Spring 4 MVC and Spring Security 100% java annotation based configuration

This post would be the continuation of my previous hello-world series for Spring 4. So far we have made a Spring 4 MVC webapp ready without using XML. In this tutorial we shall enable the spring security for the same webapp. I hope it will be easier for you to follow me.

My Earier posts  on the same series

This post will not talk about how to setup spring MVC. Please check my earlier post Spring 4 MVC – 100% annotation based configuration. I assume, the mvc webapp is ready with you before you work on this.


Specify your webapp security behaviour here. The below config ensures, there is no restriction to access /home requests. Other unauthenticated requests will be forwarded to /login page

package org.grassfield.conf;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
                .antMatchers("/", "/home").permitAll()

    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

Changes to HomeController

Added two more request mappings /login and /protect

package org.grassfield.conf;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

public class HomeController {

    public ModelAndView handleRequest(HttpServletRequest arg0,
            HttpServletResponse arg1) throws Exception {
        return new ModelAndView("home");

    public ModelAndView handleLoginRequest(HttpServletRequest arg0,
            HttpServletResponse arg1) throws Exception {
        return new ModelAndView("login");

    public ModelAndView handleProtectedRequest(HttpServletRequest arg0,
            HttpServletResponse arg1) throws Exception {
        return new ModelAndView("protect");

Pls note, we added /protect url!


Register your security with the web application.

package org.grassfield.conf;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityWebApplicationInitializer extends
AbstractSecurityWebApplicationInitializer {

public SecurityWebApplicationInitializer() {



Home page has the links for the protected pages. Click and see the behaviour!

Hope it helped you!

spring-tool-suite-project-logo java8-logo image00110 Apache-Tomcat-logo

2 thoughts on “Spring 4 MVC and Spring Security 100% java annotation based configuration

  1. Pingback: Spring 4 MVC and JDBC authenticated Spring Security – 100% java annotation based configuration | JavaShine

  2. Pingback: Spring 4 MVC + Spring 3 Security + Hibernate 4 – integration with java annotations | JavaShine

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s