
Spring Security access control example

In Spring Security, access control (authorization) is easy to implement. See the following code snippet:


  <http auto-config="true">
	<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
  </http>

This means only a user with the authority “ROLE_ADMIN” is allowed to access the URI /admin*. If an unauthorized user tries to access it, an “HTTP 403 access denied” page is displayed.

Spring EL + Access Control

See the equivalent version in Spring EL. It is more flexible and includes many useful ready-made functions such as “hasIpAddress”; make sure to check all available EL functions in the official Spring EL access control documentation.


  <http auto-config="true" use-expressions="true">
	<intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
  </http>

In this tutorial, we show you how to use Spring Security to implement access control for the URL “/admin*”, where only a user authorized with “ROLE_ADMIN” is allowed to access the page.
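A check a practitioner will want before relying on the rule above, in either the plain or the Spring EL form: which request paths does the Ant-style pattern “/admin*” actually cover? The following Java program is an added example, not code from the tutorial; it runs spring-core's AntPathMatcher (the Ant-style matcher that intercept-url patterns follow) over constructed sample paths and shows that “/admin/users” is not covered by “/admin*” until a second “/admin/**” rule is added.

```java
import org.springframework.util.AntPathMatcher;

/**
 * Added example, not code from the tutorial. Shows which request paths the
 * tutorial's intercept-url pattern "/admin*" covers. Ant-style patterns
 * never let a single '*' cross a '/' boundary, so "/admin*" protects
 * "/admin", "/admin.htm" and "/administrator" but not "/admin/users";
 * a second rule on "/admin/**" closes that gap. Needs spring-core on the
 * classpath.
 */
public class AdminPatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** True if an intercept-url with this pattern would apply to the path. */
    static boolean covers(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    /** True if at least one of the patterns covers the path; a path that no
     *  intercept-url matches receives no access check at all. */
    static boolean coveredByAny(String[] patterns, String path) {
        for (String pattern : patterns) {
            if (covers(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the tutorial.
        String[] paths = { "/admin", "/admin.htm", "/administrator",
                           "/admin/users", "/admin/users/1" };
        String[] single = { "/admin*" };              // the tutorial's rule
        String[] both   = { "/admin*", "/admin/**" }; // rule plus sub-path rule

        System.out.println("path              /admin*   /admin* + /admin/**");
        for (String p : paths) {
            System.out.printf("%-17s %-9b %b%n",
                    p, coveredByAny(single, p), coveredByAny(both, p));
        }
    }
}
```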

1. Project Dependencies

Access control is included in the core Spring Security jar. Refer to this Spring Security hello world example for the list of required dependencies.

2. Spring MVC

A Spring MVC controller that returns a “hello” view; it should be self-explanatory.

File : WelcomeController.java


package com.mkyong.common.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class WelcomeController {

	@RequestMapping(value = "/admin", method = RequestMethod.GET)
	public String welcomeAdmin(ModelMap model) {

		model.addAttribute("message", "Spring Security - ROLE_ADMIN");
		return "hello";

	}
	
}

File : hello.jsp


<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
	<h2>Message : ${message}</h2>	
	
	<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
</body>
</html>

3. Spring Security

Full Spring Security configuration: only user “eclipse”, who holds “ROLE_ADMIN”, is allowed to access the “/admin” page.


<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

	<http auto-config="true">
		<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
		<logout logout-success-url="/admin" />
	</http>

	<authentication-manager>
	  <authentication-provider>
	   <user-service>
		<user name="mkyong" password="password" authorities="ROLE_USER" />
		<user name="eclipse" password="password" authorities="ROLE_ADMIN" />
	   </user-service>
	  </authentication-provider>
	</authentication-manager>

</beans:beans>

4. Demo

URL : http://localhost:8080/SpringMVC/admin

1. Default login form is displayed.

demo page - access control

2. If user “mkyong” logs in, the “HTTP 403 access denied” page is displayed, because “mkyong” has “ROLE_USER”.

demo page - access denied

3. If user “eclipse” logs in, “hello.jsp” is displayed, because “eclipse” has “ROLE_ADMIN”.

demo page - success

Customize 403 page

The default 403 page is ugly; read this example: How to customize the HTTP 403 access denied page in Spring Security.

References

  1. Spring Security authorization documentation
  2. Spring Security EL access control documentation

Comments

Josmell Echavarria
9 years ago

I have a problem with method POST in controllers

Raj
12 years ago

Hi

I have read through a few Spring Security articles and was able to create a web application based on them. However, I am stuck now at one point where I am finding no solution.

The problem is how do we integrate Apache WS-XML RPC with Spring Security. Spring Security works fine with normal HTTP. However, when I have, say, an XmlRpcServlet which acts as a controller for handling all XML-RPC calls, then how do we go

1. Intercept all calls by XmlRpcServlet, then pass the call to the Spring Security filter for authentication/authorization
2. Intercept all calls by the Spring Security filter, authenticate/authorize, and then pass them to the XmlRpcServlet for further processing

For me the 1st option looks more practical, but I am not getting a handle on it. Do you have any idea? I really need your help.

Gopi Arumugam
8 years ago

Sir, how to prevent direct URL access to another page in Spring?

sanzx25
9 years ago

Hi! When I followed this tutorial, the REST services in my project were blocked. When I remove this code from web.xml

then the REST services work but security doesn't.

<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

I want to use Spring Security and REST services in my project; how do I solve this problem?

mohsen
10 years ago

When I put some tags like this within my page, will “test user” and “test admin” display at runtime anyway?
xmlns:sec="http://www.springframework.org/security/tags"

test Admin

test User

or

Security.xml

Thanks!

jsoolee
10 years ago

Hi, I am a newbie to Spring MVC.
Could you tell me what source code and/or xml displays the default login form shown as the first output?
Best wishes and thanks in advance.
jsoolee

Bypasser
10 years ago

“Full Spring security configuration, only user “eclipse” is allow to access “/admin” page”: that is correct only for the example below, but not in general. If we create user eclipse2 and give him authorities="ROLE_ADMIN", this user could get access to /admin* too. I would add “With this configuration” or “For this example”.

sahil
10 years ago

Hello, I am a newbie to Spring Security.

What I am trying to do is secure my Solr web app so that only admin can perform all the actions and other users can only use select.

The URL I want to secure is:

http://ip:1500/solr/collection1/select?q=*%3A*&wt=xml&intend=true

So, to secure this, I have added the below code in my spring-security.xml

Now..

1. If I try to hit this URL: http://ip:1500/solr

then it asks for the username and password.

2. If I try to hit this URL: http://ip:1500/solr/collection1/select?q=*%3A*&wt=xml&intend=true

I am able to access it without authentication.

Can you guys help me out please?

Jromero
10 years ago

Hi mkyong,

I already implemented Spring Security; however, I need to access an external application (i.e. http://www.google.com) within an iframe. How can I unprotect this URL, since I already set up Spring Security in my application?

Thanks in advance!

Dewang
11 years ago

Hi,

I have implemented basic Spring Security in our app (say app1). We have another app (say app2), which was accessing app1 over HTTP. But as we added security to app1, now app2 cannot access app1. Can you please help: how do we do pre-auth, or some simple way to allow app2 to access app1? Thanks.

Regards,
Dewang

sridhar
11 years ago

Really, this example is very nice; I use it in my project.

ck
11 years ago

I downloaded this example and deployed it to the OC4J 10g app server, trying both JDK 1.5 and 1.6. The example doesn't work. There is no error message, just a blank page in the web browser. Can you help?

Tim
11 years ago
Reply to ck

A lil late but hey… when deploying this to Oracle app server 10g (guessing rel3), make sure ‘Inherit parent application’s shared library imports’ is not checked in Deployment Settings: Configure Class Loading. Had to do this for Hibernate/Jersey REST apps which use Spring Security, as well as external web archives like GeoServer…