Spring Security Form based Authentication – Annotations

In my previous tutorial, I showed Spring Security Form based Authentication – XML Configuration. In this tutorial I will show the annotation-based way to configure Spring Security with a Spring MVC web application to secure pages. I will create a Spring MVC based web application and configure Spring Security to protect a page from outside access.

Spring Security allows you to integrate security features into a JEE web application easily. It intercepts all incoming HTTP requests via a servlet filter and applies the “user defined” security checks.

In this tutorial, I will show you how to integrate Spring Security 4.2.1 with a Spring MVC 4 web application to secure URL access.
For this tutorial I will create a Maven based web project in Eclipse.


The following are required in order to run the application:

Eclipse Kepler
JDK 1.8
Tomcat 8
Maven 3 installed and configured
Spring MVC 4 dependencies in pom.xml
Spring Security 4 dependencies in pom.xml

The steps below show how to create a Maven based project in Eclipse.

Step 1. Create a maven based web project in Eclipse

Go to File -> New -> Other. In the popup window, under Maven, select Maven Project, then click Next. Select the workspace location, either the default or a location you browse to, and click Next. In the next window, select the highlighted row from the list of archetypes below and click the Next button.


Now enter the required fields (Group Id, Artifact Id) as shown below

Group Id : com.roytuts
Artifact Id : spring-security

Step 2. Modify the pom.xml file as shown below.

The minimal dependency artifacts required for Spring Security are spring-security-web and spring-security-config.

In the above pom.xml file, notice that an additional plugin with the failOnMissingWebXml configuration is required. Because we are going to write Java code based purely on annotations, we will delete the web.xml file from the WEB-INF directory.

Step 3. If you see JRE System Library[J2SE-1.5], change the version using the process below.

Right-click on the project and go to Build -> Configure build path. Under the Libraries tab, click on JRE System Library[J2SE-1.5], click the Edit button and select the appropriate JDK 1.8 from the next window. Click Finish, then Ok.

Step 4. When the build process has finished, delete the web.xml file from the WEB-INF directory. Instead, we will create the two classes below, which are equivalent to what was in the web.xml file.

The above class declares the Spring MVC DispatcherServlet, which acts as a front controller to handle incoming requests and responses for the URL pattern "/". This is equivalent to declaring DispatcherServlet in the web.xml file in my tutorial Spring Security Form based Authentication – XML Configuration.

I have also loaded the config classes WebSecurityConfig.class and WebMvcConfig.class, which are equivalent to the security.xml and controllers.xml configurations in my tutorial Spring Security Form based Authentication – XML Configuration.

The above class is equivalent to adding the DelegatingFilterProxy filter declaration to your web.xml file.

This provides a hook into the Spring Security web infrastructure. DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context. In this case, the bean is named springSecurityFilterChain, which is an internal infrastructure bean created by the namespace to handle web security. Note that you should not use this bean name yourself.
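The two web.xml replacement classes described above can look like the following. This is an added sketch, not the tutorial's original code: the class names WebAppInitializer and SecurityWebAppInitializer are hypothetical, the block shows two separate source files, and both are assumed to sit in the same package as WebSecurityConfig and WebMvcConfig.

```java
// ---- File: WebAppInitializer.java (hypothetical class name) ----
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    // Root application context. The security configuration is loaded here so
    // that DelegatingFilterProxy can look up the springSecurityFilterChain bean.
    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { WebSecurityConfig.class, WebMvcConfig.class };
    }

    // Assumption: no separate servlet-level configuration in this layout.
    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    // DispatcherServlet is the front controller for the URL pattern "/".
    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

// ---- File: SecurityWebAppInitializer.java (hypothetical class name) ----
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers a DelegatingFilterProxy named springSecurityFilterChain mapped to
// "/*". The base class does all the work, so the body stays empty.
public class SecurityWebAppInitializer extends AbstractSecurityWebApplicationInitializer {
}
```

If the security initializer class is missing, the application still starts but no request passes through the Spring Security filter chain, so the secured page is served without a login.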

Step 5. Create the WebSecurityConfig.java class below, which is equivalent to the security.xml file under the src/main/resources directory in my tutorial Spring Security Form based Authentication – XML Configuration.
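A form-login configuration of this kind, written against the Spring Security 4.x Java configuration API, is sketched below. It is an added example, not the tutorial's original class: the URL paths /admin and /login, the ADMIN role and the use of BCrypt are assumptions; only the roy/roy demo user and the /static/** resource path come from this page.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            // Demo user roy/roy. The password is hashed at startup so that
            // only a BCrypt hash is held in memory (role name is assumed).
            .withUser("roy").password(encoder.encode("roy")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Public: the index page and static resources.
                .antMatchers("/", "/static/**").permitAll()
                // Secured page (assumed path); unauthenticated requests are
                // redirected to the login page.
                .antMatchers("/admin").hasRole("ADMIN")
                // Deny-by-default for anything not listed above.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .defaultSuccessUrl("/admin")
                .and()
            .logout()
                .logoutSuccessUrl("/").permitAll();
        // CSRF protection stays enabled (the Java-config default): the login
        // form and the logout request must be POSTs carrying the _csrf token.
    }
}
```

With these defaults the custom login form posts the fields username and password to /login, and a failed login redirects to /login?error.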

Step 6. Create the WebMvcConfig.java class below, which is equivalent to the controllers.xml file under the src/main/resources directory in my tutorial Spring Security Form based Authentication – XML Configuration.

The annotation @EnableWebMvc is equivalent to <mvc:annotation-driven /> to work with annotations in Spring MVC.

The addResourceHandlers() method acts in a similar way to <mvc:resources location="/static/" mapping="/static/**" /> to load static resources from the static directory.

The annotation @ComponentScan is equivalent to <context:component-scan/> to load all annotation-driven controllers from the given base package.

I have also declared a view resolver bean and a message resource for i18n support.

Step 7. Create the messages.properties file with the content below and put it under the src/main/resources folder.

Step 8. Create the controller with the source below.

Step 9. We need some style, so create the style.css file below and put it under the webapp/static/css directory.

Step 10. Below is the index.jsp file; put it under the webapp/views directory and see how keys are used to fetch the corresponding values from the messages.properties file. This index.jsp file is not secured and is accessible directly.

Step 11. The admin.jsp file below, in the webapp/views directory, is secured, and the user must log in before viewing its content. When you try to access the admin.jsp file, you will automatically be redirected to the login.jsp file.

Step 12. The content of the login.jsp file under the webapp/views directory.

Step 13. When you deploy and run the application, you will see different output in the browser.

When you hit the URL http://localhost:8080/spring-security/

You should see the page title Spring Security Basic (Annotations) instead of Spring Security Basic (XML).

[Screenshot: spring security]

When you click on the link Go to Administrator page

[Screenshot: spring security]

When you click on the Submit button without giving any credentials, or with wrong credentials

[Screenshot: spring security]

When you give the username/password as roy/roy

[Screenshot: spring security]

When you click on the Logout link

[Screenshot: spring security]

Thanks for reading.
