spring security database authentication example

In previous post, we have already seen  how to use custom login page in Spring security. We have declared username and password in spring-security.xml but what if you want to read it from database. In most of the cases, we will read credentials from database.
In this post, we will do authentication using database. We will use MySQL and hibernate for database authentication.
If you want to secure your spring web application , you just need to configure some files to make it happen using spring security. We will apply login security on hello world example, so when only authorised users will be able to access admin page.
Before going ahead, lets first configure database table in mysql which we will use for authentications.

Database setup:

Here are steps to apply spring security custom login form on spring mvc hello world example.
Step 1: 
Create Spring mvc hello world example named SpringSecurityDatabaseAuthenticationExample. It will create basic spring mvc application.
Step 2: 
Add spring security, hibernate and mysql connector to pom.xml. You need to add following dependencies to the pom.

pom.xml 

Create Controller  and view

Step 3
Change controller class named “HelloWorldController.java” as below

As  request first goes to dispatcherServlet and it redirects to controller class. Here @Controller depicts that this is our controller class. @RequestMapper is used to map incoming http request to handler method(hello() in above controller).So hello() method of HelloWorldController.java will handle GET request from dispatcher.
Here We have used Principal object to get current logged in username. It is set by Spring security framework.

Step 4: 
Modify hello.jsp in /WEB-INF/pages folder

Step 5:
Create login.jsp in /WEB-INF/pages folder

We have used css file in above login.jsp. Create style.css file as below.

Step 6:
Create admin.jsp in /WEB-INF/pages folder.

Step 7:Create 403.jsp in /WEB-INF/pages folder.

Step 8:  
Now we need to add spring configuration xml. Create a file named spring-security.xml.

We have used form-login in above file, so if user tries to access any secured url, he will be authenticated based on above form-login configuration.
Lets understand meaning of each attribute of form-login tag
login-page : we need to provide url for login page.
default-target-url : here if authentication is successful, then target page url should be provided.
authentication-failure-url : if authentication is unsuccessful, then redirection page url should be provided here.
access-denied-handler : If user don’t have access to the page, /403 url will be called.
intercept-url configure for which pattern what kind of security is configured. For example: If http request url has pattern /hello*(hello.jsp,helloworld.html), it will be accessed to ROLE_ADMIN and ROLE_USER but if http request url has pattern /admin*,it will be accessed to ROLE_ADMIN only

We have provided queries for users-by-username-query and authorities-by-username-query to set up credentials for roles.
Step 9: 
springmvc-dispatcher-servlet.xml

Step 10: We need to change in web.xml to configure spring security.

Here we have used DelegatingFilterProxy which intercepts http request and pass it to springSecurityFilterChain. springSecurityFilterChain is a bean created by spring with http element used in spring-security.xml. It maintains list of all filters and is responsible for chain of filters.
We are done with changes required for spring security.
Step 11:
It’s time for maven build.
 
Provide goals as clean install (given below) and click on run

Run the application

Step 12:Right click on project -> run as -> run on server
Select apache tomcat and click on finish

   You will see below screen:

Spring Security database authentication

When you click on admin page link, you will get following login page. Now put User as arpit and password also as arpit.

Spring Security login

We have put correct username and password , so we will see below screen.

Spring security admin login

If you use user john to access admin page, you will get below screens.

Spring security john login

As john don’t have access to admin page, so you will get below screen.

Download source code:

click to begin
20KB .zip

Please comment if you have any issues with above post.

Was this post helpful?

Comments

  1. What you have posted is simply superb ,but i m looking for the example which involves the postgre sql database can you please post that .(at least how to change it from mysql to postgres).

    _Thank u in advance

  2. Hi Arpit . Thank you for the post its very helpful.

    I request you share some examples on HTTP session in spring boot.please

    Thank you in advance

  3. Hi Arpit,
    The content in the blog is very good to read and understand. Is there any possibility to view the content offline or any application associated to read it offline.

    Regards
    Santosh

Leave a Reply

Your email address will not be published. Required fields are marked *