Spring Security – Config Security for Web MVC by Spring Boot

Security is an important part of a web application, so this tutorial shows how to configure security for a web application with Spring Boot.

Related Articles:
How to use Spring Security JDBC Authentication with PostgreSQL & Spring Boot
Spring Security – Customize Authentication Provider
Spring Security – Customize Login Handler
Spring Security Customize Logout Handler

I. Technology

– Java 1.8
– Maven 3.3.9
– Spring Tool Suite – Version 3.8.1.RELEASE

II. Overview
1. Structure of project

[Image: Spring Security project structure]

2. URLs of Web Application

We create an MVC web application with 6 URLs:
– “/”, “/home”: accessible to everyone.
– “/welcome”: requires authentication; accessible to users with role USER or ADMIN.
– “/admin”: accessible to users with role ADMIN.
– “/login”: login page.
– “/403”: HTTP Error 403 Forbidden.

3. Steps to do

– Create a Spring Boot project
– Create Controller
– Create View Pages
– Configure WebSecurity

III. Practice
1. Create Spring Boot Project (add Spring Security dependency)

Open Spring Tool Suite and choose File -> New -> Spring Starter Project. When the New Spring Starter Project dialog opens, enter the project information.

Press Next button, add needed dependencies:
– For Security, choose Core -> select: Security
– For Template Engines, choose Template Engines->select: Thymeleaf.
– For Web MVC, choose Web -> select: Web


Press Finish; the Spring Boot project is created.

Open pom.xml and check dependencies:

2. Create Controller

Create a simple MVC Controller with 6 URLs:

– “/”, “/home” -> return: home.html page
– “/welcome” -> return: welcome.html page
– “/admin” -> return: admin.html page
– “/login” -> return: login.html page
– “/403” -> return 403.html page

3. Create page views

– Create home.html page
The Home page has a button that navigates to the Welcome page.

– Create Welcome Page: welcome.html
The Welcome page is protected by security, so we need to log in before going to it. For logging out, the Welcome page is designed with a logout button.

– Create Admin Page: admin.html
The Admin page is accessed by Admin users.
It is designed like the Welcome page, with a logout button.

– Spring provides a default login page, but we can customize a login.html page as below:

– Create an access denied page: 403.html
If a user tries to access a URL without having permission, our web app redirects to 403.html to show a notification message.

4. Security Configuration

Use WebSecurityConfigurerAdapter for the security configuration. WebSecurityConfigurerAdapter provides a convenient base class for creating a WebSecurityConfigurer instance.

The implementation allows customization by overriding methods.
The web application has 2 users:
– Admin: admin/admin
– User: user/user

IV. Sourcecode


By JavaSampleApproach | October 15, 2016.

Last updated on September 28, 2017.
