Friday, December 17, 2010

Spring Security 3 - MVC Integration Tutorial (Part 1)

In this tutorial we will integrate Spring Security with a simple Spring 3 MVC application. We will provide a custom data source where Spring Security should retrieve user credentials for authentication. Our design strategy is to make sure that Spring Security and Spring MVC are loosely coupled. This means we should be able to run our MVC application by itself. Then if we decide to add Spring Security we just enable it via XML configuration.

Note: I suggest reading the following tutorial as well which uses the latest Spring Security 3.1
Spring Security 3.1 - Implement UserDetailsService with Spring Data JPA

What is Spring Security?
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications

Spring Security is one of the most mature and widely used Spring projects. Founded in 2003 and actively maintained by SpringSource since, today it is used to secure numerous demanding environments including government agencies, military applications and central banks. It is released under an Apache 2.0 license so you can confidently use it in your projects.


Our first task is to setup our Spring 3 MVC application. We dive directly to the main controller.


This controller declares two mappings:
Each handler will resolve to a specific JSP page. The common JSP page is accessible by everyone, while the admin page is accessible only by admins. Right now, everyone has access to these pages because we haven't enabled Spring Security yet.

Next we enable Spring MVC in the web.xml


Take note of the URL pattern. When accessing any pages in our MVC application, the host name must be appended with
For example, to access the commonpage.jsp, the complete URL should be http://localhost:8080/myapp/krams/main/common

In the web.xml we declared a servlet-name spring. By convention, we must declare a spring-servlet.xml as well.


This XML config declares a view resolver. All references to a JSP name in the controllers will map to a corresponding JSP in the /WEB-INF/jsp location.

By convention, we must declare an applicationContext.xml


This XML config declares three beans to activate the Spring 3 MVC programming model.

Our web application is almost done. The final piece is to create the JSP pages. We will create a commonpage.jsp for the common view and adminpage.jsp for the admin view.



Here's a screenshot of these JSP pages:

Our Spring 3 MVC application is now finish!

To access the common page, enter the following URL:

To access the admin page, enter the following URL:

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at

You can download the project as a Maven build. Look for the in the Download sections.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run

Here's Spring Security - MVC Integration Tutorial (Part 2)
StumpleUpon DiggIt! Blinklist Yahoo Furl Technorati Simpy Spurl Reddit Google I'm reading: Spring Security 3 - MVC Integration Tutorial (Part 1) ~ Twitter FaceBook

Subscribe by reader Subscribe by email Share


  1. Thank you for this and all others tutorials! Very helpful!

    (I've added this site to Google Reader.)

  2. Hi krams, may i know the need lib files??

  3. @Anonymous, you'll find the required files inside the pom.xml. If you use Maven, those files will be automaticall downloaded for you.

  4. Thank u krams...
    I am new to Maven, so il download all the dependency manually as mention in pom.xml..

  5. Thanks Krams, Fantastic tutorial on Spring security.

  6. Hi Krams. I'm trying to get this to deploy using the tomcat plugin and having some trouble. I've listed my problem at stack overflow (

    Any ideas why it wouldn't deploy? I'm using tomcat 6, maven 2.

    1. Please see my post about the new issues and fix for this plugin

    2. Thanks Mark. I haven't had a chance to look at the plugins since but appreciate your research. I've posted a note to the link above on stack overflow

  7. Thank u, very helpful :)

  8. Uh, where is the security enabled via xml, as you state in the intro?

  9. I have read your blog its very attractive and impressive. I like it your blog.

    Spring online training Spring online training Spring Hibernate online training Spring Hibernate online training Java online training

    spring training in chennai spring hibernate training in chennai

  10. I have read your blog its very attractive and impressive. I like it your blog.

    Best BCA Colleges in Noida

  11. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.

    core java training in Electronic City

    Hibernate Training in electronic city

    spring training in electronic city

    java j2ee training in electronic city