Spring Security 5 – Java Config

Last Updated:
By: Lokesh Gupta
Spring 5 Security
Spring Configuration

Java example to enable spring security java configuration with the help of @EnableWebSecurity annotation and WebSecurityConfigurerAdapter class.

This example is built on top of spring webmvc hibernate integration example.

1. Include spring security 5 dependencies

Include spring security jars. I am using maven so added respective dependencies for spring security 5.

<properties>
		<failOnMissingWebXml>false</failOnMissingWebXml>
		<spring.version>5.0.7.RELEASE</spring.version>
</properties>	

<!-- Spring MVC Dependency -->
<dependency>
	<groupId>org.springframework</groupId>
	<artifactId>spring-webmvc</artifactId>
	<version>${spring.version}</version>
</dependency>

<!-- Spring Security Core -->
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-core</artifactId>
	<version>${spring.version}</version>
</dependency>

<!-- Spring Security Config -->
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-config</artifactId>
	<version>${spring.version}</version>
</dependency>

<!-- Spring Security Web -->
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-web</artifactId>
	<version>${spring.version}</version>
</dependency>

2. Create Spring Security 5 Configuration – @EnableWebSecurity

I have created this simple security configuration and added two demo users ‘user‘ and ‘admin‘.

package com.howtodoinjava.demo.spring.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	PasswordEncoder passwordEncoder;

	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication()
		.passwordEncoder(passwordEncoder)
		.withUser("user").password(passwordEncoder.encode("123456")).roles("USER")
		.and()
		.withUser("admin").password(passwordEncoder.encode("123456")).roles("USER", "ADMIN");
	}

	@Bean
	public PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
		.antMatchers("/login").permitAll()
		.antMatchers("/admin/**").hasRole("ADMIN")
		.antMatchers("/**").hasAnyRole("ADMIN", "USER")
		.and().formLogin()
		.and().logout().logoutSuccessUrl("/login").permitAll()
		.and().csrf().disable();
	}
}

3. Initialize spring security

In Spring, security is implemented using DelegatingFilterProxy. To register it, with spring container in Java configuration, you shall use AbstractSecurityWebApplicationInitializer.

The spring will detect the instance of this class during application startup, and register the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. It also register a ContextLoaderListener.

package com.howtodoinjava.demo.spring.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
	//no code needed
}

Also, include SecurityConfig to AppInitializer.

package com.howtodoinjava.demo.spring.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class AppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

   @Override
   protected Class<?>[] getRootConfigClasses() {
      return new Class[] { HibernateConfig.class, SecurityConfig.class };
   }

   @Override
   protected Class<?>[] getServletConfigClasses() {
      return new Class[] { WebMvcConfig.class };
   }

   @Override
   protected String[] getServletMappings() {
      return new String[] { "/" };
   }
}

4. Verify Security

Start the application and launch home page. You will be given a login page. It means spring security is configured and working correctly.

Login Form
Login Form

Login with username/password – ‘user’ and ‘123456’

Login Success
Login Success

Happy Learning !!

Sourcecode Download

Was this post helpful?

Recommended Reading:

  1. Spring Security Form Login Example
  2. Spring @Configuration annotation example
  3. Spring version-less schema for latest version
  4. 13 Spring Best Practices for Writing Configuration Files
  5. Spring static factory-method example
  6. Spring – Application events
  7. Spring Property Editor – CustomEditorConfigurer Example
  8. Spring Boot – Custom PropertyEditor Configuration Example
  9. Spring Boot – Embedded Tomcat Configuration
  10. Configuring Properties with Spring Boot

Join 7000+ Awesome Developers

Get the latest updates from industry, awesome resources, blog updates and much more.

* We do not spam !!

5 thoughts on “Spring Security 5 – Java Config”

  1. @EnableWebSecurity is not found in any of the 3 jars.
    spring-security-config-5.0.7.RELEASE
    spring-security-core-5.0.7.RELEASE
    spring-security-web-5.0.7.RELEASE

    Reply

  2. Hi, after adding spring securities I am getting classpath errors. Even after adding bom dependency I am unable to resolve them. Can you help? The spring version is 4.3.24 and security version is 5.1.6

    Reply

Leave a Comment

HowToDoInJava

A blog about Java and related technologies, the best practices, algorithms, and interview questions.

Meta Links

About Me

Contact Us

Privacy policy

Advertise

Guest Posts

Blogs

REST API Tutorial