Configure Spring Security using WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer

In the introduction to Spring Security, we used a configuration file and declared it together with the DelegatingFilterProxy filter class to enable Spring Security for a web application. We can also do this in Java code with the WebSecurityConfigurerAdapter and AbstractSecurityWebApplicationInitializer classes provided by Spring Security. How does this work in detail? We will find out in this tutorial!

First, I will create a Spring MVC project using the WebApplicationInitializer and WebMvcConfigurer interfaces as an example, with the AppInitializer.java, SpringConfiguration.java and index.jsp files with the following content:

AppInitializer.java:

SpringConfiguration.java:

index.jsp:

Now run the application and you will see the following result:

To work with Spring Security, you need to declare the spring-security-web and spring-security-config dependencies as follows:

with:

We will use the WebSecurityConfigurerAdapter class to configure the authentication and authorization of Spring Security.

WebSecurityConfigurerAdapter is an abstract class that implements the WebSecurityConfigurer interface and defines the default configuration needed for Spring Security. We need to use this class together with the @EnableWebSecurity annotation to enable security support for our web application.

Now, I will create a new SpringSecurityConfiguration class, annotated with the @EnableWebSecurity annotation with the following content:

The WebSecurityConfigurerAdapter class has overloaded configure() methods with different parameters: AuthenticationManagerBuilder to configure authentication, HttpSecurity for authorization, and WebSecurity to disable access to application resources.

For authentication, the AuthenticationManagerBuilder class is used to create a new AuthenticationManager, which manages the login information of the application's users. This class allows us to use users stored in memory, in a database or in LDAP. For simplicity, I will use an in-memory user as follows:

If you want to define more users, you can use the and() method following the above code, for example:

For authorization, the HttpSecurity class is used to define which requests can be accessed by users with which roles. For example:

Similar to the definition of user information, you can also add more definitions for the authorization as follows:

To disable requests to the resources of the application, you can disable requests to the resources directory as follows:

After configuring authentication and authorization, we will register the DelegatingFilterProxy class with the Java web server through the Spring container. We will use the AbstractSecurityWebApplicationInitializer class to do this.

You just need to create a new class extending AbstractSecurityWebApplicationInitializer:

Spring will automatically detect this class during application launch and register the DelegatingFilterProxy class so that springSecurityFilterChain is used before any other Filter classes of the Java web server.

OK, now if you run the application, you will see the following result:

Our application has Spring Security enabled.

To enable Spring Security’s default login form, you need to add a piece of code to the configure(HttpSecurity http) method of the class that extends WebSecurityConfigurerAdapter, as follows:

Now run the application and send a request to it, and you will see the default login form of Spring Security as follows:

Log in with the user information declared in the configure(AuthenticationManagerBuilder auth) method and you will see the index page of our application.
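The steps above, combined into one configuration as an added example (not the original tutorial's code), assuming Spring Security 5.x, where WebSecurityConfigurerAdapter is still available. The user names, passwords, roles, URL patterns, the BCrypt encoder and the initializer class name are assumptions chosen for illustration, and the configuration class is assumed to be registered in the application context loaded by AppInitializer.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(); // passwords are compared as BCrypt hashes
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        // Constructed demo accounts; real credentials do not belong in source code.
        auth.inMemoryAuthentication().passwordEncoder(encoder)
            .withUser("demo_user").password(encoder.encode("change-me")).roles("USER")
            .and()
            .withUser("demo_admin").password(encoder.encode("change-me-too")).roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN") // hypothetical admin area
            .anyRequest().authenticated()              // everything else needs a login
            .and()
            .formLogin();                              // Spring Security's default login form
    }

    @Override
    public void configure(WebSecurity web) {
        // Ignored paths bypass the whole security filter chain (no authentication,
        // no CSRF protection, no security headers), so list only static content here.
        web.ignoring().antMatchers("/resources/**");
    }
}

// Normally placed in its own file; registers DelegatingFilterProxy for springSecurityFilterChain.
class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
```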
