Spring boot security authentication examples

Spring boot security authentication examples with source code are explained here. For authentication default login page, http basic popup or custom login page can be easily configured in spring security using spring boot. User details can be served from database, in-memory or even from properties file. In this article, we will discuss and built each of this example. It clearly means that we are going to multiple examples for implementing spring security authentication.

Spring boot security authentication is enabled by using the @EnableWebSecurity annotation. The abstract class WebSecurityConfigurerAdapter is extended and the configure method is overridden, which enforces the security to the application’s endpoints. In configure method, spring boot security authentication type is specified to avoid unauthenticated access. A filter is implemented and hooked in httpsecurity to inject the user service to provide user details to authenticate and authorize.

Spring Security is a security framework that enables a developer to add security restrictions to Web based applications or as well as Rest based applications using SAML or OAuth2 or custom tokens. The main responsibility of Spring security is to authenticate and authorize the incoming requests, to access any resource which can be a rest api endpoint, mvc url, static resource etc. Spring security is a very powerful framework and provides a high level of customization.

The spring-boot-starter-security dependency is the spring boot start project which includes all default configurations required for spring security. It helps a developer a lot with removing the boilerplate code and providing all default configuration values. A developer can customize the spring security easily and can focus better on the main logic in application, without worrying about configuring each and every part of spring security.

I generally prefer to work with Gradle projects. It’s not much different whether you are using a maven project or a gradle project. I find gradle based projects more neat and clean in terms of readability. If you want to add Gradle dependency then add following one:

The abstract class WebSecurityConfigurerAdapter provides an easy to use base class, when an instance of WebSecurityConfigurer is to be created. The implementation class of WebSecurityConfigurerAdapter customizes the default behavior via overriding the methods. In the implementation class, mostly HttpSecurity and AuthenticationManagerBuilder are configured to secure the application and provide the authentication provider.

The @EnableWebSecurity annotation is a marker annotation in spring boot security. This annotation enables Spring to find the configuration under @Configuration or @Component, which automatically gets applied to the global WebSecurity. The @EnableWebSecurity annotation is generally used with the class which extends WebSecurityConfigurerAdapter class and overrides its individual methods.

Spring boot basic http authentication is very easy to implement. You can enable http basic authentication popup, default login page or implement custom login page. Authentication mechanism can be injected in spring security which can authenticate from properties file, in-memory credentials or database tables. 

For each of these we will discuss multiple Spring MVC examples. Before starting with an example, there are few common steps which will be applicable in all examples:

1. As prerequisites, You should have Java, Gradle and one IDE installed and set up on your machine.2. Open Spring boot initializer and choose Gradle project with Java 11 and spring boot latest version (avoid using snapshots, use stable version). Provide all the required details and download the zip file.3. Open the zip file and import the project as a Gradle project into IDE. I generally prefer to use the IntelliJ idea.4. Open build.gradle file and add following required dependencies.

5. Build the project, so newly added dependencies will be downloaded.6. Run the application, if your application starts fine then this step is complete.

Spring boot basic http authentication popup is a traditional & easy way to authenticate. If you have a single login user only, then you can use properties files to save the user credentials directly. You don’t need to implement a database or in-memory authentication provider.

Following are the steps to implement http security in spring boot application:

1. Create a class (let’s call this class WebSecurityConfig, but you can name anything) which extends WebSecurityConfigurerAdapter abstract class2. At WebSecurityConfig’s class level, add two annotations @Configuration and @EnableWebSecurity3. In WebSecurityConfig, override configure method to setup HttpSecurity for application.4. Configure HttpSecurity security to authenticate all requests and apply HttpBasic authentication using httpBasic() method.5. You class will look like something this:

6. Create a sample controller and a default method to test the application. For example, I have created a controller which returns a welcome method.

7. Now time to provide the credentials to the spring security layer, so it can compare and authenticate the user credentials. In application.properties add the credentials like this

8. Setup is complete. Now start the application and open it in browser, the default address will be http://localhost:8080 or http://127.0.0.1:80809. On opening application in browser, you will see a popup window like shown below:

10. Enter the credentials, as entered in application.properties file which are username = technicalsand and password = technicalsand11. If you enter correct credentials then you will be able to see the welcome message. If entered username or password is wrong then popup will ask you again to enter the credentials.

Spring security default login page is an inbuilt login page which is provided by spring boot security started project. This page automatically maps the username and password and provides easy authentication. All the error messages and logout options are handled by this page itself.

The inmemory authentication is the mechanism to keep the user credentials in JVM memory itself, but saving over a file or into a database. If you are trying to test something in spring boot or building some kind of proof of concept then usually in-memory authentication is used. 

Following are the steps to implement Spring boot security default login page using in memory authentication:

4. Since we are going to use the in-memory authentication. It’s recommended to use a password encoder for saving passwords in memory or database. Spring security has inbuilt support for BCryptPasswordEncoder. So we can create a bean of it and use it directly.

5. In WebSecurityConfig, configure AuthenticationManagerBuilder to set up in-memory credentials.

6. Now run the application and open the browser, navigate to http://localhost:8080 or http://127.0.0.1:8080 You will see a login page like this:

7. Enter the wrong credentials first and see it will show an error for bad credentials.8. Enter the correct credentials which are (technicalsand, technicalsand) and you will see the welcome message on screen.

Spring security custom login page is a page which is entirely created by the developer and customized as per his own needs. It is very common that you need to have a custom login page to show your own branding, customized options to login or some other information to display on the login page. 

In this example, we will implement a custom login page using Thymeleaf. Thymeleaf is a Java based server-side modern template engine, used for both standalone and web applications.

Following are the steps to implement Spring boot security with a custom login page with in-memory authentication and Thymeleaf.

1. First of all, add are required dependencies in build,gradle file for Spring security and thymeleaf.

2. Password encoder and in-memory authentication steps will remain the same as in the previous example. So skipping these steps.3. Create a home page under resources/templates directory.

4. Create a login page under resources/templates directory.

5. Create a controller to provide mappings for home page and login page. At homepage, we will show the name of the logged in user.

6. Now time to configure HttpSecurity in WebSecurityConfig class. After the formLogin() method add a loginPage method and provide the mapping uri for login page. Since everyone can see the login page to enter credentials, so on loginPage add permitAll() method.

7. In the above configuration, we have handled logout to be redirected to the login page with logout messages. The last line of above code represents this configuration.

8. Run the application and open via http://127.0.0.1:8080 or http://localhost:80809. You should be able to see the login page like this.

10. Enter the correct credentials (technicalsand, technicalsand) and you should see the welcome screen.11. On the welcome screen, you can click the logout link. On logout, you will be redirected to the login page back.

Spring boot security with database authentication is the most preferred way in standard applications. Database can be any, but the implementation approach in spring boot security remains the same. 

In our example, we will implement a custom login with MySql database authentication. We will also go through the steps if you want to do authentication with other databases like postgres, Oracle etc. 

Following are the steps for Spring boot authentication example with database:

1. Custom login is implemented in the previous example. All the steps will remain the same, so you can refer those again. We can skip those steps and discuss other things which needs to be done specifically for database authentication.2. For database authentication, you need to add 2 new dependencies in build.gradle file. Spring boot starter data jpa dependency is required to configure for datasource requirements. Since we are going to use MySql , we need to provide MySql java connector dependency, which is basically MySql driver classes.

3. Open application.propeties file and database credentials. In my example, i am using a database with the name “demo” and the user name/password is root/root. Please change as per your requirements.

4. Automatically let hibernate create your database tables. You just need to create a blank database (demo database in example) and following hibernate configuration in application.properties will automatically add/update tables on application startup.

5. Every logged in user, should have a role. We will create a role table where all the roles will be added, which can be assigned to the user. Create a Role class as following:

6. We need a user domain class, which will map to a table in the database. So create User class as following:

7. In user class, we have added Many to Many mapping between user and role. So, this mapping will create a third table user_role which will hold all user ids with their role ids.

8. Now let’s create a RoleRepository which will extend the JpaRepository and provide all standard methods by default.

9. Create a user repository, with a method to find a user with a given username. I have added an additional field for disabled. As we want to login a user, who is an active user only.

10. Now we need to create a class which implements Spring’s UserDetailsService class and override the method loadUserByUsername() to provide custom implementation of finding the user.