spring-guides/gs-securing-web spring-guides/gs-securing-web

  • Stars
    star
    351
  • Rank 120,906 (Top 3 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created over 11 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
spring-guides/gs-securing-web
github

spring-guides

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Securing a Web Application :: Learn how to protect your web application with Spring Security.
Table of Contents

This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.

What You Will Build

You will build a Spring MVC application that secures the page with a login form that is backed by a fixed list of users.

Starting with Spring Initializr

You can use this pre-initialized project and click Generate to download a ZIP file. This project is configured to fit the examples in this tutorial.

To manually initialize the project:

  1. Navigate to https://start.spring.io. This service pulls in all the dependencies you need for an application and does most of the setup for you.

  2. Choose either Gradle or Maven and the language you want to use. This guide assumes that you chose Java.

  3. Click Dependencies and select Spring Web and Thymeleaf.

  4. Click Generate.

  5. Download the resulting ZIP file, which is an archive of a web application that is configured with your choices.

Note
 If your IDE has the Spring Initializr integration, you can complete this process from your IDE.
Note
 You can also fork the project from Github and open it in your IDE or other editor.

Create an Unsecured Web Application

Before you can apply security to a web application, you need a web application to secure. This section walks you through creating a simple web application. Then you will secure it with Spring Security in the next section.

The web application includes two simple views: a home page and a β€œHello, World” page. The home page is defined in the following Thymeleaf template (from src/main/resources/templates/home.html):

link:initial/src/main/resources/templates/home.html[]

This simple view includes a link to the /hello page, which is defined in the following Thymeleaf template (from src/main/resources/templates/hello.html):

link:initial/src/main/resources/templates/hello.html[]

The web application is based on Spring MVC. As a result, you need to configure Spring MVC and set up view controllers to expose these templates. The following listing (from src/main/java/com/example/securingweb/MvcConfig.java) shows a class that configures Spring MVC in the application:

link:initial/src/main/java/com/example/securingweb/MvcConfig.java[]

The addViewControllers() method (which overrides the method of the same name in WebMvcConfigurer) adds four view controllers. Two of the view controllers reference the view whose name is home (defined in home.html), and another references the view named hello (defined in hello.html). The fourth view controller references another view named login. You will create that view in the next section.

At this point, you could jump ahead to β€œRun the Application” and run the application without having to log in to anything.

Now that you have an unsecured web application, you can add security to it.

Set up Spring Security

Suppose that you want to prevent unauthorized users from viewing the greeting page at /hello. As it is now, if visitors click the link on the home page, they see the greeting with no barriers to stop them. You need to add a barrier that forces the visitor to sign in before they can see that page.

You do that by configuring Spring Security in the application. If Spring Security is on the classpath, Spring Boot automatically secures all HTTP endpoints with β€œbasic” authentication. However, you can further customize the security settings. The first thing you need to do is add Spring Security to the classpath.

With Gradle, you need to add three lines (one for the application, one for Thymeleaf & Spring Security integration, and one for testing) in the dependencies closure in build.gradle, as the following listing shows:

link:complete/build.gradle[]

The following listing shows the finished build.gradle file:

link:complete/build.gradle[]

With Maven, you need to add two extra entries (one for the application and one for testing) to the <dependencies> element in pom.xml, as the following listing shows:

link:complete/pom.xml[]

The following listing shows the finished pom.xml file:

link:complete/pom.xml[]

The following security configuration (from src/main/java/com/example/securingweb/WebSecurityConfig.java) ensures that only authenticated users can see the secret greeting:

link:complete/src/main/java/com/example/securingweb/WebSecurityConfig.java[]

The WebSecurityConfig class is annotated with @EnableWebSecurity to enable Spring Security’s web security support and provide the Spring MVC integration. It also exposes two beans to set some specifics for the web security configuration:

The SecurityFilterChain bean defines which URL paths should be secured and which should not. Specifically, the / and /home paths are configured to not require any authentication. All other paths must be authenticated.

When a user successfully logs in, they are redirected to the previously requested page that required authentication. There is a custom /login page (which is specified by loginPage()), and everyone is allowed to view it.

The UserDetailsService bean sets up an in-memory user store with a single user. That user is given a user name of user, a password of password, and a role of USER.

Now you need to create the login page. There is already a view controller for the login view, so you need only to create the login view itself, as the following listing (from src/main/resources/templates/login.html) shows:

link:complete/src/main/resources/templates/login.html[]

This Thymeleaf template presents a form that captures a username and password and posts them to /login. As configured, Spring Security provides a filter that intercepts that request and authenticates the user. If the user fails to authenticate, the page is redirected to /login?error, and your page displays the appropriate error message. Upon successfully signing out, your application is sent to /login?logout, and your page displays the appropriate success message.

Last, you need to provide the visitor a way to display the current user name and sign out. To do so, update the hello.html to say hello to the current user and contain a Sign Out form, as the following listing (from src/main/resources/templates/hello.html) shows:

link:complete/src/main/resources/templates/hello.html[]

We display the username by using Thymeleaf’s integration with Spring Security. The β€œSign Out” form submits a POST to /logout. Upon successfully logging out, it redirects the user to /login?logout.

Note
 Thymeleaf 3.1 no longer provides access to HttpServletRequest so HttpServletRequest#getRemoteUser() cannot be used to access the currently authenticated user.

Run the Application

The Spring Initializr creates an application class for you. In this case, you need not modify the class. The following listing (from src/main/java/com/example/securingweb/SecuringWebApplication.java) shows the application class:

link:complete/src/main/java/com/example/securingweb/SecuringWebApplication.java[]

Once the application starts up, point your browser to http://localhost:8080. You should see the home page, as the following image shows:

The application’s home page

When you click on the link, it attempts to take you to the greeting page at /hello. However, because that page is secured and you have not yet logged in, it takes you to the login page, as the following image shows:

The login page
Note
 If you jumped down here with the unsecured version, you do not see the login page. You should back up and write the rest of the security-based code.

At the login page, sign in as the test user by entering user and password for the username and password fields, respectively. Once you submit the login form, you are authenticated and then taken to the greeting page, as the following image shows:

The secured greeting page

If you click on the Sign Out button, your authentication is revoked, and you are returned to the login page with a message indicating that you are logged out.

Summary

Congratulations! You have developed a simple web application that is secured with Spring Security.

More Repositories

1

tut-spring-security-and-angular-js

Spring Security and Angular:: A tutorial on how to use Spring Security with a single page application with various backend architectures, ranging from a simple single server to an API gateway with OAuth2 authentication.
TypeScript
1,695
star
2

gs-rest-service

Building a RESTful Web Service :: Learn how to create a RESTful web service with Spring.
Java
1,391
star
3

tut-spring-boot-kotlin

Building web applications with Spring Boot and Kotlin :: Learn how to easily build and test web applications with Spring, Kotlin, Junit 5 and JPA
Kotlin
914
star
4

tut-spring-boot-oauth2

Spring Boot and OAuth2:: A tutorial on "social" login and single sign on with Facebook and Github
Java
905
star
5

gs-spring-boot

Building an Application with Spring Boot :: Learn how to build an application with minimal configuration.
Java
897
star
6

tut-react-and-spring-data-rest

React.js and Spring Data REST :: A tutorial based on the 5-part blog series by Greg Turnquist
JavaScript
884
star
7

gs-spring-boot-docker

Spring Boot with Docker :: Learn how to create a Docker container from a Spring Boot application with Maven or Gradle
Java
619
star
8

gs-messaging-stomp-websocket

Using WebSocket to build an interactive web application :: Learn how to the send and receive messages between a browser and the server over a WebSocket
Java
528
star
9

getting-started-guides

Getting Started Guide template :: The template for new guides and also the place to request them.
Java
519
star
10

tut-rest

Building REST services with Spring :: Learn how to easily build RESTful services with Spring
Java
516
star
11

gs-uploading-files

Uploading Files :: Learn how to build a Spring application that accepts multi-part file uploads.
Java
471
star
12

gs-multi-module

Creating a Multi Module Project :: Learn how to build a library and package it for consumption in a Spring Boot application
Java
329
star
13

gs-serving-web-content

Serving Web Content with Spring MVC :: Learn how to create a web page with Spring MVC and Thymeleaf.
Java
275
star
14

gs-batch-processing

Creating a Batch Service :: Learn how to create a basic batch-driven solution.
Java
243
star
15

gs-accessing-data-jpa

Accessing Data with JPA :: Learn how to work with JPA data persistence using Spring Data JPA.
Java
229
star
16

top-spring-security-architecture

Spring Security Architecture:: Topical guide to Spring Security, how the bits fit together and how they interact with Spring Boot
226
star
17

gs-consuming-rest

Consuming a RESTful Web Service :: Learn how to retrieve web page data with Spring's RestTemplate.
Java
195
star
18

gs-accessing-data-mysql

Accessing data with MySQL :: Learn how to set up and manage user accounts on MySQL and how to configure Spring Boot to connect to it at runtime.
Java
192
star
19

gs-messaging-rabbitmq

Messaging with RabbitMQ :: Learn how to create a simple publish-and-subscribe application with Spring and RabbitMQ.
Java
183
star
20

gs-testing-web

Testing the Web Layer :: Learn how to test Spring Boot applications and MVC controllers.
Java
178
star
21

gs-maven

Building Java Projects with Maven :: Learn how to build a Java project with Maven.
Java
165
star
22

gs-reactive-rest-service

Building a Reactive RESTful Web Service :: Learn how to create a RESTful web service with Reactive Spring and consume it with WebClient.
Java
162
star
23

gs-gradle

Building Java Projects with Gradle :: Learn how to build a Java project with Gradle.
Java
161
star
24

gs-producing-web-service

Producing a SOAP web service :: Learn how to create a SOAP-based web service with Spring.
Java
153
star
25

gs-service-registration-and-discovery

Service Registration and Discovery :: Learn how to register and find services with Eureka
Java
151
star
26

gs-accessing-data-rest

Accessing JPA Data with REST :: Learn how to work with RESTful, hypermedia-based data persistence using Spring Data REST.
Java
146
star
27

gs-consuming-web-service

Consuming a SOAP web service :: Learn how to create a client that consumes a WSDL-based service
Java
136
star
28

gs-accessing-data-mongodb

Accessing Data with MongoDB :: Learn how to persist data in MongoDB.
Java
135
star
29

gs-scheduling-tasks

Scheduling Tasks :: Learn how to schedule tasks with Spring.
Java
129
star
30

gs-validating-form-input

Validating Form Input :: Learn how to perform form validation with Spring.
Java
124
star
31

gs-rest-service-cors

Enabling Cross Origin Requests for a RESTful Web Service :: Learn how to create a RESTful web service with Spring that support Cross-Origin Resource Sharing (CORS).
Java
110
star
32

gs-crud-with-vaadin

Creating CRUD UI with Vaadin :: Use Vaadin and Spring Data JPA to build a dynamic UI
Java
108
star
33

gs-gateway

Building a Gateway :: Learn how to configure a gateway
Java
106
star
34

gs-authenticating-ldap

Authenticating a User with LDAP :: Learn how to secure an application with LDAP.
Java
97
star
35

gs-messaging-jms

Messaging with JMS :: Learn how to publish and subscribe to messages using a JMS broker.
Java
90
star
36

gs-async-method

Creating Asynchronous Methods :: Learn how to create asynchronous service methods.
Java
86
star
37

gs-relational-data-access

Accessing Relational Data using JDBC with Spring :: Learn how to access relational data with Spring.
Java
80
star
38

gs-messaging-redis

Messaging with Redis :: Learn how to use Redis as a message broker.
Java
80
star
39

gs-actuator-service

Building a RESTful Web Service with Spring Boot Actuator :: Learn how to create a RESTful Web service with Spring Boot Actuator.
Java
74
star
40

gs-rest-hateoas

Building a Hypermedia-Driven RESTful Web Service :: Learn how to create a hypermedia-driven RESTful Web service with Spring.
Java
73
star
41

gs-accessing-mongodb-data-rest

Accessing MongoDB Data with REST :: Learn how to work with RESTful, hypermedia-based data persistence using Spring Data REST.
Java
70
star
42

gs-caching

Caching Data with Spring :: Learn how to cache data in memory with Spring
Java
67
star
43

gs-centralized-configuration

Centralized Configuration :: Learn how to manage application settings from an external, centralized source
Java
58
star
44

gs-accessing-data-r2dbc

Accessing data with R2DBC :: Learn how to access relational data with the reactive protocol R2DBC
Java
47
star
45

gs-spring-boot-kubernetes

Spring Boot Kubernetes :: Deploy a Spring Boot application to Kubernetes :: spring-boot,spring-framework
Java
46
star
46

tut-spring-webflux-kotlin-rsocket

Spring Boot with Kotlin Coroutines and RSocket :: Build a chat application with Reactive Web services from Spring, Kotlin, WebFlux and RSocket
JavaScript
45
star
47

gs-handling-form-submission

Handling Form Submission :: Learn how to create and submit a web form with Spring.
Java
45
star
48

gs-spring-data-reactive-redis

Accessing Data Reactively with Redis :: Learn how to reactively interface with Redis and Spring Data
Java
35
star
49

gs-sts

Working a Getting Started guide with STS :: Learn how to import a Getting Started guide with Spring Tool Suite (STS).
Shell
34
star
50

gs-consuming-rest-angularjs

Consuming a RESTful Web Service with AngularJS :: Learn how to retrieve web page data with AngularJS.
HTML
32
star
51

gs-accessing-data-neo4j

Accessing Data with Neo4j :: Learn how to persist objects and relationships in Neo4j's NoSQL data store.
Java
29
star
52

quoters

Spring Boot quotation service to support REST-based guides
Java
28
star
53

gs-spring-cloud-loadbalancer

Client-Side Load-Balancing with Spring Cloud LoadBalancer :: Dynamically select correct instance for the request :: spring-cloud,spring-cloud-loadbalancer,spring-cloud-commons
Java
28
star
54

gs-convert-jar-to-war

Converting a Spring Boot JAR Application to a WAR :: Learn how to convert your Spring Boot JAR-based application to a WAR file.
Shell
22
star
55

gs-graphql-server

Building a GraphQL service :: Learn how to build a GraphQL service with Spring for GraphQL.
Java
21
star
56

top-spring-on-kubernetes

Spring on Kubernetes :: Topic guide to Spring and Kubernetes
Java
20
star
57

gs-managing-transactions

Managing Transactions :: Learn how to wrap key parts of code with transactions.
Java
19
star
58

gs-messaging-gcp-pubsub

Messaging with Google Cloud Pub/Sub :: Learn how to exchange messages using Spring Integration channel adapters and Google Cloud Pub/Sub
Java
18
star
59

gs-vault-config

Vault Configuration :: Learn how to store and retrieve application configuration details in HashiCorp Vault
Java
16
star
60

getting-started-macros

Collection of macros used to support getting started guides
15
star
61

gs-testing-restdocs

Creating API Documentation with Restdocs :: Learn how to generate documentation for HTTP endpoints using Spring Restdocs
Java
14
star
62

gs-intellij-idea

Working a Getting Started guide with IntelliJ IDEA :: Learn how to work a Getting Started guide with IntelliJ IDEA.
Shell
14
star
63

gs-spring-boot-for-azure

Deploying a Spring Boot app to Azure :: Learn how to deploy a Spring Boot app to Azure.
Shell
14
star
64

gs-contract-rest

Consumer Driven Contracts :: Learn how to with contract stubs and consuming that contract from another Spring application
Java
13
star
65

gs-integration

Integrating Data :: Learn how to build an application that uses Spring Integration to fetch data, process it, and write it to a file.
Java
12
star
66

gs-cloud-circuit-breaker

Spring Cloud Circuit Breaker Guide :: How to Use Spring Cloud Circuit Breaker
Java
12
star
67

gs-accessing-neo4j-data-rest

Accessing Neo4j Data with REST :: Learn how to work with RESTful, hypermedia-based data persistence using Spring Data REST.
Java
11
star
68

gs-consuming-rest-jquery

Consuming a RESTful Web Service with jQuery :: Learn how to retrieve web page data with jQuery.
HTML
10
star
69

gs-caching-gemfire

Caching Data with Pivotal GemFire :: Learn how to cache data in GemFire.
Java
9
star
70

gs-accessing-data-gemfire

Accessing Data in Pivotal GemFire :: Learn how to build an application using Gemfire's data fabric.
Java
9
star
71

gs-accessing-vault

Accessing Vault :: Learn how to use Spring Vault to load secrets from HashiCorp Vault
Java
7
star
72

gs-accessing-gemfire-data-rest

Accessing Data in Pivotal GemFire with REST :: Learn how to work with RESTful, hypermedia-based data persistence using Spring Data REST.
Java
6
star
73

gs-spring-cloud-stream

Spring Cloud Stream :: Learn how to build and test Spring Cloud Stream Applications with RabbitMQ and Apache Kafka
Java
5
star
74

gs-accessing-data-cassandra

Accessing Data with Cassandra :: Learn how to persist data in Cassandra.
Java
5
star
75

issue-aggregator

List issues from multiple GH repo
Kotlin
3
star
76

gs-spring-cloud-task

Spring Cloud Task :: Learn how to build and test Spring Cloud Task Applications
Java
3
star
77

gs-tanzu-observability

Observability with Spring :: Learn how to send application metrics to Tanzu Observability
Java
3
star
78

drone-aggregator

Get a snapshot view of your CI jobs hosted at drone.io
SCSS
2
star
79

gs-sts-cloud-foundry-deployment

Deploying to Cloud Foundry from STS :: Learn how to deploy a Spring application to Cloud Foundry from STS
Shell
2
star
80

gs-guides-with-vscode

Building a Guide with VS Code :: Learn how to import and work with a Spring Getting Started Guide in VS Code.
Shell
2
star
81

gs-spring-cloud-dataflow

Spring Cloud Data Flow :: Learn how to build, deploy and launch streaming and batch data pipelines using Spring Cloud Data Flow
2
star
82

topical-guides

Spring Topical Guides:: The template for new topical guides on spring.io and also the place to request them
2
star
83

top-observing-graphql-in-action

Observing GraphQL in action :: Tutorial on GraphQL and Observability
Java
1
star