Friday, January 13, 2012

Spring Security 3.1 - Implement UserDetailsService with Spring Data JPA (Part 3)


In the previous section, we implemented the Java classes and organized them into layers: domain, repository, service, and controller. In this section, we will create the necessary configuration files, which are mainly XML files, and discuss them thoroughly.


There are two important configuration files required to secure our application with Spring Security:
  • spring-security.xml (arbitrary name)
  • web.xml


The spring-security.xml file contains the core Spring Security configuration.

Let's examine further the contents of this file:

the http tag

This means the path /resources should be ignored by Spring Security; therefore it will not be secured. Why do you want to do this? Mainly because these are static images, CSS, and JavaScript files that don't need to be secured.

the second http tag

This contains the core security rules of our application. In previous versions of Spring Security, you were only allowed to have one http element.
  • auto-config is a shorthand for the following (see more):

  • use-expressions enables support for SpEL (Spring Expression Language) expressions (see more)

intercept urls

Here we declare the URL patterns to be protected. Notice the use of the SpEL expressions hasRole and permitAll (see more)

form login

This declares our login settings:
  • login-page: the URL path of our login page
  • authentication-failure-url: the URL where a user will be redirected after a failed login
  • default-target-url: the URL where a user will be redirected after a successful login

denied handler

This declares the URL where a user will be redirected after access is denied.

logout

This is similar to the login element.
  • logout-success-url: the URL where a user will be redirected after a successful logout
  • logout-url: the URL path of our logout page

authentication manager

  • authentication-manager: registers an AuthenticationManager that provides authentication services (see more)
  • authentication-provider: this is a shorthand for configuring a DaoAuthenticationProvider which loads user information from a UserDetailsService (see more)
  • user-service-ref: this allows us to declare a custom UserDetailsService
  • password-encoder: this allows us to declare various password encoders such as md5 and sha (see more)


Besides the usual servlet declaration, web.xml is where you declare the Spring Security filter and the names of the configuration files to read from.

To enable Spring Security, follow these guidelines:
  • Add a DelegatingFilterProxy
  • Add a springSecurityFilterChain mapping
  • Add a contextConfigLocation. You must declare your applicationContext.xml and spring-security.xml here.

Here's our complete web.xml file:


Since we're using JPA and Spring Data JPA to simplify data access, we must also declare the corresponding configuration files. Please read the inline comments for more info.

This contains all datasource-related configuration.


In the next section, we will turn our attention towards the view layer which mainly consists of JSP files. Click here to proceed.


  1. Hi I have a question.
    Where is the applicationContext.xml file contents?

  2. You can find it in the source code.

  3. I am new to Spring security. Please explain
    what is "customUserDetailsService" in above code? how is it pointing to CustomUserDetailsService class?

  4. Hi Anon,
    krams has written
    in his applicationContext.xml
    That will load this ("customUserDetailsService") service automatically.
    For more info you can read about autowiring in Spring or simply search for the tag component-scan.

  5. /* Excuse me for my english */
    First, I thank Mr. Krams for this very interesting tutorial, and I wonder if
    someone can help me by posting an updated pom.xml for this project; in fact, there are some problems in the "goldin" dependency.
    Thank you

    Evgeny Goldin Repository

  7. Hi, thank you for the tutorial, it was very helpful for me. Actually I am trying to implement the same concept on a PostgreSQL 9.1 database but I'm facing some difficulties to do that. I made the necessary changes related to the database class driver, POM file, persistence file and springd-data file. The web application launches correctly but when I try to log in I receive the following error:
    [ERROR] [tomcat-http--9 02:23:28] ( ERREUR: la colonne n'existe pas
    Position: 8; I think it is related to the mapping between Hibernate and my JDBC postgresql driver,
    how can I fix this, please?

  8. PLEASE stop spreading bad practices. DO NOT USE MD5 to hash passwords.


  9. can you tell me how to load customUserDetailsService in appication-context.xml file. I am getting error for the same.

    1. Check this answer, I am sure it will help you:

  10. When I try to add Filter like this



    It prompts the following exception
    SEVERE: Exception starting filter springSecurityFilterChain
    org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'springSecurityFilterChain' is defined
    at org.springframework.web.filter.DelegatingFilterProxy.initDelegate(
    at org.springframework.web.filter.DelegatingFilterProxy.initFilterBean(
    at org.springframework.web.filter.GenericFilterBean.init(
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(
    at org.apache.catalina.core.ApplicationFilterConfig.(
    at org.apache.catalina.core.StandardContext.filterStart(
    at org.apache.catalina.core.StandardContext.startInternal(
    at org.apache.catalina.util.LifecycleBase.start(
    at org.apache.catalina.core.ContainerBase$
    at org.apache.catalina.core.ContainerBase$
    at java.util.concurrent.FutureTask$Sync.innerRun(
    at java.util.concurrent.ThreadPoolExecutor.runWorker(
    at java.util.concurrent.ThreadPoolExecutor$

    1. Where is the bean "springSecurityFilterChain" declared? I suggest you use when posting the code

    2. This comment has been removed by the author.

    3. I was struggling with the same issue. My problem was that I was building the application on top of the default Spring MVC template and used the provided web.xml file, which is not a bad thing to do, of course. In this approach, servlet-context.xml is loaded via init-param of a servlet and I just left it there.

      However, there are two things to realise:

      a) The root context (ContextLoaderListener) cannot see beans in the child context (servlet).

      b) Spring security config file has to be loaded BEFORE the application is started.

      All errors which are mentioned here can be solved by loading those files in Root context (in the exact same way as it is done by Mark in the tutorial :) Like that:

    4. Another short note: The only thing which is loaded in Mark's tutorial in the child (servlet) context is spring-servlet.xml, where there is only the view resolver declaration.

  11. Hi
    If I want two separate login pages, one for users, and one for admins, what should I do?
    How should I change spring-security.xml?

  12. I'm getting this error while deploying:

    Context initialization failed: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'customUserDetailsService': Injection of autowired ependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}

    Please help. Thanks
