Java example to enable spring security java configuration with the help of @EnableWebSecurity annotation and WebSecurityConfigurerAdapter class.
This example is built on top of spring webmvc hibernate integration example.
1. Include spring security 5 dependencies
Include spring security jars. I am using maven so added respective dependencies for spring security 5.
<properties>
<failOnMissingWebXml>false</failOnMissingWebXml>
<spring.version>5.0.7.RELEASE</spring.version>
</properties>
<!-- Spring MVC Dependency -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Security Core -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Security Config -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Security Web -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.version}</version>
</dependency>
2. Create Spring Security 5 Configuration – @EnableWebSecurity
I have created this simple security configuration and added two demo users ‘user‘ and ‘admin‘.
package com.howtodoinjava.demo.spring.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
PasswordEncoder passwordEncoder;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.passwordEncoder(passwordEncoder)
.withUser("user").password(passwordEncoder.encode("123456")).roles("USER")
.and()
.withUser("admin").password(passwordEncoder.encode("123456")).roles("USER", "ADMIN");
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/**").hasAnyRole("ADMIN", "USER")
.and().formLogin()
.and().logout().logoutSuccessUrl("/login").permitAll()
.and().csrf().disable();
}
}
3. Initialize spring security
In Spring, security is implemented using DelegatingFilterProxy. To register it, with spring container in Java configuration, you shall use AbstractSecurityWebApplicationInitializer.
The spring will detect the instance of this class during application startup, and register the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter. It also register a ContextLoaderListener.
package com.howtodoinjava.demo.spring.config;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
//no code needed
}
Also, include SecurityConfig to AppInitializer.
package com.howtodoinjava.demo.spring.config;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
public class AppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[] { HibernateConfig.class, SecurityConfig.class };
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[] { WebMvcConfig.class };
}
@Override
protected String[] getServletMappings() {
return new String[] { "/" };
}
}
4. Verify Security
Start the application and launch home page. You will be given a login page. It means spring security is configured and working correctly.
Login with username/password – ‘user’ and ‘123456’
Happy Learning !!
Seetesh
@EnableWebSecurity is not found in any of the 3 jars.
spring-security-config-5.0.7.RELEASE
spring-security-core-5.0.7.RELEASE
spring-security-web-5.0.7.RELEASE
Seetesh
Spring version is 5.2.5
Lokesh Gupta
It is available since 3.2
Dishi
Hi, after adding spring securities I am getting classpath errors. Even after adding bom dependency I am unable to resolve them. Can you help? The spring version is 4.3.24 and security version is 5.1.6
mamad
hi, very well. thankyou
please add “JWT integrated with Spring 5” project