Spring Security Hello World Example

67 Flares Twitter 4 Facebook 43 Google+ 20 Pin It Share 0 LinkedIn 0 Filament.io 67 Flares ×

In this tutorial, we will see how we can use Spring security to protect specific resources. This Hello World tutorial will give you a quick start to Spring Security.We will use Spring’s Java Config ( Annotation based approach) to configure the properties instead of  XML configuration.

Technologies used

  • Spring 4.0.3 Release
  • Spring Security 3.2.3 Release
  • Tomcat 7
  • Java 1.6

We are going to develop a simple web application using  Spring MVC. All the configurations will be done using Java Classes and there won’t be any XML configurations. Let us first start with the project structure.

Project Structure


Maven Dependencies


The controller will be having  an unprotected URL and two URL path’s that are restricted to admin and super admin roles.

  •  /helloworld path is public access and there is no security constraint set on that.
  • /protected is a restricted area and only user’s having admin role can access that
  • /confidential is restricted and only user’s having superadmin role is able to access it

Inside each method , we create a Model ( ModelAndView instance) and return it. The view name is also set in the model.  How the view name is mapped to a concrete view file ( in this case a  JSP file) is the simple.  We need to provide a Class having the configuration information. This is explained in the next section

Configuring the Spring MVC ( View + Security)

We need to tell Spring where to find view and how it is mapped. How do we handle security and the configuration for the same also needs to be set in Spring. All these can be accomplished using a  Java Class annotated with @Configuration annotation

Above class does the following

  • Declares this class as Configuration ( @Configuration)
  • Instructs Spring to Scan for Components inside com.javahash.* package
  • Maps a view name to /WEB-INF/views/ folder
  • Sets the Suffix to be .jsp
  • Imports another class that holds the security related configuration (@Import({ AppSecurityConfig.class }) )

Let us see how we configure the security part.

Security Configuration

The most important thing to note is that this class is annotated with

  1. @Configuration
  2. @EnableWebSecurity

and it extends WebSecurityConfigurerAdapter class. The @EnableWebSecurity annotation and WebSecurityConfigurerAdapter work together to provide web based security. Spring security is configured to enable HTTP Basic and Form based authentication. Spring Security will automatically render a login page and logout success page for you. The rest of the code is self explanatory. It just configures the URLs that are restricted to authorized roles and sets the roles for the users. In this example the users and their passwords are hard coded. You can change this to grab the information from database , if required.

We now have the security configuration in AppSecurityConfig.java and the MVC configuration in ViewConfig.java. We need to make sure that the root application context includes our Security configuration. For this, the practice is to create a class that extends AbstractAnnotationConfigDispatcherServletInitializer  and override a few methods.  What we require is to configure particular URL patterns to pass through our security layer. Traditional approach is to configure a servlet filter and in the filter we check for the security credentials. With the introduction of Servlet 3.x we are no longer required to declare the filter in web.xml and we can manage the entire configuration via Java classes. The AbstractAnnotationConfigDispatcherServletInitializer  helps with this.

The above code is equivalent to

We have now configured security and other MVC configuration. What is left is to configure the DispatcherSerlvet that is used to initialize the Spring MVC framework and map the URL patterns for Dispatcher Servlet. Tradional approach was to declare the DispatcherServlet in the web.xml and provide URL mappings for it. We can do away with web.xml configuration and instead use a Java Class to do this Job.  This is our next step

Configuring the Dispatcher Servlet

Here we have configured the servlet mapping as “/” and so all requests will be intercepted by the Spring Dispatcher Servlet.

Things to Note:

Our class extends AbstractAnnotationConfigDispatcherServletInitializer 

getRootConfigClasses method returns our Configuration class ( ViewConfig.class)

The only activity left is to develop the views and test the application.

Developing the View (JSP)

The views are very simple – it just prints the message and the title returned in the model. We use JSTL in the  views to print the data.






No security for helloworld.

When you change the URL to http://localhost:8080/springsecurity-0.0.1-SNAPSHOT/protected/ Spring Security kicks in and redirect to /login, and a default login form is displayed. If username and password supplied is incorrect, error messages will be displayed, and Spring will redirect to the URL /login?error.

For unauthorized user, Spring will display the 403 access denied page


Recap – Configurations

  • Declare the Security Configuration (AppSecurityConfig.java)
  • Declare the View Configuration ( ViewConfig.java)
  • Declare the Security Filter Configuration (SecurityInit.java)
  • Declare the Spring Dispatcher Servlet Configuration (MVCInitializer.java)

Download Source Code

Download  – Spring Security Source Code ( 7.37 KB)

  • Alex

    Thanks for this. I think something beefier would be more helpful for anyone really evaluating Spring. I understand that you put the credentials in the config file to make the tutorial easy but that’s typically a very bad idea in practice. Can you show us a more in-depth tutorial where you’re plugging into a real back-end like Stormpath and also show us some authorization.

  • MaineBrookies

    Thanks for taking the time to produce this tutorial. It works fine for me (Tomcat 8, Spring 4.0.3, SpringSec 3.2.3) except that neither the logout section nor the user name display appear after logging in. I just see the Title and Message content.

    • anandchakru

      did u try adding the following to your pom:


  • anandchakru

    Thank you..

  • Shyam Elakapalli

    how to implement custom annotated filter ?


    @interface MySecurityFilter{


    public HelloWorldContrller{



    public String getMessage(){

    return “”;



  • Johaness

    The blog layout turns very complicated to understand anything