Introduction about Spring Security

When working with applications that need security, you must understand two concepts: authentication and authorization. Authentication is about who can use the application, and authorization is about which resources and which parts of the application a given user is allowed to use. For web applications built on the Spring framework, you can use Spring Security to implement both concepts. How does it work in detail? We will begin learning about Spring Security in this tutorial!

First, I will create a Spring MVC application as an example:


To work with Spring Security, you need to declare spring-security-web and spring-security-config dependencies as follows:


Now when you run the application, you’ll see the following result:


As an example of the authentication part of Spring Security, I will add code that forces users who want to see the page above to log in with a username and password.

But first, I need to tell you: there are two ways to configure Spring Security. One uses a configuration file, and the other uses the Java annotations that Spring Security supports.

Ok, back to our example: I will use the configuration file to set up Spring Security. To do this, create a Spring Security configuration file named security.xml in the src/main/webapp/WEB-INF/spring directory. This file defines the beans Spring Security needs in the Spring container. Its content is as follows:

The <http> declaration is the important one: Spring creates the beans Spring Security needs based on this tag. Here, because we only need to enable Spring Security's authentication function for our application, a minimal declaration like this is enough.

The <user-service> declaration lets us create in-memory users that are used to authenticate to our application. We can declare user information in a .properties file or with the <user> tag, as in our example. Of course, user information can also be loaded from other sources such as a database. For simplicity, I use in-memory users in this tutorial.

In the user declaration, as you can see, we also need to declare the user's role with the "authorities" attribute; this is what authorization uses. As for the password, the actual password I declare is just "123456"; the "{noop}" prefix has a different meaning related to the password encoder, which I will explain more clearly in an upcoming tutorial!

So we now have the basic configuration file a Spring Security application requires. Next, we must register this configuration file with the web servlet in the application's web.xml file.

Please open the web.xml file and add the following lines:

The <context-param> declaration referencing security.xml adds the beans defined in that file to our servlet.

Here we also declare a <filter>, whose purpose is to act as an interceptor for user requests to our application. Only requests that pass the interceptor can reach the application. You can read more about the <filter> tag in web.xml to understand this better. Spring's org.springframework.web.filter.DelegatingFilterProxy class is the class that handles the requests and makes sure they meet the conditions we define in security.xml.

Now, if you run the application again, you will see that it redirects to a login page, where we must log in:


This is Spring Security's default login page! Enter the credentials we declared in security.xml, click "Sign in", and you will be let into the application.

So that’s all for the authentication section!

To enable the authorization function, you need to modify security.xml and add some more configuration, as follows:

Here, I added another user "thanh" with the role ROLE_GUEST, and I modified the <http> tag to add an intercept-url so that requests to the address "http://localhost:8080/" are allowed only for users with the role ROLE_USER. This means that only a user with the role ROLE_USER can access "http://localhost:8080/".

If you now run the application again and log in as the "thanh" user with the information given above, you will see the following result:


As you can see, although the "thanh" user can log in to our application, this user has no access to the resource at the "/" path.

Try again with the "khanh" user, and you will see that accessing "http://localhost:8080/" works normally for this user.
