Securing Jakarta EE with Spring Security

Last modified: August 5, 2017

1. Overview


In this quick tutorial, we’ll be looking at how to secure a Jakarta EE web application with Spring Security.


2. Maven Dependencies


Let’s start with the required Spring Security dependencies for this tutorial:



The latest Spring Security version at the time of writing was 4.2.3.RELEASE; as always, check Maven Central for newer versions. The 4.x line is no longer maintained, so a new project should start from a currently supported release and expect the password-handling differences noted in the next section.

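The dependency block itself is missing from the page, so the following pom.xml fragment is an added example rather than the article's own listing. It assumes the three artifacts the rest of the tutorial relies on: spring-security-web for the servlet filter chain, spring-security-config for the Java and XML configuration support, and spring-security-taglibs for the <security:authorize> JSP tag used in section 4.3.

```xml
<!-- pom.xml fragment (added example, not from the original article) -->
<properties>
    <spring-security.version>4.2.3.RELEASE</spring-security.version>
</properties>

<dependencies>
    <!-- servlet filter chain: FilterChainProxy, DelegatingFilterProxy support -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring-security.version}</version>
    </dependency>
    <!-- @EnableWebSecurity / WebSecurityConfigurerAdapter and the XML security namespace -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring-security.version}</version>
    </dependency>
    <!-- <security:authorize> tag for role-based rendering in JSP pages -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring-security.version}</version>
    </dependency>
</dependencies>
```

Pinning the version in a single property keeps the three artifacts in lockstep; mixing Spring Security module versions is a common cause of NoSuchMethodError at startup.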

3. Security Configuration


Next, we need to set up the security configuration for the existing Jakarta EE application:


@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication() // prototyping only; credentials are placeholder values
          .withUser("user").password("userPass").roles("USER").and()
          .withUser("admin").password("adminPass").roles("ADMIN");
    }
}

In the configure(AuthenticationManagerBuilder) method we set up the AuthenticationManager. For simplicity we use in-memory authentication with hard-coded user details.

This is meant for rapid prototyping when a full persistence mechanism is not needed; hard-coded credentials must never reach a deployed build. Note also that Spring Security 4.2 accepts plain-text passwords here, whereas 5.x defaults to a DelegatingPasswordEncoder and rejects passwords that carry no {id} prefix, so the same snippet fails authentication on a newer version unless a PasswordEncoder is configured.


Next, let’s integrate security into the existing system by adding the SecurityWebApplicationInitializer class:


public class SecurityWebApplicationInitializer
  extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebApplicationInitializer() {
        // creates the root application context from SpringSecurityConfig
        super(SpringSecurityConfig.class);
    }
}

This class registers the springSecurityFilterChain filter with the servlet container at startup and creates the root application context from SpringSecurityConfig. At this stage we have a basic Spring Security setup: with the adapter's defaults, every request requires authentication, a generated form login and HTTP Basic are available, and CSRF protection is enabled.


4. Configuring Security Rules


We can further customize Spring Security by overriding WebSecurityConfigurerAdapter‘s configure(HttpSecurity http) method:


@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/auth/login").anonymous().anyRequest().authenticated()
      .and().formLogin().loginPage("/auth/login").defaultSuccessUrl("/home", true);
}

Using the antMatchers() method, we allow anonymous access to /auth/login and require authentication for any other request. Matchers are evaluated in declaration order and the first match wins, so specific rules must precede anyRequest(). Note that anonymous() admits only unauthenticated users; an already logged-in user who opens /auth/login is denied, whereas permitAll() would admit both.


4.1. Custom Login Page


A custom login page is configured with the loginPage() option of formLogin(): loginPage("/auth/login") redirects unauthenticated users to that URL and also makes POST /auth/login the URL at which the submitted credentials are processed.



If this is not specified, Spring Security generates a default login page at /login. The generated page also carries a hidden _csrf field, because CSRF protection is on by default; a custom login form must include the same token or every login attempt will be rejected with a 403:


<form name='f' action="/auth/login" method='POST'>
  <table>
    <tr><td>User:</td><td><input type='text' name='username' value=''></td></tr>
    <tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
    <tr><td colspan='2'><input name="submit" type="submit" value="Login"/></td></tr>
  </table>
</form>

4.2. Custom Landing Page


Upon successful login, Spring Security redirects the user to the root of the application. We can override this by specifying a default success URL:


  .defaultSuccessUrl("/home", true)

By setting the alwaysUse parameter of defaultSuccessUrl() to true, the user is always redirected to the specified page after login.

If alwaysUse is not set or is false, the user is redirected to the page they originally requested before being prompted for authentication (the saved request); /home is used only when there is no saved request. Redirecting to a saved request is convenient, but the target is then derived from the incoming URL, which is why Spring Security only saves requests to the application itself.

Similarly, we can specify a custom failure landing page with failureUrl(), for example failureUrl("/auth/login?error=true") to return to the login form with an error flag:



4.3. Authorization


We can restrict access to a resource by role by adding a matcher such as antMatchers("/home/admin").hasRole("ADMIN") ahead of anyRequest(). Since Spring Security 4, hasRole("ADMIN") automatically checks for the ROLE_ADMIN authority that roles("ADMIN") assigns, so the prefix must not be repeated.

A user without that role receives a 403 Access Denied response when requesting /home/admin.
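The fragments in sections 4 to 4.3 all belong to one configure(HttpSecurity) method. The class below assembles them into a complete configuration as an added example; it is not the article's own listing. The user names, passwords, the /auth/logout path and the /home/admin/** pattern are assumed values chosen to match the URLs the text mentions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Prototyping only: credentials are hard-coded placeholders (assumed values).
        // Spring Security 4.2 accepts plain text here; 5.x needs a PasswordEncoder.
        auth.inMemoryAuthentication()
          .withUser("user").password("userPass").roles("USER")
          .and()
          .withUser("admin").password("adminPass").roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          // Rules are evaluated in declaration order: specific matchers first, catch-all last.
          .authorizeRequests()
            .antMatchers("/auth/login").anonymous()          // section 4: only unauthenticated users
            .antMatchers("/home/admin/**").hasRole("ADMIN")   // section 4.3: roles("ADMIN") == ROLE_ADMIN
            .anyRequest().authenticated()                     // everything else requires a login
          .and()
          // Section 4.1: custom login page; the same URL processes the POSTed credentials.
          .formLogin()
            .loginPage("/auth/login")
            .defaultSuccessUrl("/home", true)                // section 4.2: always land on /home
            .failureUrl("/auth/login?error=true")            // custom failure landing page
          .and()
          .logout()
            .logoutUrl("/auth/logout")                       // assumed path; POST-only while CSRF is on
            .logoutSuccessUrl("/auth/login?logout=true")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");
        // CSRF protection is left at its default (enabled). The custom login and logout
        // forms therefore have to submit the token, e.g. in JSP:
        // <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    }
}
```

The order of the matchers is the security-relevant detail: if anyRequest().authenticated() were declared first, the builder rejects the configuration, but a looser catch-all such as anyRequest().permitAll() placed first would silently shadow the admin rule.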


We can also restrict data on a JSP page based on a user’s role. This is done using the <security:authorize> tag:


<security:authorize access="hasRole('ADMIN')">
    This text is only visible to an admin
    <a href="<c:url value="/home/admin" />">Admin Page</a>
</security:authorize>

To use this tag, we have to include the Spring Security taglib at the top of the page (the JSTL core taglib is also needed for the <c:url> tag used above). Hiding a link this way is a usability measure only; the endpoint itself is protected by the hasRole() rule on /home/admin, not by the tag:


<%@ taglib prefix="security" 
  uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

5. Spring Security XML Configuration


So far we have looked at configuring Spring Security in Java. Let’s take a look at an equivalent XML configuration.


First, we need to create a security.xml file in the web/WEB-INF/spring folder that holds our XML configuration. An example of such a security.xml file is available at the end of the article.


Let’s start by configuring the authentication manager and authentication provider. For the sake of simplicity we use simple hard-coded user credentials:


<authentication-manager>
  <authentication-provider>
    <user-service>
      <!-- placeholder password; plain text is accepted only without a password-encoder -->
      <user name="user" password="userPass" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

What we just did is create a user with a username, a password and a role. Unlike the Java configuration, the XML namespace does not add the ROLE_ prefix for us, so the authorities attribute must spell out ROLE_USER in full.


Alternatively, we can configure our authentication provider with a password encoder, so that the stored value is a hash rather than the password itself. hash="sha" is shown here because it is what the original configuration used, but it is an unsalted SHA-1 digest and is deprecated; hash="bcrypt" is supported by the same element and should be preferred:


<authentication-manager>
  <authentication-provider>
    <password-encoder hash="sha"/>
    <user-service>
      <!-- placeholder: the attribute must hold the SHA-1 hex digest, not the password -->
      <user name="user" password="SHA1_HEX_OF_PASSWORD" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>

We can also specify a custom implementation of Spring’s UserDetailsService or a Datasource as our authentication provider. More details can be found here.


Now that we have configured the authentication manager, let’s setup the security rules and apply access control:


<http auto-config='true' use-expressions="true">
    <form-login default-target-url="/secure.jsp" />
    <intercept-url pattern="/" access="isAnonymous()" />
    <intercept-url pattern="/index.jsp" access="isAnonymous()" />
    <intercept-url pattern="/secure.jsp" access="hasRole('ROLE_USER')" />
</http>

In the above snippet, we have configured the http element to use form login and set /secure.jsp as the login success URL. We granted anonymous access to /index.jsp and the "/" path, and required that access to /secure.jsp be authenticated with at least the ROLE_USER authority. Two caveats apply. First, intercept-url rules are matched in order and, unlike the Java configuration, the XML namespace has no implicit catch-all: any URL not listed here is left unprotected, so a final <intercept-url pattern="/**" access="isAuthenticated()" /> should close the list. Second, isAnonymous() denies authenticated users, so a logged-in user requesting "/" receives 403; permitAll is the expression to use when a page should be open to everyone.


Setting the auto-config attribute of the http element to true instructs Spring Security to register its default form-login, http-basic and logout behaviour without our having to declare each element. Therefore /login and /logout are used for user login and logout respectively, and a default login page is generated as well.


We can further customize the form-login element with custom login and logout pages and with URLs that handle authentication failure and success. The Security Namespace appendix of the reference documentation lists all the attributes of form-login and the other elements; some IDEs also open an element's schema definition when you Ctrl-click it.
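The article refers to a complete security.xml at its end, but that file is not on the page. The following one is an added example that combines the fragments above with the two fixes discussed: a bcrypt password encoder instead of unsalted SHA-1, and an explicit catch-all rule so that unlisted URLs are not left open. The placeholder hash and the failure and logout URLs are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web/WEB-INF/spring/security.xml (added example, not the article's own file) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <authentication-manager>
        <authentication-provider>
            <!-- bcrypt is salted and slow by design; hash="sha" is unsalted SHA-1 -->
            <password-encoder hash="bcrypt"/>
            <user-service>
                <!-- placeholder: store the bcrypt hash of the real password, never the password -->
                <user name="user" password="BCRYPT_HASH_OF_PASSWORD" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <!-- auto-config="true" supplies the default form-login, http-basic and logout;
         CSRF protection is enabled by default in the 4.x namespace -->
    <http auto-config="true" use-expressions="true">
        <form-login default-target-url="/secure.jsp"
                    always-use-default-target="true"
                    authentication-failure-url="/index.jsp?error=true"/>
        <logout logout-success-url="/index.jsp"/>

        <!-- first matching rule wins, so order from most specific to least -->
        <!-- permitAll (not isAnonymous()) so that logged-in users can still reach the front page -->
        <intercept-url pattern="/" access="permitAll"/>
        <intercept-url pattern="/index.jsp" access="permitAll"/>
        <intercept-url pattern="/secure.jsp" access="hasRole('ROLE_USER')"/>
        <!-- catch-all: without it, any URL not listed above is served without authentication -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
    </http>

</beans:beans>
```

The catch-all is the line most often forgotten when a team migrates from Java configuration, where anyRequest().authenticated() provides the same guarantee explicitly.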


Finally, for the security.xml configuration to be loaded during application startup, we need to add the following definitions to our web.xml: a contextConfigLocation parameter pointing at the file, a ContextLoaderListener to build the root context from it, and a DelegatingFilterProxy named springSecurityFilterChain mapped to /* so that every request passes through the filter chain the http element creates.



Note that using both the XML and the Java-based configuration in the same application may cause errors: each registers its own springSecurityFilterChain bean and filter, and the resulting duplicate or conflicting definitions fail at startup. Pick one style per application.


6. Conclusion


In this article, we have seen how to secure a Jakarta EE application with Spring Security and demonstrated both Java-based and XML-based configurations.


We also discussed ways to grant or revoke access to specific resources based on a user’s role.


The complete source code and XML definitions are available over on GitHub.