Spring Security: Authentication and Authorization Using XML

Concept Overview

Spring provides a configurable framework for implementing authentication and authorization for an application. The security framework provides ways to login and logout from an application. It also provides authentication at view level and method level. What’s more, it can also provide you with a login page! Here are some things that it provides

  • Provide capabilities for login and logout
  • control access to a link based on the role of the user.
  • Provide the ability to hide certain portion of a page if a user does not have appropriate privileges.
  • Link to a database or LDAP for authentication

In this tutorial we will look at declarative security implementation using XML.

The first step is to add the spring security jars to the classpath. The minimal jars are the Core and Configuration modles. The second step is to make the spring security namespace available in the XML. This can be achieved by using http://www.springframewor.org/schema/security/spring-secirty-3.0.xsd. Spring achieves the security by using a ServletFilter. This Filter intercepts all requests and implements the security related tasks. The only filter that needs to be implemented is the DelegatingFilterProxy. This filter delegates the request to instances of java.servlet.Filter.

Sample Program Overview

Lets look at an example that demonstrates spring security using XML. This is a simple example that intercepts a user request and presents a login page. Upon successful login it shows the success page and if unsuccessful, it shows an error message.

Code Package Structure

Interaction Flow

  1. User accesses a URL on a web application
  2. The web application refers to web.xml
  3. The web.xml matches the URL pattern
  4. The control is redirected to DispatcherServlet in Spring framework
  5. Spring framework finds that the all URLs are secured and hence displays login page to the user
  6. The user enters his login name and password
  7. Spring framework validates the login name and password by using the entries in Spring configuration XML and redirects to the accessed original URL

Source Code

Create the main_page.jsp as shown below. This page is accessed by the end user and is displayed after successful login.

Note that this is the only JSP page required for this sample. No explicit coding is required to display Spring’s in-built login page.


            You have successfully logged in.


Create the web.xml file as shown below.

Register Spring’s DispatcherServlet used to register handlers for processing the web request (see lines 29-38 below).
Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
and is registered as Spring bean.

Note: In this example we do not have to specifically create a class that implements javax.servlet.Filter. This is automatically available to us when we configure our Spring configuration file using security:http in springsecurity-servlet.xml file described later.
Also configure that ContextLoaderListener (see lines 25-27 below).
Finally provide the location of Spring’s configuration file in web.xml (see lines 10-13 below).

Create the Spring configuration file as shown below. Configure Spring security using security:http tag (see lines 15-17 below).
Specify that all URLs should be intercepted by Spring security (seepatternattribute in line 16 below).
Also specify that access should be restricted only to those users who have the roleROLE_ADMIN(see access attribute on line 16). Specify the authentication and authorization credentials for valid users (see lines 19-25 below). Note in particular the <security:user> tag using which the name, password and authorization role for a user is specified (see line 22 below). This demonstrates the usage of specifying authentication and authorization information in Spring XML file.

Running the application
Once you start the application.
  • Go to the URL http://localhost:8080/springsecurityusingxml/jsp/main_page.jsp. A login page will be displayed as shown below

  • Enter some invalid credentials (e.g. user as ‘beta’ and password as ‘abcd’) as shown below

  • Click the Login button. The login page will be displayed with a ‘bad credentials’ message as shown below

  • Now enter some the credentials (e.g. user as ‘alpha’ and password as ‘pass1’) as shown below

  • Click the Login button. The user will be authenticated successfully and the main page will successfully displayed to him based on his authorizations as shown below

  • This demonstrates the successful execution of the sample program on your machine
  • 3 thoughts on “Spring Security: Authentication and Authorization Using XML”

    1. hi Mithil,

      I too have the same question – can you tell us where the source code is? I checked your github repository but did not find it there. It will be of great help if you can add the code for these articles on github.



    Leave a Comment