Spring Security 3 Hello World Example
Security is of great concern in any web application. If you are looking for a proven and industry standard solution to secure your Java/J2ee based application, then widely used and highly customizable authentication and access control framework - Spring Security is well worth considering.
This post will show all the steps to setup, configure and integrate Spring Security 3 to protect your web application from being breached using a simple hello world example.
Tools and Technologies used in this article :
1. Initial Spring 3 MVC Web Application
We'll start with creating (Refer Spring 3 MVC Framework Based Hello World Web Application Example) a simple Spring 3 MVC project (say SpringSecurityHelloWorld). There will be two pages (say public.jsp and mypage.jsp), one controller (SpringSecurityHelloController) with two handler methods and Spring Configuration File (dispatcher-servlet.xml).
File : WEB-INF/pages/public.jspFile : WEB-INF/pages/secured/mypage.jsp
File : com/srccodes/spring/controller/SpringSecurityHelloController.java
File : WEB-INF/dispatcher-servlet.xml
Find below the screenshot of the project structure of our initial Spring 3 MVC Web Application

So far there is no security and anybody can access both public and secured pages without login. We'll integrate Spring Security with our initial web application so that page 'public.jsp' remains publicly accessible but to access the secured page 'mypage.jsp', user needs to login.
2. Add Spring Security Maven Dependencies
Add Spring Security Maven Dependencies in Maven pom.xml.
File : pom.xml
3. Spring Security configuration
Create a separate spring security xml and add following configuration to enable Spring security.
File : WEB-INF/spring-security.xml<intercept-url> defines a pattern for request URLs which need to be secured. Attribute access defines roles of an user who is authorised to see requested URLs matching with that pattern. auto-config='true' automatically enables form based login, basic authentication and logout mechanism.
<authentication-manager> handles authentication of requests and uses the mechanism provided by <authentication-provider> to authenticate an user. To make the example simple, I have defined one hardcoded user with username as "srccodes", password as "password" and authorities as "ROLE_USER". authorities can take comma separated list of roles assigned to the particular user.
4. Integration of Spring Security
Spring Security is entirely based on servlet filter. We need to declare a filter called DelegatingFilterProxy in web.xml.
File : WEB-INF/web.xmlDelegatingFilterProxy is actually a filter proxy which delegates filter's methods to a Spring managed bean (by default named as "springSecurityFilterChain") which implements javax.servlet.Filter. Name of this bean must same with the <filter-name> in web.xml. Otherwise you may get following error during start up of the web application. Lets say <filter-name> is 'XXXXX'.
Server Console
5. Overall Project Structure

6. Demo
Now we'll test what we have achieved so far. Start the server and deploy the web application. Open the url http://<IP>:<PORT>/SpringSecurityHelloWorld/public. You'll be able to see the publicly accessible "public.jsp" page.

So far so good. Now we'll try to open our secured / protected page (mypage.jsp) at http://<IP>:<PORT>/SpringSecurityHelloWorld/secured/mypage. Oops!!!. We have been intercepted by DelegatingFilterProxy and redirected to spring defined login form at http://<IP>:<PORT>/SpringSecurityHelloWorld/spring_security_login.

Supposedly we should not be able to view the secured page without valid username and password. So, let's first try with wrong credentials.

Oops!!!. Spring security has caught us again. It is also showing error message "secured page without valid username and password." with "Reason: Bad credentials". Now we have no option left but to try with correct username (srccodes) and password (password). But this time Spring security will redirect us to the initially requested URL and we'll be able to view the content of the secured page.

Download Source Code