Spring Security hello world example

In this tutorial, we will show you how to integrate Spring Security with a Spring MVC web application to secure a URL access. After implementing Spring Security, to access the content of an “admin” page, users need to key in the correct “username” and “password”.

Technologies used :

  1. Spring 3.2.8.RELEASE
  2. Spring Security 3.2.3.RELEASE
  3. Eclipse 4.2
  4. JDK 1.6
  5. Maven 3
Note
Spring Security 3.0 requires Java 5.0 Runtime Environment or higher

1. Project Demo

2. Directory Structure

Review the final directory structure of this tutorial.

spring-security-helloworld-directory

3. Spring Security Dependencies

To use Spring security, you need spring-security-web and spring-security-config.

pom.xml
	<properties>
		<jdk.version>1.6</jdk.version>
		<spring.version>3.2.8.RELEASE</spring.version>
		<spring.security.version>3.2.3.RELEASE</spring.security.version>
		<jstl.version>1.2</jstl.version>
	</properties>
 
	<dependencies>
 
		<!-- Spring dependencies -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-core</artifactId>
			<version>${spring.version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-web</artifactId>
			<version>${spring.version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${spring.version}</version>
		</dependency>
 
		<!-- Spring Security -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-web</artifactId>
			<version>${spring.security.version}</version>
		</dependency>
 
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-config</artifactId>
			<version>${spring.security.version}</version>
		</dependency>
 
		<!-- jstl for jsp page -->
		<dependency>
			<groupId>jstl</groupId>
			<artifactId>jstl</artifactId>
			<version>${jstl.version}</version>
		</dependency>
 
	</dependencies>

4. Spring MVC Web Application

A simple controller :

  1. If URL = /welcome or / , return hello page.
  2. If URL = /admin , return admin page.

Later, we will show you how to use Spring Security to secure the “/admin” URL with a user login form.

HelloController.java
package com.mkyong.web.controller;
 
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
 
@Controller
public class HelloController {
 
	@RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET)
	public ModelAndView welcomePage() {
 
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is welcome page!");
		model.setViewName("hello");
		return model;
 
	}
 
	@RequestMapping(value = "/admin**", method = RequestMethod.GET)
	public ModelAndView adminPage() {
 
		ModelAndView model = new ModelAndView();
		model.addObject("title", "Spring Security Hello World");
		model.addObject("message", "This is protected page!");
		model.setViewName("admin");
 
		return model;
 
	}
 
}

Two JSP pages.

hello.jsp
<%@page session="false"%>
<html>
<body>
	<h1>Title : ${title}</h1>	
	<h1>Message : ${message}</h1>	
</body>
</html>
admin.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page session="true"%>
<html>
<body>
	<h1>Title : ${title}</h1>
	<h1>Message : ${message}</h1>
 
	<c:if test="${pageContext.request.userPrincipal.name != null}">
	   <h2>Welcome : ${pageContext.request.userPrincipal.name} 
           | <a href="<c:url value="/j_spring_security_logout" />" > Logout</a></h2>  
	</c:if>
</body>
</html>
mvc-dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">
 
	<context:component-scan base-package="com.mkyong.*" />
 
	<bean
	  class="org.springframework.web.servlet.view.InternalResourceViewResolver">
	  <property name="prefix">
		<value>/WEB-INF/pages/</value>
	  </property>
	  <property name="suffix">
		<value>.jsp</value>
	  </property>
	</bean>
 
</beans>

5. Spring Security : User Authentication

Create a Spring Security XML file.

spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.2.xsd">
 
	<http auto-config="true">
		<intercept-url pattern="/admin**" access="ROLE_USER" />
	</http>
 
	<authentication-manager>
	  <authentication-provider>
	    <user-service>
		<user name="mkyong" password="123456" authorities="ROLE_USER" />
	    </user-service>
	  </authentication-provider>
	</authentication-manager>
 
</beans:beans>

It tells, only user “mkyong” is allowed to access the /admin URL.

6. Integrate Spring Security

To integrate Spring security with a Spring MVC web application, just declares DelegatingFilterProxy as a servlet filter to intercept any incoming request.

web.xml
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
	http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
 
	<display-name>Spring MVC Application</display-name>
 
	<!-- Spring MVC -->
	<servlet>
		<servlet-name>mvc-dispatcher</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet
		</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>mvc-dispatcher</servlet-name>
		<url-pattern>/</url-pattern>
	</servlet-mapping>
 
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener
		</listener-class>
	</listener>
 
        <!-- Loads Spring Security config file -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/spring-security.xml
		</param-value>
	</context-param>
 
	<!-- Spring Security -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy
		</filter-class>
	</filter>
 
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
 
</web-app>

7. Demo

That’s all, but wait… where’s the login form? No worry, if you do not define any custom login form, Spring will create a simple login form automatically.

Custom Login Form
Read this “Spring Security form login example” to understand how to create a custom login form in Spring Security.

1. Welcome Page – http://localhost:8080/spring-security-helloworld-xml/welcome

spring-security-helloworld-welcome

2. Try to access /admin page, Spring Security will intercept the request and redirect to /spring_security_login, and a predefined login form is displayed.

spring-security-helloworld-login

3. If username and password is incorrect, error messages will be displayed, and Spring will redirect to this URL /spring_security_login?login_error.

spring-security-helloworld-login-error

4. If username and password are correct, Spring will redirect the request to the original requested URL and display the page.

spring-security-helloworld-admin

Download Source Code

Download it – spring-security-helloworld-xml.zip (9 KB)

References

  1. Spring Security Official Site
  2. Spring 3 MVC hello world example
  3. Spring Security form login example (authentication)
Tags :

About the Author

mkyong
Founder of Mkyong.com and HostingCompass.com, love Java and open source stuff. Follow him on Twitter, or befriend him on Facebook or Google Plus. If you like my tutorials, consider make a donation to these charities.

Comments

  • Pingback: water purification systems()

  • Pingback: water ionizers()

  • Pingback: streaming movies()

  • Pingback: tv online, online tv()

  • Pingback: watch free movies online()

  • Pingback: watch movies online free()

  • Pingback: Blue Coaster33()

  • Marten

    Your configuration is flawed, you are duplicating bean instances. Both the ContextLoaderListener and DispatcherServlet load the ‘/WEB-INF/mvc-dispatcher-servlet.xml’ configuration. Which basically leads to scanning the classpath twice, 2 InternalViewResolvers etc.

    In this case it doesn’t lead to problems but for larger projects it will lead to problems.

    • Amar

      Hi Martin,

      Can you explain a bit more on the issue, you mentioned above ? and what is the solution for that ?

  • http://www.selvabioinfo.co.nr/ Selvaraj

    Hello mkyong,

    WARNING: No mapping found for HTTP request with URI [/SpringMVC/welcome] in DispatcherServlet with name ‘mvc-dispatcher’

    After given correct credentials i am getting 4040 error and the above warning in console window. I am not able to see the hello.jsp page.

    Please help me in this.

    • Chandan Singh

      hey could you share your controller code please. I suspect you might not have mapped /welcome.

  • http://NA Vicky

    Some issues while execution:

    – url http://localhost:8080/SpringMVC/welcome doesn’t automatically redirect to /welcome after authentication. It becomes http://localhost:8080/SpringSecuritySetup/;jsessionid=D8669208493AFDE7D9E113FEDCB554CF where I need to insert /welcome manually, then it shows next page!!! Why so?

    – Since this project is using old jars, I updated to 3.2.3 and spring-security jars to 3.1 Then it didn’t work. Login page came but authentication never succeed even after providing correct credentials. You can see the complete post here:
    http://www.coderanch.com/t/618591/Spring/Spring-security-sample-working

    Waiting for the reply. Thanks.

    • http://NA Vicky

      Please ignore the context root ‘SpringSecuritySetup’ as I renamed the project.

  • http://[email protected] abdou

    WARNING: No mapping found for HTTP request with URI [/SpringMVC/j_spring_security_logout] in DispatcherServlet with name ‘mvc-dispatcher’

  • Oleg

    You forget add mvc:annotation-driven tag into mvc-dispatcher-servlet.xml file

  • http://www.lindenchamber.net/userinfo.php?uid=103138 Maddison

    Some organic health products have been known to boost the
    immune system. Of course, if you have tried those, but nothing helps you can always go
    for a psychotherapy or counselling. The most important groups of phytochemicals found in oats are: phenolics, carotenoids, vitamin E compounds,
    and lignans.

  • NatDickenstein

    I did exactly as given in tutorial.but am getting following error.
    SEVERE: Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘org.springframework.security.filterChainProxy': 1 constructor arguments specified but no matching constructor found in bean ‘org.springframework.security.filterChainProxy’ (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)

    • Chandan

      hey Nat

      please check your web.xml i think you have given the wrong class.

      what i think you have given

      springSecurityFilterChain

      org.springframework.web.filter.FilterChainProxy

      what should be there

      springSecurityFilterChain

      org.springframework.web.filter.DelegatingFilterProxy

  • Eastwood

    Great, thanks~~~~~

  • Venugopal

    Hello Mykong…

    Your tutorials are awesome….and gives easy start….i personally benifitted from first visiting your site to understand first here, and then study in-depth afterwards.

    Thanks lot for all your efforts…

  • Pingback: GAE?SpringMVC???????3(Spring Security ??????) | Walk on apps.()

  • Pingback: GAE?SpringMVC???????3(Spring Security ??????) | Walk on apps.()

  • Sanjeev Rai

    Hi, I am very new to Spring MVC. Please can you provide the good sample example about Spring Web flow with Controllers.

    Thanks is Advance.

  • deibid

    i cant run it im having this error

    WARNING: No mapping found for HTTP request with URI [/Spring3MVC] in DispatcherServlet with name ‘mvc-dispatcher’

    i would appreciate your help

    thanks

    • Sagar R. Kapadia

      The following annotation in the source code says that you need to type /welcome after the base url in the browser
      @RequestMapping(“/welcome”)

      So type
      http://localhost:8080/SpringMVC/welcome

      • deibid

        thanks for your answer. Ive tried that but Im still having the same problem:

        HTTP Status 404 –

        type Status report

        message

        descriptionThe requested resource () is not available.

        GlassFish Server Open Source Edition 3.1.2.2

        • Diego

          I got the same error. It’s likely that hello.jsp page is not under WEB-INF/pages/hello,jsp

          hope it helps.

          • suresh

            i am also got same exception But i am using hello.jsp under WEB/INF/pages
            then also same 404 execption

            Thanks

          • Rakesh Yadav

            Hi, once again please check the log messages on console.
            I hope this is not the main error/exception you are getting.
            I’m assuming that you need to get ClassNotfoundException,
            and as a result you are getting this 404 status code.

            I hope its the problem of not placing the correct jar files;

            Please check whether you are using the correct jar files
            or not.

            hope it helps you.

  • Gadhu

    Hi Youg,

    I have one doubt regarding this post. I imported this project into my workspace, and i executed it.
    Only for the first time it went through the authentication process, from second time onwards without authentication it was showing my hello.jsp.What is happening exactly?
    can u please clear my doubt. thank you

    • kuldeep

      After first time authentication, the credential were saved in your browser’s cookie. If you clear the cookie, the application will ask for authentication again.

  • Surender Reddy Vanga

    Its like Spoon feeding … Excellent

  • anil

    Thanks mkyong.

    very nice and neat tutorial.
    Easy to understand and execute.

  • http://www.ort.edu.uy Marcello

    Hi,

    I have a simple question. What’s happend if in my application require to hide user and password for been viewed in the request. It’s there is such a configuration in spring to enable https ?

    Thanks,
    Marcello.

  • http://emrpms.blogspot.in/ Senthil Muthiah

    Hi mkyong

    Thank you Very much. Based on your tutorial, i created the same one with details steps
    in my blog. Here is the url
    http://emrpms.blogspot.in/2012/11/spring-security-hello-world-example.html

  • http://www.technicaltoday.com Navin Bansal

    nice and easy to understand…thanx for post

  • Dundar

    Hi yong…

    My English so bad… So, I am sorry…

    I have a problem…

    I import the project to eclipse… But I take error (about “kind4″) So, I exist the similar maven project on eclipse (eclipse juno)… I run it on server(Apache Tomcat) I take error (the following)…

    No mapping found for HTTP request with URI [/com.mkyong.common_SpringMVC_war_1.0-SNAPSHOT/] in DispatcherServlet with name ‘mvc-dispatcher’

  • Adrien

    You want to add “s” to the verbs you conjugate at the 3rd person.

    In your first sentence: Spring Security allowS developer to integrate security features with J2EE web application easily, it highjackS incoming HTTP request via servlet filters, and implementS “user defined” security checking.

    That’s 3 you forgot in one sentence. I’ve seen that on many tutorials and thought I’d let you know :)

    Thanks for the tutorials and keep up the good work :)

    • http://www.mkyong.com mkyong

      Thanks Adrien, for the grammar correction :)

  • http://www.wramdemark.se Per Wramdemark

    Hi,
    You shouldn’t add /WEB-INF/mvc-dispatcher-servlet.xml to the config for the ContextLoaderListener. It would potential lead to beans getting initialized twice since the same beans will also be initialized from the DispatcherServlet.

  • Pingback: Spring Security HTTP basic authentication example()

  • John

    The best tutorial on a given topic.
    Thank you !!!

  • Raheel

    Thanks for this tutorial
    Can you give us examples of using annotations in spring security i.e. @secured @preauthorize etc

  • yasser

    if you add the / at the end of the url… i.e “http://localhost:8080/SpringMVC/welcome/” …. I don’t get the login form instead it shows the hell.jsp which is protected resource.

    • vijay

      I am also facing same problem

  • Bharatkumar Patel

    Thanks !!! Very nice and easily understandable tutorial. Thanks !!!

  • skaj_vikler

    I got following exception
    SEVERE: Exception starting filter springSecurityFilterChain
    org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named ‘springSecurityFilterChain’ is defined

  • vijayakumar

    Hi Yonng, it was great article, very simple and stright forward. i am able to run the application sucessfully. but i am having one doubt? when you type the following url

    http://localhost:8090/SecurityExample/welcome

    i am getting the page with username and password fields. i just wanted to know how this thing happend. we have not mentioned those things anyware in application. can u please clear my doubt if it is very basic also. thank you

    • Rippon

      Vijay,

      If you dont define a custom login page,spring security will create one dynamically for you.

      Regards,
      Rippon

  • Sagar R. Kapadia

    Hi Mkyong! Thanks for the superb article. One article I saw elsewhere said it would take days to figure out and use spring security in my own applications. I am very grateful to you

  • http://www.snail.com snail

    thanks a lot

    and , if ssh2(struts2 spring3 hibernate3) project add spring security 3,some one will feel better ^!^ cause by I use ssh2 in project and learning…

  • Isaac

    Hi, thanks for your effort because this is a great post, for me appears an error:

    No mapping found for HTTP request with URI [/com.mkyong.common_SpringMVC_war_1.0-SNAPSHOT] in DispatcherServlet with name ‘mvc-dispatcher’

    I have checked the web.xml and it´s exactly as in your example. Then ¿why it doesn´t works for me?

    Thanks in advance

    • http://www.mkyong.com mkyong

      Is Spring bean declared in “mvc-dispatcher-serlvet.xml” ?

    • http://[email protected] [email protected]

      You can add thw welcome property in web.xml :

      /WEB-INF/pages/login.jsp
      /WEB-INF/pages/login.html

      this will load the right jsp
      good luck

    • http://www.jemos.co.uk Marco Tedone

      The examples are missing a @Controller annotation on the HelloController class. Add the annotation and everything should work fine.

  • Pingback: » Spring Security hello world example ??? ?? ???()

  • Somasekhar Reddy

    Hi Mkyong,

    Thanks for the great and simple applications.
    It would be more better, if you provide jar files too, along with source code.

    Regards
    Sekhar

    • http://www.mkyong.com mkyong

      Almost all tutorial are Maven project. During compile or build phase, it will get all project dependencies automatically.

  • Jarode

    Hello Professor,

    I’ve been working in an application using Stuts2 as a dispatcher, when I arrived to fix the security I heard about Spring Security, I’ve tried your tutorials and they was very interesting.

    I’m now in a bad situation, cause all the tutorials are using spring as dispatcher and there is no sample using Struts2.
    could you please advice me ?
    Thanks you very much for you great work

    Kind Regards

  • Pingback: Spring Security Tutorials()

  • Pingback: Spring Security access control example()

  • Pingback: ClassNotFoundException : DefaultSavedRequest()

  • http://www.j2eevideotutorial.com/search/label/Spring%20Security?&max-results=21 habou

    Thank you very much my Professor

    Can you add the database connection configuration with Spring Security !!!??

    • http://www.mkyong.com mkyong
      • http://www.j2eevideotutorial.com/search/label/Spring%20Security?&max-results=21 habou

        Thank you very much .

        My new question : if i want to use Spring applicationContext with Hibernate Template .. how can i do it ??

        • http://www.mkyong.com mkyong

          Please refer to this Spring tutorials, hibernate section.

          • http://www.j2eevideotutorial.com/search/label/Spring%20Security?&max-results=21 habou

            You didnt understand me

            i meant how to use all of them with spring security ( HibernateTimplate , Application Context )

          • http://www.mkyong.com mkyong

            No different, just a normal spring + hibernate integration, please refer to the Spring tutorial above.

  • http://www.learncomputer.com Michael

    Very nice, clean Spring Security tutorial. Much of the stuff out there is just too hard to follow. This one isn’t. Thanks!

  • Pingback: Spring Security form login example()