
Spring Security XML


Spring Security provides authentication and authorization for Spring applications. It also lets you customize the security configuration, which can be done in two ways:

  • XML-based configuration
  • Java configuration.

Implementation: Here we will create a Spring MVC web application and add an XML-based configuration.

Prerequisites: Introduction to Spring

Steps to Create an XML-Based Configuration in Spring MVC

Step 1: Create a Maven webapp project; we are using Eclipse IDE for this project. While creating the Maven project, select maven-archetype-webapp as the archetype. Enter the group id and the artifact id for your project and click ‘Finish.’

Step 2: After creating the project your project structure would look something like this:

The pom.xml file defines all the dependencies required for the project. Make sure to add all the dependencies mentioned in this file for your project to work properly.

File: pom.xml  


<?xml version="1.0" encoding="UTF-8"?>
  <name>SpringSecurityXmlConfig Maven Webapp</name>
  <!-- FIXME change it to the project's website -->
    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->

The web.xml file maps URLs to the servlets that handle requests for them. Spring's DelegatingFilterProxy provides the link between web.xml and the application context.

File: web.xml


<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE xml>  
    <web-app xmlns=""  

The gfg-servlet.xml file handles all HTTP requests for the web application. The annotation-driven element enables Spring's annotated classes. The component scan locates and allocates beans according to their annotations. The bean configuration helps in identifying and locating the JSP files in the project.

File: gfg-servlet.xml


<?xml version="1.0" encoding="UTF-8"?>  
   <mvc:annotation-driven />  
   <context:component-scan base-package="com.gfg.controller">  
   <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">  
      <property name="prefix" value="/WEB-INF/views/"></property>  
      <property name="suffix" value=".jsp"></property>  

This file is where the Spring Security configuration is defined. The http element intercepts the HTTP requests matching the patterns listed in it, and the user-service element, inside the authentication-provider of the authentication-manager, creates a user for the application with a username, a password, and a role for that user.


<?xml version="1.0" encoding="UTF-8"?> 
    <http auto-config="true"
            <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" /> 
                   <user name="admin" password="{noop}pass" authorities="ROLE_ADMIN" /> 
   <beans:bean id ="passwordEncoder" 
      class = "" 
      factory-method = "getInstance">

The WelcomeController class in the com.gfg.controller package defines the URL mappings. In this project we have defined two GET methods for two URLs. The welcome method returns the home view page and the admin method returns the admin view page.



// Java Program to Illustrate WelcomeController Class
package com.gfg.controller;

// Importing required classes
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Annotation: marks the class as a Spring MVC controller
// so that the component scan picks it up
@Controller
// Class
public class WelcomeController {

    // Method 1: maps GET / to the "welcome" view (welcome.jsp)
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String welcome()
    {
        return "welcome";
    }

    // Method 2: maps GET /admin to the "admin" view (admin.jsp)
    @RequestMapping(value = "/admin",
                    method = RequestMethod.GET)
    public String admin()
    {
        return "admin";
    }
}

This is the admin.jsp page in the views folder.


    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">  
    Welcome Admin
    <form action="<%=request.getContextPath()%>/appLogout" method="POST">
       <input type="submit" value="Logout"/>
       <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    </form>

This is the welcome.jsp page in the views folder.


    <meta content="text/html; charset=UTF-8">  
    <title>Home Page</title>  
    <h2>Welcome to Spring Security using XML Configuration!</h2>  

Step 3: After creating all the configuration files and classes your project would look something like this:

Step 4: Now that we have completed our project, it’s time to run it on a Tomcat server. Start the Tomcat server and open http://localhost:8080/SpringSecurityXmlConfig/login in a browser.


Last Updated : 24 Mar, 2022