Spring Security hello world example

In this tutorial, we will show you how to integrate Spring Security with a Spring MVC web application to secure access to a URL. After implementing Spring Security, users need to enter the correct “username” and “password” to access the content of an “admin” page.

Technologies used :

  1. Spring 3.2.8.RELEASE
  2. Spring Security 3.2.3.RELEASE
  3. Eclipse 4.2
  4. JDK 1.6
  5. Maven 3

Note
Spring Security 3.0 requires Java 5.0 Runtime Environment or higher

1. Project Demo

2. Directory Structure

Review the final directory structure of this tutorial.

spring-security-helloworld-directory

3. Spring Security Dependencies

To use Spring security, you need spring-security-web and spring-security-config.

pom.xml

	<properties>
		<jdk.version>1.6</jdk.version>
		<spring.version>3.2.8.RELEASE</spring.version>
		<spring.security.version>3.2.3.RELEASE</spring.security.version>
		<jstl.version>1.2</jstl.version>
	</properties>

	<dependencies>

		<!-- Spring dependencies -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-core</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-web</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${spring.version}</version>
		</dependency>

		<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${spring.security.version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${spring.security.version}</version>
		</dependency>

		<!-- jstl for jsp page -->
		<dependency>
			<groupId>jstl</groupId>
			<artifactId>jstl</artifactId>
			<version>${jstl.version}</version>
		</dependency>

	</dependencies>

4. Spring MVC Web Application

A simple controller :

  1. If URL = /welcome or / , return hello page.
  2. If URL = /admin , return admin page.

Later, we will show you how to use Spring Security to secure the “/admin” URL with a user login form.

HelloController.java

package com.mkyong.web.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {

	@RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET)
	public ModelAndView welcomePage() {

		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is welcome page!");
		model.setViewName("hello");
		return model;

	}

	@RequestMapping(value = "/admin**", method = RequestMethod.GET)
	public ModelAndView adminPage() {

		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is protected page!");
		model.setViewName("admin");

		return model;

	}

}

Two JSP pages.

hello.jsp

<%@page session="false"%>
<html>
<body>
	<h1>Title : ${title}</h1>	
	<h1>Message : ${message}</h1>	
</body>
</html>

admin.jsp

<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
<body>
	<h1>Title : ${title}</h1>
	<h1>Message : ${message}</h1>

	<c:if test="${pageContext.request.userPrincipal.name != null}">
	   <h2>Welcome : ${pageContext.request.userPrincipal.name} 
           | <a href="<c:url value="/j_spring_security_logout" />" > Logout</a></h2>  
	</c:if>
</body>
</html>

mvc-dispatcher-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

	<context:component-scan base-package="com.mkyong.*" />

	<bean
	  class="org.springframework.web.servlet.view.InternalResourceViewResolver">
	  <property name="prefix">
		<value>/WEB-INF/pages/</value>
	  </property>
	  <property name="suffix">
		<value>.jsp</value>
	  </property>
	</bean>

</beans>

5. Spring Security : User Authentication

Create a Spring Security XML file.

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.2.xsd">

	<http auto-config="true">
		<intercept-url pattern="/admin**" access="ROLE_USER" />
	</http>

	<authentication-manager>
	  <authentication-provider>
	    <user-service>
		<user name="mkyong" password="123456" authorities="ROLE_USER" />
	    </user-service>
	  </authentication-provider>
	</authentication-manager>

</beans:beans>

This configuration tells Spring Security that only the user “mkyong” is allowed to access the /admin URL.
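In Ant-style patterns, `**` spans directories only when it forms a whole path segment, so it is worth checking that the `intercept-url` pattern matches every path the `/admin**` controller mapping answers. The following added example (not part of the tutorial's source code) runs that check with spring-core's `AntPathMatcher`; the class name `AdminPatternCheck`, the sample paths, the alternative patterns and the simplified model of Spring MVC's trailing-slash matching are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.util.AntPathMatcher;

// Added example, not part of the tutorial's source code.
// Needs spring-core (already in the pom.xml above) on the classpath.
public class AdminPatternCheck {

	private static final AntPathMatcher MATCHER = new AntPathMatcher();

	// Simplified model (assumption) of Spring MVC's default handler matching:
	// the mapping pattern itself, or the pattern with a trailing slash appended.
	static boolean servedByController(String mapping, String path) {
		return MATCHER.match(mapping, path) || MATCHER.match(mapping + "/", path);
	}

	// True when at least one intercept-url pattern matches the path.
	static boolean coveredBySecurity(List<String> patterns, String path) {
		for (String pattern : patterns) {
			if (MATCHER.match(pattern, path)) {
				return true;
			}
		}
		return false;
	}

	// Paths the controller would answer that no intercept-url pattern matches.
	static List<String> uncovered(String mapping, List<String> patterns, List<String> paths) {
		List<String> gaps = new ArrayList<String>();
		for (String path : paths) {
			if (servedByController(mapping, path) && !coveredBySecurity(patterns, path)) {
				gaps.add(path);
			}
		}
		return gaps;
	}

	public static void main(String[] args) {
		String mapping = "/admin**"; // @RequestMapping value from HelloController
		// Constructed sample request paths, relative to the context root.
		List<String> paths = Arrays.asList("/admin", "/admin/", "/admin.json",
				"/administrator", "/administrator/", "/admin/users", "/welcome");
		// First entry is the tutorial's rule; the others are hypothetical alternatives.
		List<List<String>> ruleSets = new ArrayList<List<String>>();
		ruleSets.add(Arrays.asList("/admin**"));
		ruleSets.add(Arrays.asList("/admin/**"));
		ruleSets.add(Arrays.asList("/admin**", "/admin/**"));
		ruleSets.add(Arrays.asList("/admin**/**"));
		for (List<String> rules : ruleSets) {
			System.out.println(rules + " leaves unprotected: " + uncovered(mapping, rules, paths));
		}
	}
}
```

An empty list for a rule set means every sample path served by the controller is also matched by an `intercept-url` rule.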

6. Integrate Spring Security

To integrate Spring Security with a Spring MVC web application, just declare DelegatingFilterProxy as a servlet filter to intercept any incoming request.

web.xml

<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
	http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

	<display-name>Spring MVC Application</display-name>

	<!-- Spring MVC -->
	<servlet>
		<servlet-name>mvc-dispatcher</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet
		</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>mvc-dispatcher</servlet-name>
		<url-pattern>/</url-pattern>
	</servlet-mapping>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener
		</listener-class>
	</listener>

        <!-- Loads Spring Security config file -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/spring-security.xml
		</param-value>
	</context-param>

	<!-- Spring Security -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy
		</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

</web-app>

7. Demo

That’s all, but wait… where’s the login form? Don’t worry: if you do not define any custom login form, Spring will create a simple login form automatically.

Custom Login Form
Read this “Spring Security form login example” to understand how to create a custom login form in Spring Security.

1. Welcome Page – http://localhost:8080/spring-security-helloworld-xml/welcome

spring-security-helloworld-welcome

2. Try to access the /admin page. Spring Security will intercept the request and redirect to /spring_security_login, where a predefined login form is displayed.

spring-security-helloworld-login

3. If the username and password are incorrect, error messages will be displayed, and Spring will redirect to the URL /spring_security_login?login_error.

spring-security-helloworld-login-error

4. If username and password are correct, Spring will redirect the request to the original requested URL and display the page.

spring-security-helloworld-admin

Download Source Code

Download it – spring-security-helloworld-xml.zip (9 KB)

References

  1. Spring Security Official Site
  2. Spring 3 MVC hello world example
  3. Spring Security form login example (authentication)


Comments

madhavi

This is very confusing, I can’t run the application, and I couldn’t identify where the problem is either.
Can anyone help me with how exactly you created the code for this?

bhusahn

same here

Surendra

It’s simple: create one extra XML file and add the security code in it, then write it in web.xml, and it will work when you run the project.

Marten

Your configuration is flawed, you are duplicating bean instances. Both the ContextLoaderListener and DispatcherServlet load the ‘/WEB-INF/mvc-dispatcher-servlet.xml’ configuration. Which basically leads to scanning the classpath twice, 2 InternalViewResolvers etc.

In this case it doesn’t lead to problems but for larger projects it will lead to problems.

Amar

Hi Martin,

Can you explain a bit more about the issue you mentioned above? And what is the solution for that?

mkyong

Thanks, article is updated.

?????? ????

Hello. First of all I have to say thank you for your great tutorials and complete explanations for them. Most of my recent experience with modern Java technologies and frameworks came from this blog. But now I ran into trouble trying to use Spring Security with a Spring MVC application. The issue is with new versions of Spring/Spring Security. I am using Spring framework version 4.1.6.RELEASE and trying to add Security version 4.1.0.RC1. And they are conflicting with each other. It says that no servlet is allowed together in conjunction with org.springframework.web.context.ContextLoaderListener. Your tutorial works fine, but it is with versions 3.2.8…

Vicky

Some issues while execution:

– url http://localhost:8080/SpringMVC/welcome doesn’t automatically redirect to /welcome after authentication. It becomes http://localhost:8080/SpringSecuritySetup/;jsessionid=D8669208493AFDE7D9E113FEDCB554CF where I need to insert /welcome manually, then it shows next page!!! Why so?

– Since this project is using old jars, I updated to 3.2.3 and the spring-security jars to 3.1. Then it didn’t work. The login page came up but authentication never succeeded, even after providing correct credentials. You can see the complete post here:
http://www.coderanch.com/t/618591/Spring/Spring-security-sample-working

Waiting for the reply. Thanks.

Vicky

Please ignore the context root ‘SpringSecuritySetup’ as I renamed the project.

Raheel

Thanks for this tutorial.
Can you give us examples of using annotations in Spring Security, i.e. @secured, @preauthorize etc.?

yasser

If you add the / at the end of the URL, i.e. “http://localhost:8080/SpringMVC/welcome/”, I don’t get the login form; instead it shows the hello.jsp, which is a protected resource.

vijay

I am also facing the same problem.

Surendra

I am getting 403 error on login button submit.
It is also not showing bad credential or anything, direct error on login button press.
Am using spring security 4.1.0.
Any help will be great :)

Hamid

Hi mkyong,
Thank you for posting a beautiful tutorial. I have checked this example using
Spring version 5.0.2 and Spring Security version 5.0.0. It is working, but when I give correct user credentials it does not display the admin.jsp page and gives this error. Why?
Can you tell me, please?
java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id “null”
org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:236)
org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:196)
org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:86)
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:166)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:124)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)

kim

https://stackoverflow.com/questions/46999940/spring-boot-passwordencoder-error

In the above case you have to make a change in spring-security.xml.

Vamshi Krishna

Hi mkyong,
Thanks for the tutorial.

Mircea Hmg

Hi mkyong, congratulations on the site, I find it very useful. One suggestion: if you add the Maven Jetty plugin config to pom.xml, people can just download the project sources and directly start the app with mvn package jetty:run. Just add this to pom.xml: org.mortbay.jetty jetty-maven-plugin 8.1.8.v20121106 10 <!–demo–> 8080 60000

Cássia Novello

Very useful. Thanks for posting.
I replaced

Welcome : ${pageContext.request.userPrincipal.name}
| <a href="” > Logout

by

Nicholas Kurien

I’m getting this error, any ideas ANYONE?

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: spring-security-web classes are not available. You need these to use
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]

MachaAppreciator

Dude, you built this at full power!

Have a beer each on me. Too good, dude, too-freaking-good!

Anyway, let’s meet up again sometime!

James

better explain the stuff

rafeeq

For basic token based authentication the below worked for me based on Spring Security 3.1

rafeeq

For a basic token based authentication use the below, This is based on Spring 3.1

fsl4faisal

Thank you mkyong..!!

Adriano Moreira

What is the name of the folder with the XML files?
Webapp –> WEB-INF?

simion

Hi mkyong,

I used your tutorial for Spring Security. It is quite nice and simply explained. The only thing is that you have an error which I couldn’t get past for a couple of hours.

in mvc-dispatcher-servlet.xml you have , but it should be

Otherwise you get errors on handler not found.

Maybe it would be a good idea to fix this so that nobody else spends so much time on such a small thing.

radek

What was the error, I’m struggling against it apparently?
cheers

Ottoniel Domínguez G

Hi mkyong, my question is: why can the name of the Spring Security XML file (spring-security.xml) be changed? I mean, I’m using security.xml and the example works fine.

Pramod Gaikwad

Hi MkYong, I am stuck at configuring Spring Security with Spring Boot.

Actually my problem is that I want to build a secured application with my custom login form, and the user should be authenticated after a successful login. I also want to enable CSRF protection for REST URLs. If you have already developed this then please guide me. Thank you for appreciating.

A.Talan

You should use in spring-security.xml

Soumik Banerjee

I am integrating this with JSF and Spring MVC. I am getting the login page and upon successful login I can click on different flows. However, when I am submitting some data through a commandbutton, the ajax method is not getting invoked. The same is happening when I use the code provided in the Spring Security reference doc for programmatic config. Any idea?

Huy Pearl

Failed to evaluate expression ‘ROLE_USER’

fredy hernan sanchez montaña

I have the same problem.
I’m using spring-security 4.0.0

Cody Dunlap

I’m having the same issue with spring-security 4.0.1 as well.

oliver_a_partner

Change this line in spring-security.xml

by

hope this helps ^^

Blesson Jose

Try this in place of ROLE_USER in intercept-url tag:

hasRole('ROLE_USER')

Ravi Kant

Can anyone explain the structure step by step? I am still confused whether you are creating a dynamic web project or a Maven project, so please explain every step.

Evgen

Tell me please, where is your loginPage.jsp???

Victor

if you do not define any custom login form, Spring will create a simple login form automatically.

Evgen

Thank you. Tell me please, how does Spring know how to build this page (how does Spring know the CSS and HTML)?

tjjedno

it’s preprogrammed

David

Hi, when I download the source code, it gives No bean named ‘springSecurityFilterChain’ is defined. Can you help me?

Rahul Bansal

Thanks mkyong for this. This post helped me a lot in getting quickly started with spring security.

Marcel

I want to integrate a CSS file, but I got an error in this case, like the one mentioned by abdou a year ago…

Warnung: No mapping found for HTTP request with URI [/SpringSecurityHelloWorld/css/default.css] in DispatcherServlet with name ‘mvc-dispatcher’

rajgopal B.H

Am I downloading the XML version or the annotated version? I am seeing the following code in the controller: @RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET), and in dispatcher-servlet.xml. Please allow me to download the XML version also. Also, there is no annotated version for handling duplicate form submission. Thank you

Sandeep

When I enter the URL http://localhost:8080/spring-security-helloworld-xml/welcome it gives resource not found. Please help with this.