Tuesday, December 28, 2010

Spring Security 3 - MVC: Using Native Expression-Based Annotation Tutorial

In this tutorial we will build a simple Spring MVC 3 application and provide security using Spring Security 3. We will use Spring Security's native, expression-based annotation to secure parts of our application. Our users will be authenticated based on Spring's built-in in-memory user-service. This tutorial is exactly similar with Spring Security 3 - MVC: Using @Secured Annotation Tutorial. The main difference is the type of annotations they use.

What is Spring Security?
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications

Spring Security is one of the most mature and widely used Spring projects. Founded in 2003 and actively maintained by SpringSource since, today it is used to secure numerous demanding environments including government agencies, military applications and central banks. It is released under an Apache 2.0 license so you can confidently use it in your projects.

Source: Spring Security
What is Spring Security's native, expression-based annotation?
From 3.0 you can also make use of new expression-based annotations.

Source: Spring Security 3.1 Reference 2.4 Method Security

Spring Security 3.0 introduced the ability to use Spring EL expressions as an authorization mechanism in addition to the simple use of configuration attributes and access-decision voters which have seen before. Expression-based access control is built on the same architecture but allows complicated boolean logic to be encapsulated in a single expression

Source: Spring Security 3.1 Reference 15. Expression-Based Access Control

There are four annotations which support expression attributes to allow pre and post-invocation authorization checks and also to support filtering of submitted collection arguments or return values. They are @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter. Their use is enabled through the global-method-security namespace element

Source: Spring Security 3.1 Reference 15.3. Method Security Expressions
These annotations allow you to put restrictions in your methods. For example, you can authorize a get() method to be accessible by all registered users. But for the edit() method, you can mark it be accessible by admins only. What's the difference between these annotations and the @Secured? These expression-based annotations allow you to setup complicated logic that's not possible with @Secured alone.

For example, we can mark a method to be accessible only if a certain condition exist:

This expression means allow this method to be accessible only when the person's id is equal to the number 3. It doesn't matter if you're admin or regular user. As long as the id is equal to 3, you're good to go. We'll explore this feature more in our upcoming tutorials.

Let's go back to the main purpose of this tutorial that is to create a Spring MVC application with Spring Security integrated using the native, expression-based annotations. For this matter, we'll focus on the @PreAuthorize because of its similarity with the @Secured.

We'll build first the Spring MVC part of our application, then add Spring Security. Our application has an admin and common pages. It also has a view to show all persons. Only admins can edit a person's record.

Let's declare our primary controller first.


This controller declares two mappings:
/main/common - any registered user can access this page
/main/admin - only admins can access this page
Each mapping will resolve to a specific JSP page. The common JSP page is accessible by everyone, while the admin page is accessible only by admins. Right now, everyone has access to these pages because we haven't enabled Spring Security yet.

Notice we've annotated each method with @PreAuthorize annotation. For the getAdminPage(), we put
and for the getCommonPage(), we put
. Once we activated Spring Security these annotations will take effect.

Here are the JSP pages:



We've finished setting-up the primary controller and the associated JSP views. Now, we add the required XML configurations to enable Spring MVC and Spring Security at the same time.

We start by adding the web.xml:


Notice the url-patterns for the DelegatingFilterProxy and DispatcherServlet. Spring Security is placed at the root-path
Whereas, Spring MVC is placed at a sub-path

We also referenced two important XML configuration files:

spring-security.xml contains configuration related to Spring Security.


The elements are self-documenting. If you're using an IDE, like Eclipse or STS, try pointing your mouse to any of these elements and you will see a short description of the element.

Notice that the bulk of the security configuration is inside the http element. Here's what we observe:

1. We enabled @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter annotations by adding the global-method-security tag:

2. We declared the denied page URL in the
3. We declared the login URL
4. We declared the login failure URL
5. We declared the URL where the user will be redirected if he logs out
6. We declared the logout URL
7. We declared a default authentication-manager that references an in-memory user-service

8. We declared an in-memory user-service:

This basically declares two users with corresponding passwords and authorities. This user-service is a good way to prototype and test a Spring Security application quickly.

9. We also declared an Md5 password encoder:

When a user enters his password, it's plain string. The password we have in our database (in this case, an in-memory lists) is Md5 encoded. In order for Spring to match the passwords, it's need to encode the plain string to Md5. Once it has been encoded, then it can compare passwords.

Compare this configuration with the one declared in Spring Security 3 - MVC: Using a Simple User-Service Tutorial. Our current configuration is missing the following declaration:

We don't need to declare those intercept-urls anymore because we've already annotated the methods that corresponds to those URLs. You can actually mix them if you need to.

Now we need to create a special controller that handles the login and logout requests.


This controller declares two mappings:
/auth/login - shows the login page
/auth/denied - shows the denied access page
Each mapping will resolve to a specific JSP page.

Here are the JSP pages:



That's it. We got a working Spring MVC 3 application that's secured by Spring Security. We've managed to build a simple and quick Spring Security configuration.

To access the common page, enter the following URL:
To access the admin page, enter the following URL:
To login, enter the following URL:
To logout, enter the following URL:
But there's more! Notice we annotated the methods from our controller. What will happen if we annotate the methods of our services instead?

To explore this inquiry, we will provide a hypothetical business scenario. Our client needs to view a list of persons. All registered users can view this list, but only admins can edit it.

We start by declaring a controller.


In this controller we have three mappings:
/main - retrieve all persons
/main/edit/{id} - (GET) retrieve and edit a person by his id 
/main/edit/{id} - (POST) save a person based on his id
Notice we have two /main/edit/{id}. How does our controller know which one to call? The controller's @RequestMapping doesn't just rely on the mapping value but it also uses the method type. In our case, it's either POST or GET. The GET method is used when we retrieve a page; whereas, the POST method is used when we're submitting a form. For more info, please check the following blog from SpringSource Annotated Web MVC Controllers in Spring 2.5.

Also, we're using a special identifier in the mappings. We have declared a {id} in the path, and referenced that as @PathVariable in the method parameter. This is a URI template, one of the RESTful features of Spring 3 MVC.

What is a URI template?
A URI template is a URI-like string, containing one or more variable names. When these variables are substituted for values, the template becomes a URI. For more information, see the proposed RFC.

Source: REST in Spring 3: @MVC
For a thorough description of this subject, please visit the blog from SpringSourceREST in Spring 3: @MVC

It's worth noting that we did not annotate this controller with @Secured annotation.

Let's examine the associated JSP view for each mappings.


This is referenced by the mapping /persons.

To access the persons page, type the following URL in the browser:


This is referenced by the mapping /persons/edit/{id} (GET)

To access the edit page, we need to manually type the following URL in the browser:
Just make sure to change the number to match the id that you want to edit.

Now let's define our service. Remember we referenced a PersonService in the PersonController.


Pay attention to the methods. We've annotated the methods with @PreAuthorize.

getAll() and get() has been assigned with ROLE_USER. This means all registered users can access these methods.

edit() has been assigned with ROLE_ADMIN. This means only admins can access this method.

If you need to test these methods, try logging-in as john (password is admin) and as jane (password is user). Both users can view the list of persons. Both users can access the edit page. But only john can do a successful edit, while jane will get the following message
HTTP Status 405 - Request method 'POST not supported'

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring3-security-mvc-integration-tutorial/

You can download the project as a Maven build. Look for the spring-security-annotation-native.zip in the Download sections.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run
StumpleUpon DiggIt! Del.icio.us Blinklist Yahoo Furl Technorati Simpy Spurl Reddit Google I'm reading: Spring Security 3 - MVC: Using Native Expression-Based Annotation Tutorial ~ Twitter FaceBook

Subscribe by reader Subscribe by email Share


  1. This tutorial is cool. Thank you very much.

  2. can you continue a other tutorial to checking user(jane)/administrator(john) from database?

  3. @thuandd, I can but I think I already have a tutorial that can access an external data source (though not an actual database, but it should be the same design). I'm gonna try to make one either today or tomorrow

  4. This s nice tutorial...
    Is there any https based tutorial in spring??

  5. Thanks for nice tutorial. I tried the same code above but not sure why every time i login as admin or common user, it resolves to commonpage.jsp view
    Please help

  6. sorry posted on wrong page :D this is the issue with tutorial
    Spring Security 3 - MVC Integration: Using A Custom Authentication Manager

  7. @Nikkey, nope, not yet. But it shouldn't be that difficult. Just enable the https feature for Spring Security. Check the Spring docs for the exact command

  8. Cool , I'm looking how to connect to database using my hibernate , I have found you can connect a databaseSource and put a query of your own , check it out


    please more spring and more secuitry! best site ever

  9. When It comes to secuurity and you have many controllers , it might be a problem to mange it , sometimes XML seems the best option.

  10. Great tutorial... thank you. Do you have the jar files and versions for running this tutorial. I am getting errors when I try to compile. I think my jar refs are not in sync.

  11. @Anonymous, I don't have them. It's a Maven project so the jars are automatically downloaded. If you checked the pom.xml, you can find the major jar files.

  12. Thanks .. Great tutorial
    Keep it up

  13. it's a joyfull tutorial. thanks a lot

  14. Caused by: org.springframework.beans.FatalBeanException: NamespaceHandler class [org.springframework.security.config.SecurityNamespaceHandler] for namespace [http://www.springframework.org/schema/security] not found; nested exception is java.lang.ClassNotFoundException: org.springframework.security.config.SecurityNamespaceHandler

    Am using Eclipse Juno with tomcat 7.
    Kindly let me know how to resolve this bug.

  15. I have read your blog its very attractive and impressive. I like it your blog.

    Spring online training Spring online training Spring Hibernate online training Spring Hibernate online training Java online training

    spring training in chennai spring hibernate training in chennai

  16. Thank you for your post. This is excellent information.
    It is amazing and wonderful to visit your site

  17. Finding the time and actual effort to create a superb article like this is great thing. I’ll learn many new stuff right here! Good luck for the next post buddy..

    Best Industrial Training in Noida
    Best Industrial Training in Noida

  18. Nice looking sites and great work. Pretty nice information. it has a better understanding. thanks for spending time on it.

    Best BCA Colleges in Noida

  19. Wow amazing i saw the article with execution models you had posted. It was such informative. Really its a wonderful article. Thank you for sharing and please keep update like this type of article because i want to learn more relevant to this topic.

    Best Linux training in Noida
    Linux Training Institute in Noida

  20. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.

    core java training in Electronic City

    Hibernate Training in electronic city

    spring training in electronic city

    java j2ee training in electronic city