This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
You will build a Spring MVC application that secures the page with a login form that is backed by a fixed list of users.
- Spring Initializr
  - Use this pre-initialized project
- Manually, adding the dependencies
  - 'spring-web'
  - 'Thymeleaf'
- Unsecured Web Application
  - `spring-boot-starter-thymeleaf`
  - `spring-boot-starter-web`
  - Web application views
    - home page
      - Defined in `src/main/resources/templates/home.html` (via Thymeleaf template)
    - "Hello, World" page
      - Defined in `src/main/resources/templates/hello.html` (via Thymeleaf template)
    - login page
      - Defined in `src/main/resources/templates/login.html` (via Thymeleaf template)
  - Web application is based on Spring MVC
    - Configure Spring MVC
      - Set up view controllers to expose these templates
        - Defined in `src/main/java/com/example/securingweb/MvcConfig.java`
- If Spring Security is on the classpath → Spring Boot automatically secures all HTTP endpoints with “basic” authentication.
  - Dependencies
    - With Gradle

      ```groovy
      implementation 'org.springframework.boot:spring-boot-starter-security'
      // Temporary explicit version to fix Thymeleaf bug
      implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.1.RELEASE'
      // Test scope only, as in the Maven configuration
      testImplementation 'org.springframework.security:spring-security-test'
      ```

    - With Maven

      ```xml
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
      </dependency>
      <!-- Temporary explicit version to fix Thymeleaf bug -->
      <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity6</artifactId>
        <version>3.1.1.RELEASE</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
      </dependency>
      ```

  - Apply security configuration in `src/main/java/com/example/securingweb/WebSecurityConfig.java`
    - `@EnableWebSecurity`
      - enables Spring Security’s web security support
      - provides Spring MVC integration
    - `SecurityFilterChain` defines which URL paths should be secured and which should not
    - `UserDetailsService` sets up an in-memory user store
    - You can further customize the security settings.
- Set JDK 17.Y.Z in your environment variables
  - For Gradle: IN PROGRESS
  - For Maven
    - via the Maven wrapper
      - `./mvnw spring-boot:run` to run the application
      - `./mvnw clean package` to build the JAR file, and then `java -jar target/gs-securing-web-0.1.0.jar` to run the JAR file
    - via Maven previously installed locally
      - `mvn spring-boot:run` to run the application
      - `mvn clean package` to build the JAR file, and then `java -jar target/gs-securing-web-0.1.0.jar` to run the JAR file
- Once it has been started
  - Open your browser at `http://localhost:8080` to see the home page.
  - If you click on the link → it attempts to redirect to `/hello`
    - Since that page is secured and you have not yet logged in, it redirects to the login page
  - If you enter `user` and `password` in the fields → you are authenticated and then redirected to the greeting page
  - If you click on the Sign Out button → authentication is revoked, and you are returned to the login page with a message indicating that you are logged out.


