.7</jaxb-api.version>
 </properties>
 <dependencies>
  <dependency>
   <groupId>junit</groupId>
   <artifactId>junit</artifactId>
   <version>3.8.1</version>
   <scope>test</scope>
  </dependency>
  <!-- Spring 3 dependencies -->
  <dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-core</artifactId>
   <version>${spring.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-web</artifactId>
   <version>${spring.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-webmvc</artifactId>
   <version>${spring.version}</version>
   <scope>compile</scope>
  </dependency>

  <!-- Spring Security -->
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-core</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-web</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-config</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-taglibs</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>javax.servlet</groupId>
   <artifactId>jstl</artifactId>
   <version>1.2</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>taglibs</groupId>
   <artifactId>standard</artifactId>
   <version>1.1.2</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>org.codehaus.jackson</groupId>
   <artifactId>jackson-mapper-asl</artifactId>
   <version>${jackson-mapper-asl.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>javax.xml.bind</groupId>
   <artifactId>jaxb-api</artifactId>
   <version>${jaxb-api.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>javax.servlet</groupId>
   <artifactId>javax.servlet-api</artifactId>
   <version>3.0.1</version>
   <scope>provided</scope>
  </dependency>

 </dependencies>
 <build>
  <finalName>springsecurity</finalName>
 </build>
</project>

web.xml

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

 <display-name>Spring Security</display-name>

 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/spring-mvc-servlet.xml</param-value>
 </context-param>

 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

 <listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>

 <servlet>
  <servlet-name>spring-mvc</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
 </servlet>

 <servlet-mapping>
  <servlet-name>spring-mvc</servlet-name>
  <url-pattern>/*</url-pattern>
 </servlet-mapping>


</web-app>

spring-mvc-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
     
     <!-- Annotation are configuring the application -->
     <mvc:annotation-driven/>
 
     <!-- Scan this package for all config annotations -->
 <context:component-scan base-package="com.app.controller" />
 
 <security:http use-expressions="true" auto-config="true" entry-point-ref="http403EntryPoint">
     <!-- Additional http configuration omitted -->
     <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
     <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
   </security:http>

    <bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
     <property name="principalRequestHeader" value="SM_USER"/>
     <property name="authenticationManager" ref="authenticationManager" />
 </bean>
 
   <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
     <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
          <property name="userDetailsService" ref="customUserDetailsService"/>
        </bean>
     </property>
    </bean>

    <security:authentication-manager alias="authenticationManager">
       <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager> 
    
    <bean id="customUserDetailsService" class="com.app.service.CustomUserDetailsService"></bean>
    <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean>
    
</beans>

Employee.java

package com.app.model;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement(name="employee")
@XmlAccessorType(XmlAccessType.NONE)
public class Employee {
 
 @XmlElement(name="empid")
 private String empId;
 
 @XmlElement(name="firstname")
 private String firstName;
 
 @XmlElement(name="lastname")
 private String lastName;
 
 @XmlElement(name="designation")
 private String designation;
 
 public String getEmpId() {
  return empId;
 }
 public void setEmpId(String empId) {
  this.empId = empId;
 }
 public String getFirstName() {
  return firstName;
 }
 public void setFirstName(String firstName) {
  this.firstName = firstName;
 }
 public String getLastName() {
  return lastName;
 }
 public void setLastName(String lastName) {
  this.lastName = lastName;
 }
 public String getDesignation() {
  return designation;
 }
 public void setDesignation(String designation) {
  this.designation = designation;
 } 
}

Employees.java

package com.app.model;

import java.util.Collection;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;


@XmlRootElement(name="employees")
@XmlAccessorType(XmlAccessType.NONE)
public class Employees 
{
 @XmlElement(name="employees")
 private Collection<Employee> employees;

 public Collection<Employee> getUsers() {
  return employees;
 }

 public void setUsers(Collection<Employee> employees) {
  this.employees = employees;
 }
}

CustomUserDetailsService.java

package com.app.service;

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class CustomUserDetailsService implements UserDetailsService
{
 public UserDetails loadUserByUsername(String userName)
         throws UsernameNotFoundException
    {
  System.out.println("Username::: "+userName);
  UserDetails user = null;
  if(userName.equalsIgnoreCase("admin")){
   user = getAdminUser(userName);
  }else if(userName.equalsIgnoreCase("dba")){
   user = getDBAUser(userName);
  }else if(userName.equalsIgnoreCase("user")){
   user = getUserUser(userName);
  }
  
  if (user == null) {
         throw new UsernameNotFoundException("Invalid user : "+userName);
     }
  
  return user;
    }
 
 private UserDetails getAdminUser(String username) {
     Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
     //Don't change the order
     grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
     grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_DBA"));
     grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
     
     return new User(username, "adminpassword", true, true, true, true,
             grantedAuthorities);
 }

 private UserDetails getDBAUser(String username) {
     Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
     //Don't change the order
     grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_DBA"));
     grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
     return new User(username, "dbapassword", true, true, true, true,
             grantedAuthorities);
 }

 private UserDetails getUserUser(String username) {
     Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
     grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
     return new User(username, "userpassword", true, true, true, true,
             grantedAuthorities);
 }
}

EmployeeController.java

package com.app.controller;

import java.util.ArrayList;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

import com.app.model.Employee;
import com.app.model.Employees;

@Controller
@RequestMapping("/employees")
public class EmployeeController 
{
 @RequestMapping(method = RequestMethod.GET,  headers="Accept=application/xml")
 public @ResponseBody Employees getAllUsers() 
 {
  
  String userRole = getUserRole();
  
  System.out.println("User Role : "+userRole);
        
  Employee emp1 = new Employee();
  
  if(userRole.equals("admin")){
   emp1.setEmpId("101");
   emp1.setFirstName("Steve");
   emp1.setLastName("Smith");
   emp1.setDesignation("ADMIN");
  
  }else if(userRole.equals("dba")){
   emp1.setEmpId("301");
   emp1.setFirstName("Bill");
   emp1.setLastName("Rock");
   emp1.setDesignation("DBA");
  
  }else if(userRole.equals("user")){
   emp1.setEmpId("163");
   emp1.setFirstName("Tim");
   emp1.setLastName("Jack");
   emp1.setDesignation("USER");
  } 
  
  Employees users = new Employees();
  users.setUsers(new ArrayList<Employee>());
  users.getUsers().add(emp1);
  
  return users;
 }
 
 
 private String getUserRole(){
  
  String userRole = "";
  
  SecurityContext context = SecurityContextHolder.getContext();
        Authentication authentication = context.getAuthentication();
        
        for (GrantedAuthority auth : authentication.getAuthorities()) {
            if ("ROLE_ADMIN".equals(auth.getAuthority())){
                userRole = "admin";
                return userRole;
            }
            if ("ROLE_DBA".equals(auth.getAuthority())){
                userRole = "dba";
                return userRole;
            }
            if ("ROLE_USER".equals(auth.getAuthority())){
                userRole = "user";
                return userRole;
            }
        }
        
        return userRole;
 }
}

OUTPUT:

Request without header value - Error page

Request with SM_USER header - Success page

Spring Security - Pre-Authentication

Spring Security - Pre-Authentication

Spring Security  

Using spring security is a scenario where we need to check for users pre-authentication while accessing the application. For example valid user logged-in to ABC application, and inside ABC application there are XYZ services running which require user authentication, but users who access ABC application should not require to authenticate again by XYZ services when they access through ABC application, just need to pre-authenticate by earlier login details. 
Here Spring Security Pre-Authentication plays the role for us. For more details and methods and classes please refer to Spring docs link. 
Directly lets see simple example to authenticate user based on request param. Here all services and pages are filtered through security chain and only valid users can access like "admin", "dba" and "user".

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.app.mvc</groupId>
 <artifactId>springsecuritybyurl</artifactId>
 <packaging>war</packaging>
 <version>1.0-SNAPSHOT</version>
 <name>Spring Security By URL</name>
 <url>http://maven.apache.org</url>
 <properties>
  <spring.version>3.0.5.RELEASE</spring.version>
  <jackson-mapper-asl.version>1.9.9</jackson-mapper-asl.version>
  <jaxb-api.version>2.2.7</jaxb-api.version>
 </properties>
 <dependencies>
  <dependency>
   <groupId>junit</groupId>
   <artifactId>junit</artifactId>
   <version>3.8.1</version>
   <scope>test</scope>
  </dependency>
  <!-- Spring 3 dependencies -->
  <dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-core</artifactId>
   <version>${spring.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-web</artifactId>
   <version>${spring.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>org.springframework</groupId>
   <artifactId>spring-webmvc</artifactId>
   <version>${spring.version}</version>
   <scope>compile</scope>
  </dependency>

  <!-- Spring Security -->
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-core</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-web</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-config</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>
  <dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-taglibs</artifactId>
   <version>${spring.version}</version>
   <type>jar</type>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>javax.servlet</groupId>
   <artifactId>jstl</artifactId>
   <version>1.2</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>taglibs</groupId>
   <artifactId>standard</artifactId>
   <version>1.1.2</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>org.codehaus.jackson</groupId>
   <artifactId>jackson-mapper-asl</artifactId>
   <version>${jackson-mapper-asl.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>javax.xml.bind</groupId>
   <artifactId>jaxb-api</artifactId>
   <version>${jaxb-api.version}</version>
   <scope>compile</scope>
  </dependency>

  <dependency>
   <groupId>javax.servlet</groupId>
   <artifactId>javax.servlet-api</artifactId>
   <version>3.0.1</version>
   <scope>provided</scope>
  </dependency>

 </dependencies>
 <build>
  <finalName>springsecuritybyurl</finalName>
 </build>
</project>

spring-mvc-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:security="http://www.springframework.org/schema/security"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
 xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:aop="http://www.springframework.org/schema/aop"
 xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

 <!-- Annotation are configuring the application -->
 <mvc:annotation-driven />

 <!-- Scan this package for all config annotations -->
 <context:component-scan base-package="com.app.controller" />

 <security:http create-session="never" use-expressions="true"
  auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
  <security:intercept-url pattern="/jsp/access-denied.jsp"
   access="permitAll()" />
  <security:intercept-url pattern="/accessdenied.do"
   access="permitAll()" />
  <security:intercept-url pattern="/**"
   access="hasRole('ROLE_USER')" />
  <security:custom-filter position="PRE_AUTH_FILTER"
   ref="preAuthFilter" />
  <security:session-management
   session-fixation-protection="none" />
 </security:http>

 <bean id="preAuthFilter" class="com.app.filter.UrlParametersAuthenticationFilter">
  <property name="authenticationManager" ref="appControlAuthenticationManager" />
 </bean>

 <bean id="preAuthenticationProvider"
  class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <property name="preAuthenticatedUserDetailsService" ref="UserDetailsServiceImpl" />
 </bean>


 <security:authentication-manager alias="appControlAuthenticationManager">
  <security:authentication-provider
   ref="preAuthenticationProvider" />
 </security:authentication-manager>


 <bean id="UserDetailsServiceImpl" class="com.app.security.UserDetailsServiceImpl" />

 <bean id="preAuthenticatedProcessingFilterEntryPoint" class="com.app.security.AuthenticationEntryPointDenied" />


 <!-- <bean id="customUserDetailsService" class="com.app.security.CustomUserDetailsService"></bean> 
  <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean> -->

</beans>

web.xml

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
 <display-name>Spring Security By URL</display-name>
 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
   /WEB-INF/spring-mvc-servlet.xml
  </param-value>
 </context-param>

 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>

 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

 <listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>

 <listener>
  <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
 </listener>

 <servlet>
  <servlet-name>accessTest</servlet-name>
  <jsp-file>/WEB-INF/jsp/access-denied.jsp</jsp-file>
 </servlet>

 <servlet>
  <servlet-name>spring-mvc</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
 </servlet>


 <servlet-mapping>
  <servlet-name>accessTest</servlet-name>
  <url-pattern>/accessdenied.do</url-pattern>
 </servlet-mapping>

 <servlet-mapping>
  <servlet-name>spring-mvc</servlet-name>
  <url-pattern>/</url-pattern>
 </servlet-mapping>





</web-app>

access-denied.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jstl/fmt" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql" %>

<html>
 <head>
  <title>Invalid user</title>
 </head>
 <body>
  <h1>Oops, Access denied....</h1> 
 </body>
</html>

UrlParametersAuthenticationFilter.java

package com.app.filter;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

public class UrlParametersAuthenticationFilter  extends AbstractPreAuthenticatedProcessingFilter {

 @Override
 protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
  
  //Checking for no. of URL params
  if (request.getParameterMap().size() == 1) {
         return true;
     }
     return false;
 }

 @Override
 protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
  
  String[] credentials = new String[1];
     
  //Getting authentication credentials
  credentials[0] = request.getParameter("param1");
     
     return credentials;
 }

}

AuthenticationEntryPointDenied.java

package com.app.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;

public class AuthenticationEntryPointDenied implements AuthenticationEntryPoint {

 public void commence(HttpServletRequest request,
   HttpServletResponse response, AuthenticationException authException)
   throws IOException, ServletException {
  
  // Redirecting service to access denied page for invalid users
  RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
  redirectStrategy.sendRedirect(request, response, "/accessdenied.do");
  
 }

}

UserDetailsServiceImpl.java

package com.app.security;

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserDetailsServiceImpl implements AuthenticationUserDetailsService {

 public UserDetails loadUserDetails(Authentication token)
   throws UsernameNotFoundException {
  UserDetails userDetails = null;

  String[] credentials = (String[]) token.getCredentials();
  boolean principal = Boolean.valueOf(token.getPrincipal().toString());

  if (credentials != null && principal == true) {
   String name = credentials[0];

   // Setting user Authorities
   if ("admin".equalsIgnoreCase(name)) {
    userDetails = getAdminUser(name);
   } else if ("dba".equalsIgnoreCase(name)) {
    userDetails = getDBAUser(name);
   } else if ("user".equalsIgnoreCase(name)) {
    userDetails = getUserUser(name);
   }
  }

  if (userDetails == null) {
   throw new UsernameNotFoundException("Invalid user - "
     + credentials[0]);
  }

  return userDetails;
 }

 private UserDetails getAdminUser(String username) {
  Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
  grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
  grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_DBA"));
  grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
  return new User(username, "notused", true, true, true, true,
    grantedAuthorities);
 }

 private UserDetails getDBAUser(String username) {
  Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
  grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
  grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_DBA"));
  return new User(username, "notused", true, true, true, true,
    grantedAuthorities);
 }

 private UserDetails getUserUser(String username) {
  Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
  grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
  return new User(username, "notused", true, true, true, true,
    grantedAuthorities);
 }
}

Employee.java

package com.app.model;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement(name="employee")
@XmlAccessorType(XmlAccessType.NONE)
public class Employee {
 
 @XmlElement(name="firstName")
 private String firstName;
 
 @XmlElement(name="lastName")
 private String lastName;
 
 @XmlElement(name="role")
 private String role;
 
 public String getFirstName() {
  return firstName;
 }
 public void setFirstName(String firstName) {
  this.firstName = firstName;
 }
 public String getLastName() {
  return lastName;
 }
 public void setLastName(String lastName) {
  this.lastName = lastName;
 }
 public String getRole() {
  return role;
 }
 public void setRole(String role) {
  this.role = role;
 }
}

Employees.java

package com.app.model;

import java.util.Collection;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;


@XmlRootElement(name="employees")
@XmlAccessorType(XmlAccessType.NONE)
public class Employees 
{
 @XmlElement(name="employee")
 private Collection<Employee> employees;

 public Collection<Employee> getUsers() {
  return employees;
 }

 public void setUsers(Collection<Employee> employees) {
  this.employees = employees;
 }
}

DemoController.java

package com.app.controller;

import java.util.ArrayList;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

import com.app.model.Employee;
import com.app.model.Employees;

@Controller
@RequestMapping("/employees")
public class DemoController 
{
 @RequestMapping(method = RequestMethod.GET,  headers="Accept=application/xml")
 public @ResponseBody Employees getEmployees() 
 {
  
  String userRole = getUserRole();
  
  System.out.println("User Role : "+userRole);
        
  Employee emp1 = new Employee();
  Employee emp2 = new Employee();
  
  if(userRole.equals("admin")){
  
   emp1.setFirstName("Bala");
   emp1.setLastName("Raj");
   emp1.setRole("ADMIN");
   emp2.setFirstName("Tim");
   emp2.setLastName("Rock");
   emp2.setRole("ADMIN");
  
  }else if(userRole.equals("dba")){
   
   emp1.setFirstName("Steve");
   emp1.setLastName("Jose");
   emp1.setRole("DBA");
   emp2.setFirstName("Bill");
   emp2.setLastName("Fish");
   emp2.setRole("DBA");
   
  }else if(userRole.equals("user")){
   
   emp1.setFirstName("Joy");
   emp1.setLastName("Tiger");
   emp1.setRole("USER");
   emp2.setFirstName("Wood");
   emp2.setLastName("Rich");
   emp2.setRole("USER");
   
  } 
  
  Employees emps = new Employees();
  emps.setUsers(new ArrayList<Employee>());
  emps.getUsers().add(emp1);
  emps.getUsers().add(emp2);
  
  return emps;
 }
 
 private String getUserRole(){
  
  String userRole = "";
  
  SecurityContext context = SecurityContextHolder.getContext();
        Authentication authentication = context.getAuthentication();
        
        for (GrantedAuthority auth : authentication.getAuthorities()) {
            if ("ROLE_ADMIN".equals(auth.getAuthority())){
                userRole = "admin";
                break;
            }
            if ("ROLE_DBA".equals(auth.getAuthority())){
                userRole = "dba";
                break;
            }
            if ("ROLE_USER".equals(auth.getAuthority())){
                userRole = "user";
                break;
            }
        }
        
        return userRole;
 }
}

OUTPUT:

URL : http://localhost:8080/springsecuritybyurl/employees?param1=bill

URL : http://localhost:8080/springsecuritybyurl/employees?param1=admin

Download complete sample project from below link.

Spring Security - Pre-Authentication.