Main Tutorials

Spring Security form login using database

In this tutorial, we will show you how to perform database authentication (using both XML and Annotations) in Spring Security.

Technologies used :

  1. Spring 3.2.8.RELEASE
  2. Spring Security 3.2.3.RELEASE
  3. Spring JDBC 3.2.3.RELEASE
  4. Eclipse 4.2
  5. JDK 1.6
  6. Maven 3
  7. Tomcat 6 or 7 (Servlet 3.x)
  8. MySQL Server 5.6

Previous login-form in-memory authentication will be reused, enhance to support the following features :

  1. Database authentication, using Spring-JDBC and MySQL.
  2. Spring Security, JSP TagLib, sec:authorize access="hasRole('ROLE_USER')
  3. Customize a 403 access denied page.

1. Project Demo

2. Project Directory

Review the final project structure (XML-based) :

spring-security-database-xml-directory

Review the final project structure (Annotation-based):

spring-security-database-annotation-directory

3. Project Dependencies

Get dependency for Spring, Spring Security, JDBC, Taglib and MySQL

pom.xml

	<properties>
		<jdk.version>1.6</jdk.version>
		<spring.version>3.2.8.RELEASE</spring.version>
		<spring.security.version>3.2.3.RELEASE</spring.security.version>
		<jstl.version>1.2</jstl.version>
		<mysql.connector.version>5.1.30</mysql.connector.version>
	</properties>

	<dependencies>

		<!-- Spring 3 dependencies -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-core</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-web</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-jdbc</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${spring.security.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${spring.security.version}</version>
		</dependency>

		<!-- Spring Security JSP Taglib -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
			<version>${spring.security.version}</version>
		</dependency>

		<!-- jstl for jsp page -->
		<dependency>
			<groupId>jstl</groupId>
			<artifactId>jstl</artifactId>
			<version>${jstl.version}</version>
		</dependency>

                <!-- connect to mysql -->
		<dependency>
			<groupId>mysql</groupId>
			<artifactId>mysql-connector-java</artifactId>
			<version>${mysql.connector.version}</version>
		</dependency>

	</dependencies>
	
</project>

4. Database

To perform database authentication, you have to create tables to store the users and roles detail. Please refer to this Spring Security user-schema reference. Here are the MySQL scripts to create users and user_roles tables.

4.1 Create a “users” table.

users.sql

CREATE  TABLE users (
  username VARCHAR(45) NOT NULL ,
  password VARCHAR(45) NOT NULL ,
  enabled TINYINT NOT NULL DEFAULT 1 ,
  PRIMARY KEY (username));

4.2 Create a “user_roles” table.

user_roles.sql

CREATE TABLE user_roles (
  user_role_id int(11) NOT NULL AUTO_INCREMENT,
  username varchar(45) NOT NULL,
  role varchar(45) NOT NULL,
  PRIMARY KEY (user_role_id),
  UNIQUE KEY uni_username_role (role,username),
  KEY fk_username_idx (username),
  CONSTRAINT fk_username FOREIGN KEY (username) REFERENCES users (username));

4.3 Inserts some records for testing.


INSERT INTO users(username,password,enabled)
VALUES ('mkyong','123456', true);
INSERT INTO users(username,password,enabled)
VALUES ('alex','123456', true);

INSERT INTO user_roles (username, role)
VALUES ('mkyong', 'ROLE_USER');
INSERT INTO user_roles (username, role)
VALUES ('mkyong', 'ROLE_ADMIN');
INSERT INTO user_roles (username, role)
VALUES ('alex', 'ROLE_USER');
Note

  1. Username “mkyong”, with role_user and role_admin.
  2. Username “alexa”, with role_user.

5. Spring Security Configuration

Spring Security in both XML and annotations.

5.1 Create a DataSource to connect MySQL.

spring-database.xml

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

	<bean id="dataSource"
		class="org.springframework.jdbc.datasource.DriverManagerDataSource">

		<property name="driverClassName" value="com.mysql.jdbc.Driver" />
		<property name="url" value="jdbc:mysql://localhost:3306/test" />
		<property name="username" value="root" />
		<property name="password" value="password" />
	</bean>

</beans>

The equivalent of the Spring annotations :

SecurityConfig.java

package com.mkyong.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@EnableWebMvc
@Configuration
@ComponentScan({ "com.mkyong.web.*" })
@Import({ SecurityConfig.class })
public class AppConfig {

	@Bean(name = "dataSource")
	public DriverManagerDataSource dataSource() {
	    DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
	    driverManagerDataSource.setDriverClassName("com.mysql.jdbc.Driver");
	    driverManagerDataSource.setUrl("jdbc:mysql://localhost:3306/test");
	    driverManagerDataSource.setUsername("root");
	    driverManagerDataSource.setPassword("password");
	    return driverManagerDataSource;
	}
	
	@Bean
	public InternalResourceViewResolver viewResolver() {
	    InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
	    viewResolver.setViewClass(JstlView.class);
	    viewResolver.setPrefix("/WEB-INF/pages/");
	    viewResolver.setSuffix(".jsp");
	    return viewResolver;
	}
	
}

5.2 Use jdbc-user-service to define a query to perform database authentication.

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
	<http auto-config="true" use-expressions="true">
		
		<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
		
		<!-- access denied page -->
		<access-denied-handler error-page="/403" />
		
		<form-login 
		    login-page="/login" 
		    default-target-url="/welcome" 
			authentication-failure-url="/login?error" 
			username-parameter="username"
			password-parameter="password" />
		<logout logout-success-url="/login?logout"  />
		<!-- enable csrf protection -->
		<csrf/>
	</http>
	
	<!-- Select users and user_roles from database -->
	<authentication-manager>
	  <authentication-provider>
		<jdbc-user-service data-source-ref="dataSource"
		  users-by-username-query=
		    "select username,password, enabled from users where username=?"
		  authorities-by-username-query=
		    "select username, role from user_roles where username =?  " />
	  </authentication-provider>
	</authentication-manager>

</beans:beans>

The equivalent of the Spring Security annotations :

SecurityConfig.java

package com.mkyong.config;

import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	DataSource dataSource;
	
	@Autowired
	public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
		
	  auth.jdbcAuthentication().dataSource(dataSource)
		.usersByUsernameQuery(
			"select username,password, enabled from users where username=?")
		.authoritiesByUsernameQuery(
			"select username, role from user_roles where username=?");
	}	
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {

	  http.authorizeRequests()
		.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
		.and()
		  .formLogin().loginPage("/login").failureUrl("/login?error")
		  .usernameParameter("username").passwordParameter("password")
		.and()
		  .logout().logoutSuccessUrl("/login?logout")
		.and()
		  .exceptionHandling().accessDeniedPage("/403")
		.and()
		  .csrf();
	}
}

6. JSP Pages

JSP pages for custom login page.

6.1 Default page, show the use of Spring Security JSP taglib sec:authorize to display content to users who have “ROLE_USER” authority.

hello.jsp

<%@taglib prefix="sec"
	uri="http://www.springframework.org/security/tags"%>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
	<h1>Title : ${title}</h1>
	<h1>Message : ${message}</h1>

	<sec:authorize access="hasRole('ROLE_USER')">
		<!-- For login user -->
		<c:url value="/j_spring_security_logout" var="logoutUrl" />
		<form action="${logoutUrl}" method="post" id="logoutForm">
			<input type="hidden" name="${_csrf.parameterName}"
				value="${_csrf.token}" />
		</form>
		<script>
			function formSubmit() {
				document.getElementById("logoutForm").submit();
			}
		</script>

		<c:if test="${pageContext.request.userPrincipal.name != null}">
			<h2>
				User : ${pageContext.request.userPrincipal.name} | <a
					href="javascript:formSubmit()"> Logout</a>
			</h2>
		</c:if>


	</sec:authorize>
</body>
</html>

6.2 Page to display the custom login form.

login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
<head>
<title>Login Page</title>
<style>
.error {
	padding: 15px;
	margin-bottom: 20px;
	border: 1px solid transparent;
	border-radius: 4px;
	color: #a94442;
	background-color: #f2dede;
	border-color: #ebccd1;
}

.msg {
	padding: 15px;
	margin-bottom: 20px;
	border: 1px solid transparent;
	border-radius: 4px;
	color: #31708f;
	background-color: #d9edf7;
	border-color: #bce8f1;
}

#login-box {
	width: 300px;
	padding: 20px;
	margin: 100px auto;
	background: #fff;
	-webkit-border-radius: 2px;
	-moz-border-radius: 2px;
	border: 1px solid #000;
}
</style>
</head>
<body onload='document.loginForm.username.focus();'>

	<h1>Spring Security Login Form (Database Authentication)</h1>

	<div id="login-box">

		<h2>Login with Username and Password</h2>

		<c:if test="${not empty error}">
			<div class="error">${error}</div>
		</c:if>
		<c:if test="${not empty msg}">
			<div class="msg">${msg}</div>
		</c:if>

		<form name='loginForm'
		  action="<c:url value='/j_spring_security_check' />" method='POST'>

		<table>
			<tr>
				<td>User:</td>
				<td><input type='text' name='username'></td>
			</tr>
			<tr>
				<td>Password:</td>
				<td><input type='password' name='password' /></td>
			</tr>
			<tr>
				<td colspan='2'><input name="submit" type="submit"
				  value="submit" /></td>
			</tr>
		  </table>

		  <input type="hidden" name="${_csrf.parameterName}"
			value="${_csrf.token}" />

		</form>
	</div>

</body>
</html>

6.3 This page is password protected, only authenticated user “ROLE_ADMIN” is allowed to access.

admin.jsp

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
<body>
	<h1>Title : ${title}</h1>
	<h1>Message : ${message}</h1>

	<c:url value="/j_spring_security_logout" var="logoutUrl" />
	<form action="${logoutUrl}" method="post" id="logoutForm">
		<input type="hidden" name="${_csrf.parameterName}"
			value="${_csrf.token}" />
	</form>
	<script>
		function formSubmit() {
			document.getElementById("logoutForm").submit();
		}
	</script>

	<c:if test="${pageContext.request.userPrincipal.name != null}">
		<h2>
			Welcome : ${pageContext.request.userPrincipal.name} | <a
				href="javascript:formSubmit()"> Logout</a>
		</h2>
	</c:if>

</body>
</html>

6.4 Custom 403 access denied page.

403.jsp

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
	<h1>HTTP Status 403 - Access is denied</h1>

	<c:choose>
		<c:when test="${empty username}">
		  <h2>You do not have permission to access this page!</h2>
		</c:when>
		<c:otherwise>
		  <h2>Username : ${username} <br/>
                    You do not have permission to access this page!</h2>
		</c:otherwise>
	</c:choose>

</body>
</html>

7. Spring MVC Controller

A simple controller.

MainController.java

package com.mkyong.web.controller;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class MainController {

	@RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET)
	public ModelAndView defaultPage() {

	  ModelAndView model = new ModelAndView();
	  model.addObject("title", "Spring Security Login Form - Database Authentication");
	  model.addObject("message", "This is default page!");
	  model.setViewName("hello");
	  return model;

	}

	@RequestMapping(value = "/admin**", method = RequestMethod.GET)
	public ModelAndView adminPage() {

	  ModelAndView model = new ModelAndView();
	  model.addObject("title", "Spring Security Login Form - Database Authentication");
	  model.addObject("message", "This page is for ROLE_ADMIN only!");
	  model.setViewName("admin");
	  return model;

	}

	@RequestMapping(value = "/login", method = RequestMethod.GET)
	public ModelAndView login(@RequestParam(value = "error", required = false) String error,
		@RequestParam(value = "logout", required = false) String logout) {

	  ModelAndView model = new ModelAndView();
	  if (error != null) {
		model.addObject("error", "Invalid username and password!");
	  }

	  if (logout != null) {
		model.addObject("msg", "You've been logged out successfully.");
	  }
	  model.setViewName("login");

	  return model;

	}
	
	//for 403 access denied page
	@RequestMapping(value = "/403", method = RequestMethod.GET)
	public ModelAndView accesssDenied() {

	  ModelAndView model = new ModelAndView();
		
	  //check if user is login
	  Authentication auth = SecurityContextHolder.getContext().getAuthentication();
	  if (!(auth instanceof AnonymousAuthenticationToken)) {
		UserDetails userDetail = (UserDetails) auth.getPrincipal();	
		model.addObject("username", userDetail.getUsername());
	  }
		
	  model.setViewName("403");
	  return model;

	}

}

8. Demo

8.1. Default Page
XML – http://localhost:8080/spring-security-loginform-database/
Annotation – http://localhost:8080/spring-security-loginform-database-annotation/

spring-security-database-default

8.2 Try to access /admin page, only “mkyong” ROLE_ADMIN is allowed to access.

spring-security-database-admin

8.3. If “alex” is try to access /admin, 403 access denied page is displayed.

spring-security-database-403

8.3 “alex” in default page, show the use of sec:authorize

spring-security-database-sec-tag

8.4. If “mkyong” is try to access /admin, admin page is displayed.

spring-security-database-admin-login

Download Source Code

Download XML version – spring-security-login-form-database-xml.zip (16 KB)
Download Annotation version – spring-security-login-form-database-annotation.zip (22 KB)

References

  1. Spring Security Reference – jdbc-ser-service
  2. Spring Security Reference – juser-schema
  3. Spring Security Reference – taglibs
  4. Spring Security Hello World Annotation Example
  5. Creating a Custom Login Form
  6. Spring Security – How to customize 403 access denied page

About Author

author image
Founder of Mkyong.com, love Java and open source stuff. Follow him on Twitter. If you like my tutorials, consider make a donation to these charities.

Comments

Subscribe
Notify of
157 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
fsl4faisal
8 years ago

No bean named ‘dataSource’ is defined..I got this error

Chaitnahya
6 years ago
Reply to  fsl4faisal

Create a database name with “test” and create tables there.Refer 4.1 and 4.2 in this page.

Pankaj
5 years ago
Reply to  Chaitnahya

i already did that but still geting same error. Please suggest.

Imran Rajjad
7 years ago

Its working on Windows7 but on WindowsServer 2012R2, it says invalid login, when the database , jdk and tomcat are same on both machines. What could cause this?

avadhoot
8 years ago

sorry something went wrong i wanted to to ask the question in this way:
HI Mkyong, can you please explain me <form name='f' action="” method=’POST’>
and why we declare method=post here because In controller class we declare
@requestmapping(value=”/login”,method=RequestMethod.GET) then what is the use of this ‘j_spring_security_check’ url.

Sdefdfsdf
5 years ago
Reply to  avadhoot

The whole program is showing one error Classs listener not found

Mallesh
8 years ago

i got this exception in annotation example do you know what is my mistake…? java.lang.IllegalStateException: No WebApplicationContext found: no ContextLoaderListener registered?

Prasad
8 years ago

Hi mkyong,

Nice tutorial. sir.. i download that code(” spring-security-login-form-database-xml “) i configured on my local mechain i am using Eclipse+tomcate7+maven + Database(Oracle 11c)+jave7 now i able to open the login page sir but i am using login page. when i try to login (mkyong/123456) but it was showing invalid usename and password. but i am inserted values on database as well. can u plz tell me sir.

Thanks & regards,
Prasad.

ambrish singh
7 years ago
Reply to  Prasad

manage to get the solution ?

Derbali Chaymae
8 years ago
Reply to  Prasad

same here! did u resolve the problem please ? (already tried to update my database password)

ambrish singh
7 years ago

did you get the solution for this, i tried 1 as enabled with oracle didn’t worked

amine
7 years ago

you need to run the sql file

Ondrej Tokár
8 years ago

Same here…

rahul
6 years ago

http status 403 – access is deniedtype status reportmessage access is denieddescription access to the specified resource has been forbidden.
error occurred after givening right email and password
any help highly acceptable

srinivas nangana
7 years ago

Hi Mkyong after pressing logout link It is logging out successfully but if press back button still allow us to access home page.

Ananda Bayu
8 years ago

hi Mkyong,
thank for the source code, its working for me but the other POST METHOD is not Allowed by SpringSecurityFilterChain like i want to add user the console said 405 method not allowed, all the POST METHOD has error 405 after i add spring security.

can you solved it?
Thanks.

Pramod Gaikwad
8 years ago

Hi MkYong, I am stuck at configuring spring security with Spring Boot.
Actually my problem is that i want to build secured application with my custom login form and user should authenticated after successful login. also i want to enable csrf protection for REST url’s. If you have already developed this then please guide me. Thank you for appreciating.

bhuvana
7 years ago

this code is not working can any one tell me what i need to do after importing

Samkova
7 years ago

Your code doesn’t work; I downloaded the project and also tried to copy/paste the code from this page, but the result was the same. I’d better look for another tutorial somewhere else.

Kumar Abhilash
7 years ago
Reply to  Samkova

Any solution?

invalid_user
7 years ago

Invalid username and password! all the time. Database is alright, done with the script provided, populated with the data provided. I’m using the annotation app.

Kumar Abhilash
7 years ago
Reply to  invalid_user

Have you found any solution?

carlos alberto cortez polanco
7 years ago

support ssl connect postgresql?

Ankit Lalan
7 years ago

For both the users, when I use http://localhost:8080/admin** it provides me access to Logout Link.

How can we differentiate on the basis of user’s right.

Mkyong and Alex both users have got the ability to view the page when its /admin** and also /logout can be accessed when we hit the url directly in the browser.

???? ?
7 years ago

For all those who faced 405 Post not allowed in this example – just add POST to request methods annotation of 403 mapping in controller.

Anusha Cheluvagopal
7 years ago

Hey, this tutorial worked perfectly for me except for the logout part. I even get redirected to the login page with the logout message but when I try to accessing the restricted URL (/admin in this case), I was still able to see the page. Shouldn’t the session be destroyed and the 403 page be displayed?

Yogesh Chavan
8 years ago

Hi MkYong , do we have same tutorial but with angularjs ? please suggest. thanks

amna jebali
7 years ago
Reply to  Yogesh Chavan

hi yogesh , me too i need the same tutorial with angulrajs?? can you help me??

Aakash
8 years ago

Can you please help to create database table structure with Oracle database as it does not have

TINYINT type datatype.

Hyd Balu
8 years ago

Hi Yong,
how to navigate to user page and Admin page though the login page itself. Not accessing the Admin page, then enter the credentials and the Admin page is displayed. How can we directly navigate from login page to the respective pages based on the role assigned in the database table.

NAVEEN YADAV
8 years ago

Hi,
How to provide url encoding spring mvc application
i need your help please.

NAVEEN YADAV
8 years ago

Hi,
how to provide http to https in spring mvc application

Xena
8 years ago

hi Mkyong, I tried all of your examples of Spring Security both in Windows and Linux server, except this one with MySql worked, this one works in Windows, but not in Linux. I saw someone else had the same problem but there were no reply. Would you please tell us something. Thank you for this post.

Xena
8 years ago
Reply to  Xena

Hello there. I found the solution, in Linux environment localhost should be written as 127.0.0.1. Thank you again for this post.

suma shetty
8 years ago

how to integrate user sessions with this, as per my requirement i have 4 different pages like Dashboard, Live data, Historic data and notifications page.

this is how spring-security has been configured

and loginController as shown below

@Controller
@SessionScoped
public class LoginController {
@RequestMapping(value = “/dashboard**”, method = RequestMethod.GET)
public ModelAndView dashboardPage() {
ModelAndView model = new ModelAndView();
model.setViewName(“dashboard”);
return model;
}
@RequestMapping(value = “/historical**”, method = RequestMethod.GET)
public ModelAndView livePage() {
ModelAndView model = new ModelAndView();
model.setViewName(“history”);
return model;
}
@RequestMapping(value = “/live**”, method = RequestMethod.GET)
public ModelAndView historyPage() {
ModelAndView model = new ModelAndView();
model.setViewName(“live”);
return model;
}
@RequestMapping(value = “/notifications**”, method = RequestMethod.GET)
public ModelAndView notificationsPage() {
ModelAndView model = new ModelAndView();
model.setViewName(“notifications”);
return model;
}
@RequestMapping(value = “/login”, method = RequestMethod.GET)
public ModelAndView login(@RequestParam(value = “error”, required = false) String error,
@RequestParam(value = “logout”, required = false) String logout) {
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject(“error”, “Invalid username and password!”);
}
if (logout != null) {
model.addObject(“msg”, “You’ve been logged out successfully.”);
}
model.setViewName(“login”);
return model;
}
//for 403 access denied page
@RequestMapping(value = “/403”, method = RequestMethod.GET)
public ModelAndView accesssDenied() {
ModelAndView model = new ModelAndView();
//check if user is login
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!(auth instanceof AnonymousAuthenticationToken)) {
UserDetails userDetail = (UserDetails) auth.getPrincipal();
model.addObject(“username”, userDetail.getUsername());
}
model.setViewName(“403”);
return model;
}
}

So with this configuration, only first time on on deploying the app irrespection of the req i make appname/dashborad, appname/historical, appname/live, appname/notifications , it is rediecting to login page as i have mapped /login in rediect page, after that i can directly access other pages say once i login and logout 🙁

How to make it secured, i mean i dont want other pages to be accessed unless it is authenticated 🙁

Anon
8 years ago

Hi!
I think that in your first SecurityConfig.java you want to say AppConfig.

Good tut!
Thanks

eviltoad
8 years ago

Thank you, this tutorials of yours are always clear, simple to follow and very useful.

NaN
8 years ago

I like your examples!

TGal
8 years ago

Hey,
I got an exception (dataSource not found) I think in spring-security.xml you have to add import tag:

Rohit
3 years ago

It helped me. Thanks

I’ve used .hasRole(“USER”) instead of .access(“hasRole(‘ROLE_ADMIN’)”)

David Kham
4 years ago

hi Mkyong
please you can help me. I would like to use spring security with AES256. Is it possible and how to use?

msryhm
4 years ago

the best shit code