Introduction to Spring Security

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. With Spring MVC setup ready with Maven, let’s understand Spring Security with a very simple demo built over Spring MVC.

First and foremost, let’s first configure the dependencies in our pom.xml file.

After this, let’s modify our web.xml file, which must have an added spring security filter configured. On a very high level, this filter ensures that the incoming requests will be handled by spring security.

We specify DelegatingFilterProxy class, which basically fetches the filter name, which in our case is the springSecurityFilterChain, and instantiates the bean with this name in the applicationContext. However, we note that we haven’t defined any bean with the name springSecurityFilterChain, then how is the bean going to get instantiated? It does, through the  element <http auto-config=’true’> we specify in the spring-security.xml. Once Spring finds this element defined, it will try to set up HTTP security, where the bean gets instantiated and gets assigned to the delegate reference. All Filter API calls such as doFilter() method invocations now gets delegated to this bean instance. Also to be noted, that Spring Security is not just one filter in place but has a filter chain comprising a total of nine filters, each responsible for certain functionalities.

The web.xml should look like:

The mvc-dispatcher-servlet.xml is the same as what we had kept for the Spring MVC demo as –

Note the properties we have set for InternalResourceViewResolver in mvc-dispatcher-servlet.xml above. This means that whenever a View is returned by the Spring Controller, JVM will look for that particular View inside /WEB-INF/pages/.

Now let’s create a separate spring-security.xml alongside mvc-dispatcher-servlet.xml, which should look like:

We have already discussed over the <http auto-config=’true’> part. Then there is the intercept-url element, which specifies that a particular URL pattern to be restricted to a particular role.

Also we have deliberately used Spring Security custom login form, where –

  1. login-page=”/login” specifies the page to display the custom login form. So we have a controller method with the request mapping as “login”, which returns the view for login page, along with model with custom error messages.
  2. authentication-failure-url=”/login?authfailed” specifies that if authentication failed, forward to page /login?authfailed. In this case, we are fetching the request param to conditionally return the custom message for failed authentication to be displayed on the login page.
  3. logout-success-url=”/login?logout” specifies that if logout successful, forward to /login?logout.
  4. username-parameter=”username” – specifies that the name of the request which contains the “username”. In HTML, this is the same as the name of the input textbox for username.
  5. default-target-url value is the URL where the user will be redirected after successful login.

Now for the Spring Security to work, we must add the corresponding dependencies into the pom.xml file. So in addition to the existing the Spring framework dependencies, below dependencies also needs to be added to pom.xml.

Finally, there is the controller we have created,, which looks like –

Now lets begin with the creation of JSP files inside /WEB-INF/pages/ as has been configured in the  mvc-dispatcher-servlet.xml.

Lets categorize the views into public and secured, where all the public files reside inside the directory named ‘public’ (/WEB-INF/pages/public) while all secured files reside inside a separate directory named ‘secured’ (/WEB-INF/pages/secured).

Since we have opted for Spring Security custom login form, lets create login.jsp, where the username and password input element names should match with the ones we have specified in the form-login element of spring-security.xml.

So our login.jsp should look something like –

Note that the form action in the login page is specified to be ‘j_spring_security_check‘, which is the default Spring Security login-processor. We can customize it by specifying the login-processor attribute along with login-page attribute in the <form-login> element of spring-security.xml. ‘j_spring_security_check‘ as login form action ensures that the login form values submitted are intercepted by the Spring Security.

Now, once the user with role as ROLE_USER logs-in, Spring Security authenticates the user and redirects them to the /user mapping on successful login, which invokes the respective controller method for user, which further returns the corresponding view to be displayed on the browser. So in our case, the view that is returned on successful login of ROLE_USER is ‘user’, therefore let’s create the user.jsp within the ‘public’ directory (/WEB-INF/pages/public) as we already discussed earlier in this article.

user.jsp should look something like –

Similarly, the view that is returned on successful login of ROLE_ADMIN is ‘admin’, therefore let’s now create the admin.jsp within the ‘secured’ directory (/WEB-INF/pages/secured).

So the admin.jsp should look something like –

Now’s the time to run the application!

Lets quickly navigate to http://localhost:8080/SpringSecurityDemo/login, which invokes the respective controller method for login and returns login as the view, along with model data. Below is how we see the login page as –

Spring Security Demo - Login Page

Let’s try logging-in with wrong credentials, we can see the following –

Spring Security Demo - Authentication Failed

Now try logging-in with user credentials having role as ROLE_USER i.e. username as ‘user’ and password as ‘123’. Once we do this, we can see the following –

Spring Security Demo - User logged in

Now let’s try to access the URL for ‘admin’ i.e http://localhost:8080/SpringSecurityDemo/admin, which should NOT be allowed to a user with role ROLE_USER and should be allowed ONLY to users with role as ROLE_ADMIN.

Spring Security Demo - Access Denied

So yes, it is ‘access denied’, since the user currently logged in has a role ROLE_USER.

Okay, now let’s logout the user and try logging-in with the admin role ROLE_ADMIN i.e. username as ‘admin’ and password as ‘123’.

Spring Security Demo - User logged in

As specified in the spring-security.xml context, the admin role ROLE_ADMIN should be authorized to view both the user page as well as the admin page. User page is already accessible to the admin as can be seen in the above snapshot. Now let’s navigate to the admin page http://localhost:8080/SpringSecurityDemo/admin and check if the page is accessible.

Spring Security Demo - Admin Page

So yes, it is, since the user currently logged in has a role ROLE_ADMIN.

That is it. But before we end up, below is the project structure for your reference that we see after importing it in Eclipse –

Spring Security - Project Structure

Receive our updates to your inbox

Get more stuff like this
in your inbox

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.