Quick Spring Security 3 Tutorial

This is a quick tutorial on Spring Security. You will need Eclipse and m2e to follow the steps below.

1. Create a new Maven Project using the Eclipse New Wizard. When prompted for the archetype, pick the spring-mvc-jpa-archetype. This will give us a running Spring MVC web application.


2. Enter com.teamextension for the groupId. Enter quickspringsecurity for the artifactId. Enter com.teamextension.quickspringsecurity for the package. Hit Finish.


3. Right click on the quickspringsecurity project and go to Maven -> Add Dependency. At “Enter the groupId, artifactId or sha1 prefix or pattern(*)”, enter org.springframework.security and then choose the artifact spring-security-core. Repeat for spring-security-config and spring-security-web.

4. Create security.xml under src/main/webapp/WEB-INF/spring.

<beans:beans 
  xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <http auto-config="true">
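    <!-- Rules are evaluated top to bottom and the first match wins, so the login page exception is listed before the catch-all. -->
    <intercept-url pattern="/spring_security_login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />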
  </http>

  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="username" password="password" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>

</beans:beans>

The XML above requires ROLE_USER for every URL in the web application except the login page. It also defines an in-memory account with the credentials username:password.
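Spring Security checks intercept-url rules in the order they are listed and applies the first match, so a catch-all placed above a more specific pattern makes that pattern unreachable. The check below is an added example, not part of the original tutorial; the function names, the simplified Ant-pattern matcher and the two sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"

# Constructed inputs: the same two rules in both orders.
CATCH_ALL_FIRST = """<http xmlns="http://www.springframework.org/schema/security" auto-config="true">
  <intercept-url pattern="/**" access="ROLE_USER" />
  <intercept-url pattern="/spring_security_login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>"""
SPECIFIC_FIRST = """<http xmlns="http://www.springframework.org/schema/security" auto-config="true">
  <intercept-url pattern="/spring_security_login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>"""


def ant_to_regex(pattern):
    """Simplified Ant-style matcher: ** spans segments, * and ? stay inside one."""
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(t) or re.escape(t) for t in tokens) + r"\Z")


def shadowed_rules(xml_text):
    """Return (pattern, earlier_pattern) for literal rules that can never be reached."""
    findings = []
    for http in ET.fromstring(xml_text).iter(NS + "http"):
        seen = []
        for rule in http.findall(NS + "intercept-url"):
            pattern = rule.get("pattern", "")
            # Only literal paths are checked; comparing two wildcard patterns
            # needs a containment test this sketch does not attempt.
            if not re.search(r"[*?]", pattern):
                hit = next((e for e in seen if ant_to_regex(e).match(pattern)), None)
                if hit is not None:
                    findings.append((pattern, hit))
            seen.append(pattern)
    return findings


if __name__ == "__main__":
    for name, cfg in (("catch-all first", CATCH_ALL_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, "->", shadowed_rules(cfg) or "no shadowed rules")
```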

5. Update web.xml, adding spring security configurations and changing the url-pattern to start with “/”.

...

<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/spring/root-context.xml,
    /WEB-INF/spring/security.xml
  </param-value>
</context-param>

...

<servlet-mapping>
  <servlet-name>appServlet</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

...

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

...

6. Update index.html, changing the redirect to point to “/”.

...

<meta http-equiv="Refresh" content="0; URL=/">

...

7. Execute the project with Jetty. Right click the project, choose Run As, then Maven build…, check Skip Tests and put this in Goals: install jetty:run. Click Run.

8. Open a browser and go to http://localhost:8080/quickspringsecurity/. You’ll be prompted with a login page. Enter username in the User textbox and password in the Password textbox, and submit.

9. You’ll be redirected to this page

You now have a simple Spring Security 3 web application.