Tools and Technologies used in this article :

  1. Spring Framework 3.1.4

  2. Spring Security 3.1.4

  3. Spring Tool Suite 3.2

  4. JDK 1.6

  5. Tomcat 7

Note : Spring 3 requires at least JDK 5. So, make sure you have JDK 5 or above.


1. Initial Spring 3 MVC Web Application

We'll start with creating (Refer Spring 3 MVC Framework Based Hello World Web Application Example) a simple Spring 3 MVC project (say SpringSecurityHelloWorld). There will be two pages (say public.jsp and mypage.jsp), one controller (SpringSecurityHelloController) with two handler methods and Spring Configuration File (dispatcher-servlet.xml).

File : WEB-INF/pages/public.jsp
File : WEB-INF/pages/secured/mypage.jsp
File : com/srccodes/spring/controller/
File : WEB-INF/dispatcher-servlet.xml

Find below the screenshot of the project structure of our initial Spring 3 MVC Web Application

Initial Spring 3 MVC Web Application Project Structure

So far there is no security and anybody can access both public and secured pages without login. We'll integrate Spring Security with our initial web application so that page 'public.jsp' remains publicly accessible but to access the secured page 'mypage.jsp', user needs to login.


2. Add Spring Security Maven Dependencies

Add Spring Security Maven Dependencies in Maven pom.xml.

File : pom.xml
Note : If you use Spring Framework 3.2.x and Spring Security 3.1.x (or less), then you may encounter Spring Asm Dependency Issue: java.lang.IncompatibleClassChangeError.


3. Spring Security configuration

Create a separate spring security xml and add following configuration to enable Spring security.

File : WEB-INF/spring-security.xml
Note :
<intercept-url> defines a pattern for request URLs which need to be secured. Attribute access defines roles of an user who is authorised to see requested URLs matching with that pattern. auto-config='true' automatically enables form based login, basic authentication and logout mechanism.

<authentication-manager> handles authentication of requests and uses the mechanism provided by <authentication-provider> to authenticate an user. To make the example simple, I have defined one hardcoded user with username as "srccodes", password as "password" and authorities as "ROLE_USER". authorities can take comma separated list of roles assigned to the particular user.


4. Integration of Spring Security

Spring Security is entirely based on servlet filter. We need to declare a filter called DelegatingFilterProxy in web.xml.

File : WEB-INF/web.xml

DelegatingFilterProxy is actually a filter proxy which delegates filter's methods to a Spring managed bean (by default named as "springSecurityFilterChain") which implements javax.servlet.Filter. Name of this bean must same with the <filter-name> in web.xml. Otherwise you may get following error during start up of the web application. Lets say <filter-name> is 'XXXXX'.

Server Console
Note : In web.xml, filter init-param "targetBeanName" can be used to specify the name of the target Spring bean defined in the application context.


5. Overall Project Structure

Overall Project Structure


6. Demo

Now we'll test what we have achieved so far. Start the server and deploy the web application. Open the url http://<IP>:<PORT>/SpringSecurityHelloWorld/public. You'll be able to see the publicly accessible "public.jsp" page.

deploy web application and access public page

So far so good. Now we'll try to open our secured / protected page (mypage.jsp) at http://<IP>:<PORT>/SpringSecurityHelloWorld/secured/mypage. Oops!!!. We have been intercepted by DelegatingFilterProxy and redirected to spring defined login form at http://<IP>:<PORT>/SpringSecurityHelloWorld/spring_security_login.

Note : If user defined login form is not supplied, then Spring will automatically create one for authentication.

Supposedly we should not be able to view the secured page without valid username and password. So, let's first try with wrong credentials.

secured page without valid username and password

Oops!!!. Spring security has caught us again. It is also showing error message "secured page without valid username and password." with "Reason: Bad credentials". Now we have no option left but to try with correct username (srccodes) and password (password). But this time Spring security will redirect us to the initially requested URL and we'll be able to view the content of the secured page.

Spring security redirect to the initially requested URL


Download Source Code