Spring Security: Authentication and Authorization Using XML

Concept Overview

Spring provides a configurable framework for implementing authentication and authorization for an application. The security framework provides ways to log in to and log out of an application. It also provides authentication at view level and method level. What’s more, it can also provide you with a login page! Here are some of the things it provides:

  • Capabilities for login and logout
  • Control of access to a link based on the role of the user
  • The ability to hide certain portions of a page if a user does not have the appropriate privileges
  • Linking to a database or LDAP directory for authentication

In this tutorial we will look at declarative security implementation using XML.

The first step is to add the Spring Security jars to the classpath. The minimal jars are the Core and Configuration modules. The second step is to make the Spring Security namespace available in the XML. This is achieved by referencing the schema http://www.springframework.org/schema/security/spring-security-3.0.xsd. Spring implements the security by using a servlet Filter. This Filter intercepts all requests and carries out the security-related tasks. The only filter that needs to be declared in web.xml is the DelegatingFilterProxy. This filter delegates each request to a Spring-managed bean that implements javax.servlet.Filter.

Sample Program Overview

Let's look at an example that demonstrates Spring Security using XML. This is a simple example that intercepts a user request and presents a login page. Upon successful login it shows the success page; if the login is unsuccessful, it shows an error message.

Required Libraries
  • aopalliance-1.0.jar
  • aspectjweaver-1.6.10.jar
  • commons-logging-1.1.1.jar
  • embeddedwebserver.jar
  • org.springframework.web.servlet.jar
  • servlet-api-2.5.jar
  • spring-aop-3.0.7.RELEASE.jar
  • spring-asm-3.0.7.RELEASE.jar
  • spring-beans-3.0.7.RELEASE.jar
  • spring-context-3.0.7.RELEASE.jar
  • spring-core-3.0.7.RELEASE.jar
  • spring-expression-3.0.7.RELEASE.jar
  • spring-jdbc-3.0.7.RELEASE.jar
  • spring-security-config-3.1.4.RELEASE.jar
  • spring-security-core-3.1.4.RELEASE.jar
  • spring-security-web-3.1.4.RELEASE.jar
  • spring-tx-3.0.7.RELEASE.jar
  • spring-web-3.0.7.RELEASE.jar

Code Package Structure

Interaction Flow

  1. User accesses a URL on a web application
  2. The web application refers to web.xml
  3. The web.xml matches the URL pattern
  4. The control is redirected to DispatcherServlet in Spring framework
  5. Spring framework finds that all URLs are secured and hence displays the login page to the user
  6. The user enters his login name and password
  7. Spring framework validates the login name and password against the entries in the Spring configuration XML and redirects to the originally requested URL

Source Code

Create the main_page.jsp as shown below. This page is accessed by the end user and is displayed after successful login.

Note that this is the only JSP page required for this sample. No explicit coding is required to display Spring’s in-built login page.

Create the web.xml file as shown below.

Register Spring’s DispatcherServlet, which dispatches web requests to the registered handlers (see lines 29-38 below).

Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
and is registered as Spring bean.

Note: In this example we do not have to specifically create a class that implements
. This is automatically available to us when we configure our Spring configuration file using
in springsecurity-servlet.xml file
described later

Also configure the ContextLoaderListener (see lines 25-27 below).

Finally provide the location of Spring’s configuration file in web.xml (see lines 10-13 below).

Create the Spring configuration file as shown below.

Configure Spring security using
tag (see lines 15-17 below).

Specify that all URLs should be intercepted by Spring security (see
attribute in line 16 below).

Also specify that access should be restricted only to those users who have the role
attribute on line 16).

Specify the authentication and authorization credentials for valid users (see lines 19-25 below). Note in particular the
tag using which the name, password and authorization role for a user is specified (see line 22 below).

This demonstrates the usage of specifying authentication and authorization information in Spring XML file.

Running Sample Program

This sample program has been packaged as a jar installer which will copy the source code (along with all necessary dependencies) onto your machine and automatically run the program for you, as shown in the steps below. As this sample program contains Java Server Pages (JSPs), you will need a Java Development Kit (JDK, preferably 1.5 or higher) on your machine so that the JSPs can be compiled locally. Note that no other setup is required on your machine! Also please ensure that port 8080 is not being used by any other program on your machine.

Download And Automatically Run Sample Program
  • Save the springsecurityusingxml-installer.jar on your machine
  • Execute/Run the jar using the Java Runtime Environment
  • (Alternatively you can go to the folder containing the springsecurityusingxml-installer.jar and execute the jar using
    java -jar springsecurityusingxml-installer.jar)
  • You will see a wizard as shown below. Enter the location of the Java Development Kit (JDK) and click the ‘Next’ button.
  • You will see a wizard page as shown below
  • Enter the location of the directory where you want the program to install and run (say, C:\Temp)
  • The installer will copy the program onto your machine and automatically start the inbuilt web server on your machine.
  • Go to the URL http://localhost:8080/springsecurityusingxml/jsp/main_page.jsp. A login page will be displayed as shown below
  • Enter some invalid credentials (e.g. user as ‘beta’ and password as ‘abcd’) as shown below
  • Click the Login button. The login page will be displayed with a ‘bad credentials’ message as shown below
  • Now enter valid credentials (e.g. user as ‘alpha’ and password as ‘pass1’) as shown below
  • Click the Login button. The user will be authenticated successfully and the main page will be displayed to him based on his authorizations as shown below
  • This demonstrates the successful execution of the sample program on your machine
Browsing the Program

The source code for this program is downloaded into the folder specified by you (say, C:\Temp) as an Eclipse project called
. All the required libraries have also been downloaded and placed in the same location. You can open this project from the Eclipse IDE and directly browse the source code. See below for details of the project structure.

Redeploying this sample program in a different web server

The WAR file for this example is available as springsecurityusingxml.war in the download folder specified by you earlier (e.g. C:\Temp). The path for the WAR file is <DOWNLOAD_FOLDER_PATH>/springsecurityusingxml/dist/springsecurityusingxml.war.

This WAR file can be deployed in any web server of your choice, and the example can then be executed there.
