Spring Security was created to solve a very common problem for web application developers:
“How can I make sure that ONLY people who have paid/signed-up for my web application have access to my web application?”
This is what Spring Security is all about: it provides an easy way for you to “secure” the access to your Spring application.
What does that mean exactly? Well, let’s say for instance that you have an information product like Java Video Tutorials, and all of your content is available via a particular URL. You want to make sure that ONLY the people who have signed up can gain access to that particular URL. This means that anybody who has NOT signed up (and logged in) and tries to access this particular URL will be redirected AWAY from that special content and instead asked to log in.
How to integrate Spring Security
The first thing you need to do is to make sure that your application already uses the Spring Framework (as that’s a dependency that Spring Security has). This means that if you do NOT have a Spring enabled web application, then you won’t get much mileage out of Spring Security.
If you’ve got a Spring enabled web application, then you’re good to go for setting up Spring Security.
You’ll need to import the Spring Security library files and dependencies. As I mentioned in the podcast, I recommend using Maven for this task. Here are the dependencies that I use in my products:
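<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>3.1.0.RELEASE</version>
</dependency>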
The next thing you’ll need to do is to modify your web.xml file. You’ll need to add in a filter that will allow all the requests to be filtered through the Spring Security code. This is because Spring Security uses URLs as the basis for how it secures access to your web application. Therefore it makes sense that you’ll need to make sure that Spring Security has access to all the requests that come into your web application.
Here’s what you’ll need to add to your
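<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>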
I usually put this stuff in just below the contextConfigLocation context parameter.
Create a new applicationContext-security.xml file and place it in with your existing applicationContext.xml file, usually located in the root of the
Note: I’m lazy and just placed my Spring Security configuration info directly in my applicationContext.xml file. Best practices state that you should have a separation of these “concerns” for <sarcasm>optimal “internal happiness and self-worth”.</sarcasm>
Populate your new applicationContext-security.xml file with your ideal security settings.
Here’s an example of my set up for Java Video Tutorials (as mentioned in the podcast):
Note: since I have my Spring Security configuration set up in my existing applicationContext.xml file, I need to prefix everything with <security:. I accomplish this by adding the appropriate namespace in the header of the
When looking at the specific example I posted above, you’ll notice that I make reference to authentication-failure-handler-ref. I use these two handlers so that I can have custom code to access my database when people try to log in. This particular setup is outside the scope of this current conversation and I’ll be creating a much more complete tutorial/course on how to integrate Spring Security with access to a database for authentication in the future. As I mentioned in the podcast, I’ll be linking this up to https://howtoprogramwithjava.com/spring-security so that you’ll have an opportunity to see exactly how to accomplish this task.
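For the applicationContext-security.xml step described above, here is a minimal stand-alone configuration for Spring Security 3.1. It is an added example, not the author's own configuration, and it makes the security namespace the default so no security: prefix is needed. The URL patterns (/css/**, /login, /videos/**), the target URLs and the in-memory demo user are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Static assets bypass the security filter chain entirely (assumed path). -->
    <http pattern="/css/**" security="none"/>

    <http use-expressions="true">
        <!-- Rules are evaluated top to bottom and the first match wins,
             so specific patterns go first and the catch-all goes last. -->

        <!-- The login page must stay reachable for anonymous visitors,
             otherwise the redirect to it loops. -->
        <intercept-url pattern="/login" access="permitAll"/>

        <!-- Paid content: signed-up users only (assumed URL and role name). -->
        <intercept-url pattern="/videos/**" access="hasRole('ROLE_USER')"/>

        <!-- Everything not listed above requires a logged-in user,
             so a newly added URL is protected by default. -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <!-- Unauthenticated requests to protected URLs are redirected here. -->
        <form-login login-page="/login"
                    default-target-url="/videos"
                    authentication-failure-url="/login?error"/>
        <logout logout-success-url="/login"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- Constructed demo user so the file loads on its own.
                 Replace with a real user store (for example a database-backed
                 UserDetailsService) and hashed passwords before deployment. -->
            <user-service>
                <user name="demo" password="CHANGE_ME" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```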
For now I just want you all to know that there’s a fairly easy to use solution out there already for adding a layer of security access to your web applications, so there’s no need to try and re-invent the wheel by creating your own custom solution!