How to Secure a Spring Boot Web App with Spring Security – Step‑by‑Step Guide

This tutorial walks through adding Spring Security to a Spring Boot web application, covering Maven dependencies, unsecured home page creation, MVC view‑controller setup, detailed security configuration, login and hello pages with Thymeleaf, the main application class, and testing the protected endpoints.

Programmer DD

1. Add Spring Security Dependencies

Add spring-boot-starter-security to the Maven pom.xml. The starter transitively pulls in spring-security-web and spring-security-config, so no other Spring Security artifacts need to be declared; spring-boot-starter-web supplies Spring MVC and spring-boot-starter-thymeleaf the template engine used below. Note that as soon as the security starter is on the classpath, Spring Boot's auto-configuration protects every endpoint with a single generated-password user until you supply your own configuration (step 4).

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
</dependencies>

2. Create an Unrestricted Home Page

Place home.html under src/main/resources/templates. The page contains a simple heading and a link to /hello, which the security configuration in step 4 will protect. The sec namespace declared on the html element comes from thymeleaf-extras-springsecurity; it is not used on this page and can be dropped.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
  <head>
    <title>Spring Security Example</title>
  </head>
  <body>
    <h1>Welcome!</h1>
    <p>Click <a th:href="@{/hello}">here</a> to see a greeting.</p>
  </body>
</html>

3. Configure Spring MVC View Controllers

Register view names for the URLs used in the demo. The configuration class extends WebMvcConfigurerAdapter (the Spring 4 API; on Spring 5 you implement WebMvcConfigurer directly) and maps /, /home, /hello, and /login to their corresponding Thymeleaf templates, so no controller classes are needed.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // Each entry renders the named template without a handler method.
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
    }
}

4. Configure Spring Security

The security configuration enables web security, permits anonymous access to / and /home, requires authentication for every other request, and points form login at the custom /login page. The loginPage("/login").permitAll() call matters: without it an anonymous request to /hello would be redirected to /login, which would itself require authentication and redirect again. logout().permitAll() exposes the default logout endpoint, POST /logout. A single in-memory user, admin/admin with role USER, is registered through the AuthenticationManagerBuilder.

Two caveats a practitioner should note. First, the password is stored in plaintext. Spring Security 4, the version whose WebSecurityConfigurerAdapter API this tutorial targets, tolerates that; Spring Security 5 and later reject it at login time with "There is no PasswordEncoder mapped for the id "null"" unless a PasswordEncoder is configured, and in any case a plaintext credential in source is acceptable only for a throwaway demo. Second, CSRF protection is left at its default (enabled), which is why the login and logout forms below are POSTs rendered with th:action so that Thymeleaf adds the hidden _csrf token.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/home").permitAll()   // public pages
            .anyRequest().authenticated()            // everything else needs a login
            .and()
            .formLogin().loginPage("/login").permitAll()  // custom login page, itself public
            .and()
            .logout().permitAll();                   // POST /logout, CSRF token required
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Demo-only in-memory user with a plaintext password (Spring Security 4 semantics).
        auth.inMemoryAuthentication()
            .withUser("admin").password("admin").roles("USER");
    }
}
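The same policy written against the current API, as an added example rather than the tutorial's own code: Spring Security 6 (shipped with Spring Boot 3) removed WebSecurityConfigurerAdapter in favour of a SecurityFilterChain bean, and a PasswordEncoder bean is mandatory, so the demo user is stored as a bcrypt hash instead of plaintext. It assumes Spring Boot 3.x on the classpath; the class and bean names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Added example (Spring Security 6 style); not the tutorial's original class.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/home").permitAll()   // public pages
                .anyRequest().authenticated())                // everything else needs a login
            .formLogin(form -> form
                .loginPage("/login")                          // custom login page
                .permitAll())
            .logout(logout -> logout.permitAll());            // POST /logout
        // CSRF protection is deliberately left at its default (enabled): the login and
        // logout forms must be POSTs carrying the _csrf token that th:action injects.
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // DelegatingPasswordEncoder: encodes new passwords with bcrypt and verifies any
        // stored hash by its {id} prefix. Without this bean Spring Security 5+ fails at
        // login time with "There is no PasswordEncoder mapped for the id "null"".
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Demo user. The stored value is {bcrypt}$2a$10$..., never the plaintext "admin".
        // For a quick local experiment "{noop}admin" also works, but never ship that.
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("admin"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(admin);
    }
}
```

The authorization rules are unchanged from the tutorial's version; only the wiring differs. requestMatchers replaces antMatchers, and the user is supplied as a UserDetailsService bean instead of through configureGlobal.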

5. Create the Login Page

The Thymeleaf template login.html displays an error or logout message driven by the ?error and ?logout query parameters that Spring Security appends on a failed login or a completed logout, and provides a form that posts the username and password to /login. No controller handles that POST: Spring Security's UsernamePasswordAuthenticationFilter intercepts it, and the field names username and password and the URL /login are its defaults. Because th:action is used, Thymeleaf renders the hidden _csrf input the filter chain requires; a plain action="/login" form would be rejected with 403 before the credentials were checked.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
  <head>
    <title>Spring Security Example</title>
  </head>
  <body>
    <div th:if="${param.error}">Invalid username and password.</div>
    <div th:if="${param.logout}">You have been logged out.</div>
    <form th:action="@{/login}" method="post">
      <div><label>User Name : <input type="text" name="username"/></label></div>
      <div><label>Password : <input type="password" name="password"/></label></div>
      <div><input type="submit" value="Sign In"/></div>
    </form>
  </body>
</html>

6. Create the Protected Hello Page

The hello.html template greets the authenticated user through ${#httpServletRequest.remoteUser}, which reads HttpServletRequest.getRemoteUser(); Spring Security's request wrapper fills that in with the authenticated principal's name. It also provides a sign-out button that posts to /logout. The form must be a POST: with CSRF protection enabled a plain GET link to /logout is not accepted, and th:action again supplies the token.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
  <head>
    <title>Hello World!</title>
  </head>
  <body>
    <h1 th:inline="text">Hello [[${#httpServletRequest.remoteUser}]]!</h1>
    <form th:action="@{/logout}" method="post">
      <input type="submit" value="Sign Out"/>
    </form>
  </body>
</html>

7. Application Entry Point

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        // Component scanning picks up MvcConfig and WebSecurityConfig from this package.
        SpringApplication.run(Application.class, args);
    }
}

8. Test the Setup

Run the application and open http://localhost:8080/. The home page loads without authentication. Clicking the link to /hello redirects to the login page. After entering admin / admin, the user is taken to the hello page, which displays the username and a sign‑out button. Signing out returns the user to the login page.

Screenshots (not reproduced here): home page; login redirect; authenticated hello page; after sign out.
Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"