Let’s begin

Spring security is a standard for securing Spring-based applications. It is a framework that focuses on providing both authentication and authorization to Java applications.

By the following step we will learn how to secure an application in a basic way.

Let’s bootstrap the tutorial !

First step, bootstrap you application with spring initializr : https://start.spring.io/

We will create a new maven project, with spring boot version 2.4.2 (last release at the moment of this tutorial). And the project will be run with java 11, but no problem if you use java 8 or java 15.

Now let’s generate the project directory




Open the project with your IDE. In the pom.xml you will find the dependencies for the spring starter web.

Copy to Clipboard

The project has only the simple main class to run the spring boot application

Copy to Clipboard

Create a first resource to simulate access to some data. To do this, we will create a restController to retrieve a list of movie.

First, we will create the entity for reprensenting Movie object. Create a package domain, inside it add the Movie entity class.

Copy to Clipboard

Now create a package called controller and add a new java class movieController.

Copy to Clipboard

If you run the application and go to http://localhost:8080/api/v1/movies/1  you will see the result for the Tenet movie

Security, where ?

Till now, we don’t speak about security. No time to waste, let’s add security to our application.

Add the spring boot starter security to our pom.xml

Copy to Clipboard

Restart your application and go back to the API where we have the end point that give us the information on the movie number 1. Refresh the page and .. magic, we have an authentication form ! it redirect automatically to localhost:8080/login to display a login form based authentication.

if it doesn’t work at the first time, try to reimport changes by maven. With intellij you have the option to enable auto import

If you want to access to the previous page the default login is user and the password … hmmm where is this password ? The password is generated at the run of the application you can find it in the console log of your IDE. And now we are login to the application.

but we didn’t add this authentication form ?  right ? but ..

It’s there that spring security is awesome. Without any configuration, it gives us a basic authentication form to access to our application.

Use Form Based Auth

To login our application we can access to the login page by going to …/login page or by going to the link a defined endpoint then we will be redirect to the login form page.

But what about logout ? Simply request the page …/logout

Then a page will ask you to click on a buton to logout. That’s it !

You will be redirect to the login page and notify that you are logout.

If you request again your api, the browser redirect also to the login page as you are not anymore signin to the application.

Behind the scene

If we take a look to the request in the network console of the chrome devTool, we will see the request when you are signin.

We can see details of the request. This is a POST request, the status code, some response headers, request headers but what I want to show you is the Form Data part. It is the actual payload which is sent to out backend. we can see the username and password value and also another key _csrf that we will see later what it is.

Implement Basic Auth

We will now learn how to change from form based auth to basic auth.

First let’s create a new package, called, i.e configuration. Create a java class SecurityConfiguration.

Annoted this class with @Configuration and @EnableWebSecurity

Extends the class WebSecurityConfigurerAdapter. By extending this adapter, we have several method we can override. In first, override the method configure with param HttpSecurity class.

Copy to Clipboard

What we will do now is configure the security to authorized any request should be authenticated with an username and password.

remove the line in the configure method and use http object to make the configuration.

Copy to Clipboard

line 2 indicate that we want to authorized requests.

line 3 indicate for  which request, here any request will be restricted.

line 4 we specified we want that requests has to be authenticated.

line 5 and line 6 add the mechanism type of the authentication.

Restart your application and refresh the page to access to the detail of our movie number one.

Now the form for the authentication is not anymore display, login and password is now request with a popup.

Enter the user as login and the password generated by spring (you can find it in the console log)

You are now redirect to the page with the details on the movie number 2.

Now logout with the link localhost:8080/logout … but wait it is not working anymore ???

We received an error page that notify :

This application has no explicit mapping for /error, so you are seeing this as a fallback.

This is because spring control each request, login and password should be validate for all the page.

If you go back to the previous page you will be able to access to the detail of the movie number 2.

Next we will see how to implement all of this.