Spring Security Project using Java Configuration

Spring Framework added Java configuration support in Spring 3.1. In Spring Security, Java configuration was added to Spring Security 3.2 that allows us to configure Spring Security without writing single line of XML.

Here, we will create an example that implements Spring Security and configured without using XML. It includes the following steps.

Step 1

The first step is to create a Spring Security Java configuration. A simple basic Java Configuration is given below.

WebSecurityConfig.java

package com.javatpoint;

import org.springframework.context.annotation.*;
//import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableWebSecurity
@ComponentScan("com.javatpoint")
public class WebSecurityConfig implements WebMvcConfigurer {
	
	@Bean
	public UserDetailsService userDetailsService() throws Exception {
		InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
		manager.createUser(User.withDefaultPasswordEncoder().username("javatpoint").
		password("java123").roles("USER").build());
		return manager;
	}
	
	protected void configure(HttpSecurity http) throws Exception {
				
		http
		.antMatcher("/")                               
		.authorizeRequests()
			.anyRequest().hasRole("ADMIN")
			.and()
		.httpBasic();
	}
}

This configuration creates a Servlet Filter known as the springSecurityFilterChain. It is responsible for protecting the application URLs, validating submit username and password, redirecting to the login form etc.

The above Java Configuration do the following for our application.

Require authentication for every URL
Creates a login form
Allow user to authenticate using form based authentication
Allow to logout
Prevent from CSRF attack
Security Header Integration, etc

Step 2

Now, we will register springSecurityFilterChain with the war. To register, Spring Security provides a base class AbstractSecurityWebApplicationInitializer that we need to extend.

For Spring MVC application, SecurityWebApplicationInitializer will look like below.

SecurityWebApplicationInitializer.java

package com.javatpoint;
import org.springframework.security.web.context.*;

public class SecurityWebApplicationInitializer
	extends AbstractSecurityWebApplicationInitializer {

}

This code will register the springSecurityFilterChain for every URL in our application.

Step 3

Now, load WebSecurityConfig in our existing ApplicationInitializer and add into the getRootConfigClasses() method.

MvcWebApplicationInitializer.java

package com.javatpoint;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
public class MvcWebApplicationInitializer extends
		AbstractAnnotationConfigDispatcherServletInitializer {
	@Override
	protected Class<?>[] getRootConfigClasses() {
		return new Class[] { WebSecurityConfig.class };
	}
	@Override
	protected Class<?>[] getServletConfigClasses() {
		// TODO Auto-generated method stub
		return null;
	}
	@Override
	protected String[] getServletMappings() {
		return new String[] { "/" };
	}
}

Step 4

WebSecurityConfigurerAdapter class provides a configure(HttpSecurity http) method that contains the following default configuration. Default definition looks like below.

protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
}

It is similar to the given XML.

<http>
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
</http>

This method does the following things.

It ensures that each request made by the user requires to the user to be authenticated
It allows user to authenticate by using form based login
It allows user to authenticate with HTTP Basic authentication

Step 5

Creating a controller to handle user requests.

HomeController.java

package com.javatpoint.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class HomeController {
	
	@RequestMapping(value="/", method=RequestMethod.GET)
	public String index() {
		
		return "index";
	}
}

We have one view (.jsp) page index.jsp, it contains the following source code.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Home Page</title>
</head>
<body>
Welcome to home page!
</body>
</html>

Our complete project looks like the below.

Output:

We have a single action in our controller and it can be accessed only by authentic user. So, when we run the application, it prompts for the login credentials. The output is given below.

This is default login page provided by the Spring Security, we did not create it. Although we can create our own login page and configure with the application. We will do this in our next topics.

Well, now, provide the login credentials to get into the application resource. Spring Security validate user credentials and make sure that user is authentic.

Let's see, what happen? If we enter wrong credentials.