Simple Spring Security example using Basic Authentication Provider
Quite often we need to authenticate a user before allowing access to pages developed using Spring MVC. This authentication can be achieved in a number of ways. One way is to use web.xml security, where roles are defined. However, part of this security implementation depends on the application server used. For example, Tomcat checks that the username and password sent match a user entry in tomcat-users.xml. So the changes have to be made according to the application server used. Even if only one application server is used, these changes still have to be made for each instance of that server. With Spring Security authentication this is not the case: as Spring Security is part of the WAR file, it is independent of the application server. To illustrate this we will use this Simple MVC project. This project displays a list of employees when the URL viewAllEmployees.do is hit. If you try to hit this protected URL while unauthenticated, a popup window appears in which you enter a username and password.
Let's Begin-
Our project will be as follows-
To the pom.xml add the Spring Security dependencies-
<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.test</groupId>
    <artifactId>employee-management-system</artifactId>
    <packaging>war</packaging>
    <version>0.0.1-SNAPSHOT</version>
    <name>employee-management-system Maven Webapp</name>
    <url>http://maven.apache.org</url>

    <properties>
        <spring.security.version>3.2.0.RELEASE</spring.security.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context</artifactId>
            <version>4.0.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>4.0.5.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>
        <!-- Spring Security modules, all pinned to the version property defined above -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
    </dependencies>

    <build>
        <finalName>employee-management-system</finalName>
        <plugins>
            <plugin>
                <groupId>org.apache.tomcat.maven</groupId>
                <artifactId>tomcat7-maven-plugin</artifactId>
                <version>2.2</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>2.4</version>
            </plugin>
        </plugins>
    </build>
</project>
In security-config.xml we specify the URL to be intercepted. We could instruct it to intercept all URLs; currently we intercept only /viewAllEmployees.do. For authentication, the existing users and roles are currently hardcoded: we use user-service to define in-memory usernames and roles as follows-
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/viewAllEmployees.do" access="hasRole('ROLE_USER')"/>
        <http-basic/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="javainuse" password="password" authorities="ROLE_USER,ROLE_ADMIN"/>
                <user name="test" password="password" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
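A hardened variant of the security-config.xml above, added here as an example and not part of the original project: it stores BCrypt hashes instead of plaintext passwords, requires HTTPS for the protected URL (Basic credentials are only Base64-encoded on the wire), and drops auto-config so that only Basic authentication is enabled. It assumes Tomcat has an HTTPS connector configured, and the password values are placeholders to be replaced with real hashes.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- auto-config is omitted: it would also register form login and logout,
         which a Basic-only setup does not need -->
    <http use-expressions="true">
        <!-- requires-channel redirects plain HTTP requests to HTTPS before the
             browser is prompted for credentials (assumes an HTTPS connector) -->
        <intercept-url pattern="/viewAllEmployees.do"
                       access="hasRole('ROLE_USER')"
                       requires-channel="https"/>
        <http-basic/>
    </http>

    <!-- BCrypt encoder shipped in spring-security-core -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <authentication-manager>
        <authentication-provider>
            <!-- Submitted passwords are checked against the stored hashes -->
            <password-encoder ref="passwordEncoder"/>
            <user-service>
                <!-- Placeholders: replace with the output of
                     new BCryptPasswordEncoder().encode(...) for each user -->
                <user name="javainuse" password="REPLACE_WITH_BCRYPT_HASH"
                      authorities="ROLE_USER,ROLE_ADMIN"/>
                <user name="test" password="REPLACE_WITH_BCRYPT_HASH"
                      authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```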
In web.xml we add the DelegatingFilterProxy, a delegating proxy that automatically intercepts URLs matching a particular pattern in order to apply Spring Security. Currently all URLs are intercepted by this filter.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">

    <!-- Configure the Dispatcher Servlet -->
    <servlet>
        <servlet-name>Dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- Filter the incoming requests for the .do pattern -->
    <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/Dispatcher-servlet.xml, /WEB-INF/security-config.xml</param-value>
    </context-param>

    <!-- Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
Now deploy the application on Tomcat-
http://localhost:8080/employee-management-system/viewAllEmployees.do

As only a user having the role ROLE_USER can visit this page, enter the credentials
username - javainuse and password - password, or
username - test and password - password.