• Java
    • JAXB Tutorial
      • What is JAXB
      • JAXB Marshalling Example
      • JAXB UnMarshalling Example
  • Spring Tutorial
    • Spring Core Tutorial
    • Spring MVC Tutorial
      • Quick Start
        • Flow Diagram
        • Hello World Example
        • Form Handling Example
      • Handler Mapping
        • BeanNameUrlHandlerMapping
        • ControllerClassNameHandlerMapping
        • SimpleUrlHandlerMapping
      • Validation & Exception Handling
        • Validation+Annotations
        • Validation+ResourceBundle
        • @ExceptionHandler
        • @ControllerAdvice
        • Custom Exception Handling
      • Form Tag Library
        • Textbox Example
        • TextArea Example
        • Password Example
        • Dropdown Box Example
        • Checkboxes Example
        • Radiobuttons Example
        • HiddenValue Example
      • Misc
        • Change Config file name
    • Spring Boot Tutorial
  • Hibernate Tutorial
  • REST Tutorial
    • JAX-RS REST @PathParam Example
    • JAX-RS REST @QueryParam Example
    • JAX-RS REST @DefaultValue Example
    • JAX-RS REST @Context Example
    • JAX-RS REST @MatrixParam Example
    • JAX-RS REST @FormParam Example
    • JAX-RS REST @Produces Example
    • JAX-RS REST @Consumes Example
    • JAX-RS REST @Produces both XML and JSON Example
    • JAX-RS REST @Consumes both XML and JSON Example
  • Miscellaneous
    • JSON Parser
      • Read a JSON file
      • Write JSON object to File
      • Read / Write JSON using GSON
      • Java Object to JSON using JAXB
    • CSV Parser
      • Read / Write CSV file
      • Read/Parse/Write CSV File – OpenCSV
      • Export data into a CSV File
      • CsvToBean and BeanToCsv – OpenCSV

JavaInterviewPoint

Java Development Tutorials

Spring Security Annotation Configuration Example – HelloWorld

February 8, 2017 by javainterviewpoint Leave a Comment

Previously we have seen how to implement Spring Security in a Hello World program using XML configuration. In this Spring Security Annotation Configuration Example, we will be using the same example but instead of XML configuration, we will be configuring it through annotation.

Let’s build Spring MVC application with the home page which will be accessible to everyone, and we will be having admin page which will be accessible to only to the user with admin rights. When the user tries to access the admin page he will be asked to log in, if the credentials entered matches the admin privilege then only he will be allowed in.

Folder Structure:

Spring Security Annotation Configuration Example

  1. Create a simple Maven Project “SpringSecurityTutorial” and create a package for our source files “com.javainterviewpoint” under  src/main/java 
  2. Now add the following dependency in the POM.xml
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0	http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.javainterviewpoint</groupId>
     <artifactId>SpringSecurityTutorial</artifactId>
     <packaging>war</packaging>
     <version>0.0.1-SNAPSHOT</version>
     <name>SpringSecurityTutorial Maven Webapp</name>
     <url>http://maven.apache.org</url>
     <dependencies>
       <dependency>
         <groupId>junit</groupId>
         <artifactId>junit</artifactId>
         <version>3.8.1</version>
         <scope>test</scope>
       </dependency>
       <dependency>
         <groupId>javax.servlet</groupId>
         <artifactId>javax.servlet-api</artifactId>
         <version>3.1.0</version>
       </dependency>
    
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-core</artifactId>
         <version>${spring.version}</version>
       </dependency>
       <dependency>
         <groupId>org.springframework</groupId>
         <artifactId>spring-webmvc</artifactId>
         <version>${spring.version}</version>
       </dependency>
       <!-- Spring Security -->
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-core</artifactId>
         <version>${security.version}</version>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-web</artifactId>
         <version>${security.version}</version>
       </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-config</artifactId>
         <version>${security.version}</version>
       </dependency>
       <dependency>
         <groupId>jstl</groupId>
         <artifactId>jstl</artifactId>
         <version>1.2</version>
       </dependency>
     </dependencies>
     <build>
     <finalName>SpringSecurityTutorial</finalName>
     </build>
     <properties>
     <spring.version>4.2.1.RELEASE</spring.version>
     <security.version>4.0.3.RELEASE</security.version>
     <jdk.version>1.7</jdk.version>
     </properties>
    </project>
  3. Create the Java class HelloController.java and SpringSecurityConfig.java under com.javainterviewpoint folder.
  4. Place the SpringConfig-servlet.xml and web.xml  under the WEB-INF directory
  5. View files index.jsp, hello.jsp, and admin.jsp are put under the subdirectory under WEB-INF/Jsp

Other interesting articles which you may like …

  • context:annotation-config vs context:component-scan
  • Spring MVC BeanNameUrlHandlerMapping Example
  • Spring MVC ControllerClassNameHandlerMapping Example
  • Spring MVC SimpleUrlHandlerMapping Example
  • Spring REST Hello World Example – JSON and XML responses
  • ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
  • Fix missing src/main/java folder in Eclipse Maven Project – 2 build path entries are missing
  • Spring MVC CRUD Example with MySql + JdbcTemplate
  • RESTful Java Client With Jersey Client
  • RESTEasy Hello World Example with Apache Tomcat
  • RESTful Java client with RESTEasy client
  • Spring RESTful Web Services Hello World XML Example
  • Springfox Swagger 2 for Spring RESTful Web Services

Spring Security Annotation Configuration Example

web.xml

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee	http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
	version="3.1">
 <display-name>Archetype Created Web Application</display-name>
 <servlet>
   <servlet-name>SpringConfig</servlet-name>
   <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
   <init-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>
       /WEB-INF/SpringConfig-servlet.xml
     </param-value>
   </init-param>
 </servlet>
 <servlet-mapping>
   <servlet-name>SpringConfig</servlet-name>
   <url-pattern>/</url-pattern>
 </servlet-mapping>

 <listener>
   <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>

 <!-- Loads Spring Security configuration file -->
 <context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>
      /WEB-INF/SpringConfig-servlet.xml
   </param-value>
 </context-param>

 <!-- Spring Security filter -->
 <filter>
   <filter-name>springSecurityFilterChain</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>

 <filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>
</web-app>
  • The web.xml has everything about the application that a server needs to know, which is placed under the WEB-INF directory.  It contains the name of the SpringConfiguration file when the DispatcherServlet is initialized the framework will try to load a configuration file “[servlet-name]-servlet.xml” under the WEB-INF directory.
  • Spring Security depends on the Servlet filter, we will be using the filter “DelegatingFilterProxy” which provides the link between web.xml and application context. (Note: The filter name should only be “springSecurityFilterChain” )

SpringConfig-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
 xmlns:context="http://www.springframework.org/schema/context"
 xmlns:mvc="http://www.springframework.org/schema/mvc"
 xsi:schemaLocation="http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 http://www.springframework.org/schema/context
 http://www.springframework.org/schema/context/spring-context-3.2.xsd
 http://www.springframework.org/schema/mvc
 http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">

 <mvc:annotation-driven />
 <context:component-scan base-package="com.javainterviewpoint" />

 <bean id="viewResolver"
   class="org.springframework.web.servlet.view.InternalResourceViewResolver">
   <property name="prefix" value="/WEB-INF/Jsp/" />
   <property name="suffix" value=".jsp" />
 </bean>
</beans>
  • The SpringConfig-servlet.xml is also placed under the WEB-INF directory.
  • <context:component-scan> will let the Spring Container to search for all the annotation under the package “com.javainteriviewpoint”. 
  • <mvc:annotation-driven/> annotation will activate the @Controller, @RequestMapping, @Valid etc annotations.
  • The view is resolved through “org.springframework.web.servlet.view.InternalResourceViewResolver” which searches for the jsp files under the /WEB-INF/Jsp/ directory.

SpringSecurityConfig.java

We will not be having SpringSecurity.xml in the example instead we will be having an additional class which performs the work of the XML Configuration.

package com.javainterviewpoint;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authentication) throws Exception 
    {
        authentication.inMemoryAuthentication().withUser("test").password("test").roles("ADMIN");
    }
    
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception 
    {
        httpSecurity.authorizeRequests()
            .antMatchers("/", "/hello").permitAll() 
            .antMatchers("/admin*").access("hasRole('ROLE_ADMIN')")
            .and().formLogin();
    }
}
  • configureGlobal() method configures the AuthenticationManagerBuilder class with the valid user credentials and the allowed roles. The AuthenticationManagerBuilder class creates the AuthenticationManger which is responsible for authenticating the credentials. In our example we have used the inMemoryAuthentication, you can choose other authentication types such JDBC, LDAP.
authentication.inMemoryAuthentication().withUser("test").password("test").roles("ADMIN");

It is equivalent of

 <authentication-manager>
   <authentication-provider>
     <user-service>
       <user name="test" password="test" authorities="ROLE_ADMIN" />
     </user-service>
    </authentication-provider>
 </authentication-manager>
  • configure() method configures the HttpSecurity class which authorizes each HTTP request which has been made. In our example ‘/’ and ‘/hello’ will be allowed for everyone and ‘/admin’ will be allowed for the user having ADMIN role.
  httpSecurity.authorizeRequests()
            .antMatchers("/", "/hello").permitAll() 
            .antMatchers("/admin*").access("hasRole('ROLE_ADMIN')")
            .and().formLogin();

It is equivalent of

<intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
  • formLogin() method will generate the default login form which will act as the login form here.

HelloController.java

package com.javainterviewpoint;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController
{
    @RequestMapping("/hello")
    public ModelAndView hello()
    {
        String welcomeMessage = "Hello controller Welcome Message";
        return new ModelAndView("hello","welcomeMessage",welcomeMessage);
    }
    @RequestMapping("/admin")
    public ModelAndView admin()
    {
        String welcomeMessage = "Welcome to Admin Page !!";
        return new ModelAndView("admin","welcomeMessage",welcomeMessage);
    }
}
  • Our HelloController has two methods
    • hello() – when the user hits on the URL “/hello” this method gets called and the user will be redirected to the “hello.jsp”
    • admin() – when the user hits on the URL “/admin” this method gets called and the user will be redirected to the login page, only when the user keys in the valid credentials he will be allowed see the “admin.jsp”.

index.jsp

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%response.sendRedirect("hello");%>
<html>
<body>
 <h2>Hello World!</h2>
</body>
</html>

hello.jsp

 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
<title>Spring Security</title>
</head>
<body>
 <h2>Spring Security Tutorial Hello World Example !!!</h2>
 <h4>${welcomeMessage}</h4>
 <h4>
 <a href="admin">Admin Page</a> || <a href="<c:url value="j_spring_security_logout" />">Logout</a>
 </h4>
</body>
</html>

admin.jsp

 <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
 pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>Spring Security Tutorial - Admin Page</title>
</head>
<body>
  <h3>${welcomeMessage}</h3>
</body>
</html>

Output

Hit on the URL: http://localhost:8080/SpringSecurityTutorial/hello

Spring Security Hello World

Hit on the URL: http://localhost:8080/SpringSecurityTutorial/admin

Spring Security Hello World Annotation

You will be asked to login, if an invalid password is entered you will get the below error.

Spring Security Hello World Invalid

Only when you enter the valid credentials you will be allowed to see the admin page.

Spring Security Tutorial 4

Filed Under: J2EE, Java, Spring MVC, Spring Security, Spring Tutorial Tagged With: Spring Security Annotation Configuration Example

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Java Basics

  • JVM Architecture
  • Object in Java
  • Class in Java
  • How to Set Classpath for Java in Windows
  • Components of JDK
  • Decompiling a class file
  • Use of Class.forName in java
  • Use Class.forName in SQL JDBC

Oops Concepts

  • Inheritance in Java
  • Types of Inheritance in Java
  • Single Inheritance in Java
  • Multiple Inheritance in Java
  • Multilevel Inheritance in Java
  • Hierarchical Inheritance in Java
  • Hybrid Inheritance in Java
  • Polymorphism in Java – Method Overloading and Overriding
  • Types of Polymorphism in java
  • Method Overriding in Java
  • Can we Overload static methods in Java
  • Can we Override static methods in Java
  • Java Constructor Overloading
  • Java Method Overloading Example
  • Encapsulation in Java with Example
  • Constructor in Java
  • Constructor in an Interface?
  • Parameterized Constructor in Java
  • Constructor Chaining with example
  • What is the use of a Private Constructors in Java
  • Interface in Java
  • What is Marker Interface
  • Abstract Class in Java

Java Keywords

  • Java this keyword
  • Java super keyword
  • Final Keyword in Java
  • static Keyword in Java
  • Static Import
  • Transient Keyword

Miscellaneous

  • newInstance() method
  • How does Hashmap works internally in Java
  • Java Ternary operator
  • How System.out.println() really work?
  • Autoboxing and Unboxing Examples
  • Serialization and Deserialization in Java with Example
  • Generate SerialVersionUID in Java
  • How to make a class Immutable in Java
  • Differences betwen HashMap and Hashtable
  • Difference between Enumeration and Iterator ?
  • Difference between fail-fast and fail-safe Iterator
  • Difference Between Interface and Abstract Class in Java
  • Difference between equals() and ==
  • Sort Objects in a ArrayList using Java Comparable Interface
  • Sort Objects in a ArrayList using Java Comparator

Follow

  • Coding Utils

Useful Links

  • Spring 4.1.x Documentation
  • Spring 3.2.x Documentation
  • Spring 2.5.x Documentation
  • Java 6 API
  • Java 7 API
  • Java 8 API
  • Java EE 5 Tutorial
  • Java EE 6 Tutorial
  • Java EE 7 Tutorial
  • Maven Repository
  • Hibernate ORM

About JavaInterviewPoint

javainterviewpoint.com is a tech blog dedicated to all Java/J2EE developers and Web Developers. We publish useful tutorials on Java, J2EE and all latest frameworks.

All examples and tutorials posted here are very well tested in our development environment.

Connect with us on Facebook | Privacy Policy | Sitemap

Copyright ©2023 · Java Interview Point - All Rights Are Reserved ·