Securing a Web Application :: Learn how to protect your web application with Spring Security.
Shell Batchfile Java HTML

README.adoc

tags projects
security
spring-security

This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.

What you’ll build

You’ll build a Spring MVC application that secures the page with a login form backed by a fixed list of users.

Create an unsecured web application

Before you can apply security to a web application, you need a web application to secure. The steps in this section walk you through creating a very simple web application. Then you secure it with Spring Security in the next section.

The web application includes two simple views: a home page and a "Hello World" page. The home page is defined in the following Thymeleaf template:

src/main/resources/templates/home.html

link:initial/src/main/resources/templates/home.html[]

As you can see, this simple view includes a link to the page "/hello". That is defined in the following Thymeleaf template:

src/main/resources/templates/hello.html

link:initial/src/main/resources/templates/hello.html[]

The web application is based on Spring MVC. Thus you need to configure Spring MVC and set up view controllers to expose these templates. Here’s a configuration class for configuring Spring MVC in the application.

src/main/java/hello/MvcConfig.java

link:initial/src/main/java/hello/MvcConfig.java[]

The addViewControllers() method (overriding the method of the same name in WebMvcConfigurerAdapter) adds four view controllers. Two of the view controllers reference the view whose name is "home" (defined in home.html), and another references the view named "hello" (defined in hello.html). The fourth view controller references another view named "login". You’ll create that view in the next section.

At this point, you could jump ahead to Make the application executable and run the application without having to login to anything.

With the base simple web application created, you can add security to it.

Set up Spring Security

Suppose that you want to prevent unauthorized users from viewing the greeting page at "/hello". As it is now, if users click the link on the home page, they see the greeting with no barriers to stop them. You need to add a barrier that forces the user to sign in before seeing that page.

You do that by configuring Spring Security in the application. If Spring Security is on the classpath, then Spring Boot automatically secures all HTTP endpoints with "basic" authentication. But you can further customize the security settings. The first thing you need to do is add Spring Security to the classpath.

With Gradle this would be one line in the dependencies closure:

build.gradle

dependencies {
    ...
link:complete/build.gradle[]
    ...
}

With Maven this would be an extra entry added to <dependencies>:

pom.xml

<dependencies>
    ...
link:complete/pom.xml[]
    ...
</dependencies>

Here’s a security configuration that ensures that only authenticated users can see the secret greeting:

src/main/java/hello/WebSecurityConfig.java

link:complete/src/main/java/hello/WebSecurityConfig.java[]

The WebSecurityConfig class is annotated with @EnableWebSecurity to enable Spring Security’s web security support and provide the Spring MVC integration. It also extends WebSecurityConfigurerAdapter and overrides a couple of its methods to set some specifics of the web security configuration.

The configure(HttpSecurity) method defines which URL paths should be secured and which should not. Specifically, the "/" and "/home" paths are configured to not require any authentication. All other paths must be authenticated.

When a user successfully logs in, they will be redirected to the previously requested page that required authentication. There is a custom "/login" page specified by loginPage(), and everyone is allowed to view it.

As for the configureGlobal(AuthenticationManagerBuilder) method, it sets up an in-memory user store with a single user. That user is given a username of "user", a password of "password", and a role of "USER".

Now we need to create the login page. There’s already a view controller for the "login" view, so you only need to create the login view itself:

src/main/resources/templates/login.html

link:complete/src/main/resources/templates/login.html[]

As you can see, this Thymeleaf template simply presents a form that captures a username and password and posts them to "/login". As configured, Spring Security provides a filter that intercepts that request and authenticates the user. If the user fails to authenticate, the page is redirected to "/login?error" and our page displays the appropriate error message. Upon successfully signing out, our application is sent to "/login?logout" and our page displays the appropriate success message.

Last we need to provide the user a way to display the current username and Sign Out. Update the hello.html to say hello to the current user and contain a "Sign Out" form as shown below

src/main/resources/templates/hello.html

link:complete/src/main/resources/templates/hello.html[]

We display the username by using Spring Security’s integration with HttpServletRequest#getRemoteUser(). The "Sign Out" form submits a POST to "/logout". Upon successfully logging out it will redirect the user to "/login?logout".

Make the application executable

Although it is possible to package this service as a traditional web application archive or WAR file for deployment to an external application server, the simpler approach demonstrated below creates a standalone application. You package everything in a single, executable JAR file, driven by a good old Java main() method. And along the way, you use Spring’s support for embedding the Tomcat servlet container as the HTTP runtime, instead of deploying to an external instance.

src/main/java/hello/Application.java

link:complete/src/main/java/hello/Application.java[]
... app starts up ...

Once the application starts up, point your browser to http://localhost:8080. You should see the home page:

The application's home page

When you click on the link, it attempts to take you to the greeting page at /hello. But because that page is secured and you have not yet logged in, it takes you to the login page:

The login page
Note
If you jumped down here with the unsecured version, then you won’t see this login page. Feel free to back up and write the rest of the security-based code.

At the login page, sign in as the test user by entering "user" and "password" for the username and password fields, respectively. Once you submit the login form, you are authenticated and then taken to the greeting page:

The secured greeting page

If you click on the "Sign Out" button, your authentication is revoked, and you are returned to the log in page with a message indicating you are logged out.

Summary

Congratulations! You have developed a simple web application that is secured with Spring Security.