Spring Security 3 Hello World Example

Tools and Technologies used in this article :

Note : Spring 3 requires at least JDK 5. So, make sure you have JDK 5 or above.

1. Initial Spring 3 MVC Web Application

We'll start with creating (Refer Spring 3 MVC Framework Based Hello World Web Application Example) a simple Spring 3 MVC project (say SpringSecurityHelloWorld). There will be two pages (say public.jsp and mypage.jsp), one controller (SpringSecurityHelloController) with two handler methods and Spring Configuration File (dispatcher-servlet.xml).

File : WEB-INF/pages/public.jsp
File : WEB-INF/pages/secured/mypage.jsp
File : com/srccodes/spring/controller/SpringSecurityHelloController.java
File : WEB-INF/dispatcher-servlet.xml

Find below the screenshot of the project structure of our initial Spring 3 MVC Web Application

Initial Spring 3 MVC Web Application Project Structure

So far there is no security and anybody can access both public and secured pages without login. We'll integrate Spring Security with our initial web application so that page 'public.jsp' remains publicly accessible but to access the secured page 'mypage.jsp', user needs to login.

2. Add Spring Security Maven Dependencies

Add Spring Security Maven Dependencies in Maven pom.xml.

File : pom.xml

Note : If you use Spring Framework 3.2.x and Spring Security 3.1.x (or less), then you may encounter Spring Asm Dependency Issue: java.lang.IncompatibleClassChangeError.

3. Spring Security configuration

Create a separate spring security xml and add following configuration to enable Spring security.

File : WEB-INF/spring-security.xml

Note :
<intercept-url> defines a pattern for request URLs which need to be secured. Attribute access defines roles of an user who is authorised to see requested URLs matching with that pattern. auto-config='true' automatically enables form based login, basic authentication and logout mechanism.

<authentication-manager> handles authentication of requests and uses the mechanism provided by <authentication-provider> to authenticate an user. To make the example simple, I have defined one hardcoded user with username as "srccodes", password as "password" and authorities as "ROLE_USER". authorities can take comma separated list of roles assigned to the particular user.

4. Integration of Spring Security

Spring Security is entirely based on servlet filter. We need to declare a filter called DelegatingFilterProxy in web.xml.

File : WEB-INF/web.xml

DelegatingFilterProxy is actually a filter proxy which delegates filter's methods to a Spring managed bean (by default named as "springSecurityFilterChain") which implements javax.servlet.Filter. Name of this bean must same with the <filter-name> in web.xml. Otherwise you may get following error during start up of the web application. Lets say <filter-name> is 'XXXXX'.

Server Console

Note : In web.xml, filter init-param "targetBeanName" can be used to specify the name of the target Spring bean defined in the application context.

5. Overall Project Structure

6. Demo

Now we'll test what we have achieved so far. Start the server and deploy the web application. Open the url http://<IP>:<PORT>/SpringSecurityHelloWorld/public. You'll be able to see the publicly accessible "public.jsp" page.

deploy web application and access public page

So far so good. Now we'll try to open our secured / protected page (mypage.jsp) at http://<IP>:<PORT>/SpringSecurityHelloWorld/secured/mypage. Oops!!!. We have been intercepted by DelegatingFilterProxy and redirected to spring defined login form at http://<IP>:<PORT>/SpringSecurityHelloWorld/spring_security_login.

Note : If user defined login form is not supplied, then Spring will automatically create one for authentication.

Supposedly we should not be able to view the secured page without valid username and password. So, let's first try with wrong credentials.

Oops!!!. Spring security has caught us again. It is also showing error message "secured page without valid username and password." with "Reason: Bad credentials". Now we have no option left but to try with correct username (srccodes) and password (password). But this time Spring security will redirect us to the initially requested URL and we'll be able to view the content of the secured page.

Spring security redirect to the initially requested URL

Download Source Code

SrcCodes : SpringSecurityHelloWorld

Spring Security 3 Hello World Example

1. Initial Spring 3 MVC Web Application

2. Add Spring Security Maven Dependencies

3. Spring Security configuration

4. Integration of Spring Security

5. Overall Project Structure

6. Demo

Download Source Code

References

Share This:

About the Author

Spring 3 MVC Framework Based Hello World Web Application Example Using Maven, Eclipse IDE And Tomcat Server

Spring Security Custom Login Form Example

Spring Security Logout Example

Spring Security HTTP Basic Authentication Example

JSP Hello World Example using Eclipse IDE and Tomcat web server

Tomcat Hello World Servlet using Eclipse IDE

Hello World Example of Simple Logging Facade for Java or SLF4J

Build Android application package file (APK) using Eclipse IDE and Android Developer Tools (ADT) Plugin

Build, Install, Configure and Run Apache Hadoop 2.2.0 in Microsoft Windows OS

Internet enabled (IOT) smoke alarm with SMS notification using esp8266, MQ2, ThingSpeak and Twilio

IOT - Home Automation project using Geofencing, MQTT, ESP8266 and MycroPython

Home Automation - Internet of Things - MQTT (MQ Telemetry Transport), ESP8266 and MycroPython

Configure STA_IF interface of ESP8266 (MycroPython firmware) to connect with WIFI network automatically on boot

Example: Remotely switch on/off and control brightness of an LED using MicroPython WebREPL

About this 'Hello World' site

Categories

Archives

Follow Us