baeldung - Coding and Testing Stuff: Introduction to Java Config for Spring Secu ...

The Master Class of " Learn Spring Security " is out:

>> CHECK OUT THE COURSE

1. Overview

This article is anintroduction to Java configuration for Spring Security which enables users to easily configure Spring Security without the use of XML .

Java configuration was added to the Spring framework in Spring 3.1 and extended toSpring Security in Spring 3.2 andis defined in a class annotated @Configuration .

2. Maven Setup

To use Spring Securityin a Maven projects, we first need to have the spring-security-core dependency in the project pom.xml :

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.1.3.RELEASE</version>
</dependency>

The latest version can always be found here .

3.Web Security with Java Configuration

Let’s start with a basic example of a Spring Security Java configuration:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("user")
.password("password").roles("USER");
}
}

As you may have noticed, the configuration sets up a basic in-memory authentication config.

4. HTTPSecurity

To enable HTTPSecurity in Spring, we need to extend the WebSecurityConfigurerAdapter to provide a default configuration in the configure(HttpSecurity http) method:

protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic();
}

The above default configuration makes sure any request to the application isauthenticated with form based login or HTTP basic authentication.

Also, it is exactly similar to the following XML configuration:

<http>
<intercept-url pattern="/**" access="authenticated"/>
<form-login />
<http-basic />
</http> 5. Form Login

Interestingly, Spring Security generates a login pageautomatically, based on the features that are enabled and using standard values for the URL which processes the submitted login:

protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().authenticated()
.and().formLogin()
.loginPage("/login").permitAll();
}

Here theautomatically generated login page is convenient to get up and running quickly.

6. Authorization with Roles

Let’s now configure some simple authorization on each URL using roles:

protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/home").access("hasRole('USER')")
.antMatchers("/admin/**").hasRole("ADMIN")
.and()
// some more method calls
.formLogin();
}

Notice how we’re using both the type-safe API hasRole but also the expression based API, via access.

7. Logout

As many other aspects of Spring Security, logout has some great defaults provided by the framework.

By default, a logout request invalidates the session, clears any authentication caches, clears the SecurityContextHolder and redirects to login page.

Here is asimple logout config: protected void configure(HttpSecurity http) throws Exception {
http.logout();
}

However, if you want to getmore control over the available handlers, here’s what a more complete implementation will look like:

protected void configure(HttpSecurity http) throws Exception {
http.logout().logoutUrl("/my/logout")
.logoutSuccessUrl("/my/index")
.logoutSuccessHandler(logoutSuccessHandler)
.invalidateHttpSession(true)
.addLogoutHandler(logoutHandler)
.deleteCookies(cookieNamesToClear)
.and()
// some other method calls
} 8.Authentication

Let’s have a look at another way of allowing authentication with Spring Security.

8.1. In-Memory Authentication

We’ll start with a simple, in-memory configuration:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("password").roles("USER", "ADMIN");
} 8.2. JDBC Authentication

To move that to JDBC, all you have to do is todefine a data source within the application and use that directly:

@Autowired
private DataSource dataSource;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.withDefaultSchema()
.withUser("user").password("password").roles("USER")
.and()
.withUser("admin").password("password").roles("USER", "ADMIN");
} 9. Conclusion

In this quick tutorial, we went over the basics of Java Configuration for Spring Security and focused on the code samples that illustrate the simplest configuration scenarios.