How to start programming

Spring Security Tutorial for Beginners Step by Step 2026

Prerequisites for Spring Security

To get started with Spring Security, you should have a solid understanding of **Java** fundamentals, including **object-oriented programming** concepts and **Java syntax**. Additionally, familiarity with the **Spring Framework** is essential, as Spring Security is built on top of it. You should also have a basic understanding of security concepts, such as **authentication** and **authorization**.

A good grasp of **Java** basics, including **classes**, **interfaces**, and **annotations**, is crucial for working with Spring Security. You should also be familiar with the **Spring Framework’s** core components, such as **beans** and **dependency injection**. For further reading on the **Spring Framework**, visit our Spring Framework tutorial.

Here’s an example of a simple **Java** class that demonstrates basic **authentication** using a **username** and **password**:

public class Authenticator {
 // Define a method to authenticate a user
 public boolean authenticate(String username, String password) {
 // For demonstration purposes, we'll use a hardcoded username and password
 // In a real-world application, you'd want to use a secure method to store and compare credentials
 String expectedUsername = "admin";
 String expectedPassword = "password";
 // Check if the provided credentials match the expected ones
 return username.equals(expectedUsername) && password.equals(expectedPassword);
 }
 public static void main(String[] args) {
 Authenticator authenticator = new Authenticator();
 // Test the authenticate method
 System.out.println(authenticator.authenticate("admin", "password")); // Should print: true
 System.out.println(authenticator.authenticate("wrong", "password")); // Should print: false
 }
}

The expected output of this program is:

true
false

This example illustrates a basic **authentication** mechanism, but in a real-world application, you’d want to use a more secure approach, such as **password hashing** and **salting**, which is covered in our password storage best practices article.

Deep Dive into Spring Security Concepts

Understanding **authentication** and **authorization** is crucial when working with Spring Security. **Authentication** refers to the process of verifying the identity of a user, while **authorization** determines the access level of an authenticated user. The UsernamePasswordAuthenticationToken class is a common implementation of the Authentication interface, which represents an authentication request. To learn more about implementing authentication, visit our guide on Configuring Spring Security Authentication.

Table of Contents

  1. Prerequisites for Spring Security
  2. Deep Dive into Spring Security Concepts
  3. Step-by-Step Guide to Implementing Spring Security
  4. Full Example of a Spring Security Application
  5. Common Mistakes in Spring Security and How to Avoid Them
  6. Mistake 1: Incorrect Authentication Configuration
  7. Mistake 2: Missing Authorization Configuration
  8. Production-Ready Tips for Spring Security Applications
  9. Testing Spring Security Applications
  10. Key Takeaways from the Spring Security Tutorial
  11. Advanced Spring Security Topics
  12. Troubleshooting Common Spring Security Issues

The core Spring Security components include the SecurityContext, SecurityContextHolder, and AuthenticationManager. The SecurityContextHolder class provides access to the current SecurityContext, which holds the authenticated user’s details. The AuthenticationManager interface is responsible for authenticating users, and its default implementation is the ProviderManager class.

Spring Security also provides various authorization mechanisms, including role-based access control and attribute-based access control. The @PreAuthorize and @PostAuthorize annotations can be used to restrict access to methods based on user roles or permissions. For example, the @PreAuthorize annotation can be used to check if a user has a specific role before allowing them to access a method.

The filter chain is another important concept in Spring Security, as it allows multiple filters to be applied to a single request. The FilterChainProxy class is responsible for managing the filter chain, and it delegates the request to each filter in the chain. By understanding how the filter chain works, developers can customize the security configuration to meet their specific needs, such as integrating with other security frameworks or implementing custom authentication mechanisms.

Step-by-Step Guide to Implementing Spring Security

To implement **Spring Security**, you need to configure it to handle authentication and authorization. This involves setting up a **security configuration** class that extends the WebSecurityConfigurerAdapter class. The configure method in this class is used to define the **authentication** and **authorization** rules.

The first step is to add the **Spring Security** dependency to your project. You can do this by adding the following dependency to your pom.xml file if you are using Maven. For more information on setting up a Spring project, visit our Spring Boot tutorial.

To configure **Spring Security**, you need to create a configuration class. Here is an example of a basic configuration class:

package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 // We are allowing all requests to the /login endpoint
 http.csrf().disable()
 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
 .and()
 .authorizeRequests()
 // All requests to the /login endpoint are allowed
 .antMatchers("/login").permitAll()
 // All other requests require authentication
 .anyRequest().authenticated();
 }
}

This configuration class disables **CSRF** protection and sets the session creation policy to **STATELESS**. It also defines the **authentication** rules, allowing all requests to the /login endpoint and requiring authentication for all other requests.

To test this configuration, you can create a simple **REST** endpoint. For more information on creating **REST** endpoints, visit our RESTful Web Services tutorial.
You can use a tool like **Postman** to send a request to the /login endpoint. The expected output will be:

HTTP/1.1 200 OK

This indicates that the request was successful and the **authentication** rules were applied correctly.

You can also use **annotations** to secure your endpoints. For example, you can use the @Secured annotation to specify the roles that are allowed to access a particular endpoint. For more information on using **annotations** with **Spring Security**, visit our Spring Security annotations page.

Full Example of a Spring Security Application

To build a complete **Spring Security** application, we need to configure **user registration**, **login**, and **role-based access control**. We will use the **SpringBoot** framework to simplify the process. First, we need to create a **User** entity to represent our users.

The **User** entity will have properties such as **username**, **password**, and **role**. We will use **Spring Data JPA** to interact with our database. For more information on **Spring Data JPA**, visit our [Spring Data JPA tutorial](/spring-data-jpa-tutorial).

package com.example.springsecurity;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
public class User {
 @Id
 @GeneratedValue(strategy = GenerationType.IDENTITY)
 private Long id;
 private String username;
 private String password;
 private String role;

 // getters and setters
 public Long getId() {
 return id;
 }

 public void setId(Long id) {
 this.id = id;
 }

 public String getUsername() {
 return username;
 }

 public void setUsername(String username) {
 this.username = username;
 }

 public String getPassword() {
 return password;
 }

 public void setPassword(String password) {
 this.password = password;
 }

 public String getRole() {
 return role;
 }

 public void setRole(String role) {
 this.role = role;
 }
}

We will also create a **UserRepository** interface to define our data access methods. We will use **Spring Security** to handle user authentication and authorization. For more information on **Spring Security**, visit our [Spring Security tutorial](/spring-security-tutorial).

To test our application, we can use the following **main** method:

package com.example.springsecurity;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringSecurityApplication {
 public static void main(String[] args) {
 // Create a new user
 User user = new User();
 user.setUsername("john");
 user.setPassword("password");
 user.setRole("ADMIN");

 // Save the user to the database
 // ...

 // Authenticate the user
 // ...

 SpringApplication.run(SpringSecurityApplication.class, args);
 }
}

The expected output will be:

User authenticated successfully

Note that this is a simplified example and you should consider using a more secure way to store and compare passwords, such as using **BCryptPasswordEncoder**. For more information on **BCryptPasswordEncoder**, visit our [password encoding tutorial](/password-encoding-tutorial).

Common Mistakes in Spring Security and How to Avoid Them

When implementing **Spring Security**, developers often encounter common errors that can be difficult to identify and fix. One of the most common mistakes is misconfigured **authentication**. To avoid this, it is essential to understand the basics of **Spring Security** configuration, which can be found in our Spring Security Configuration article.

Mistake 1: Incorrect Authentication Configuration

A common mistake is to incorrectly configure the **authentication** mechanism. For example, the following code is incorrect:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 // WRONG: using the wrong authentication mechanism
 auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
 }
}

This will result in an error message: `java.lang.IllegalArgumentException: password cannot be null`.

Mistake 2: Missing Authorization Configuration

Another common mistake is to forget to configure **authorization**. The correct code should look like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 // using BCryptPasswordEncoder to hash the password
 auth.inMemoryAuthentication().withUser("user").password(new BCryptPasswordEncoder().encode("password")).roles("USER");
 }

 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.authorizeRequests().antMatchers("/admin/**").hasRole("ADMIN")
 .antMatchers("/user/**").hasRole("USER")
 .and().formLogin();
 }
}

The expected output will be a successful login with the correct **authentication** and **authorization** configuration.

Login successful

For more information on **Spring Security** configuration, please refer to our Spring Security Architecture article. Additionally, you can learn more about **BCryptPasswordEncoder** in our Password Encoding article.

Production-Ready Tips for Spring Security Applications

When deploying a Spring Security application to production, it’s essential to consider security and performance. One key aspect is to ensure that sensitive data, such as database credentials, are not hardcoded in the application. Instead, use a PropertySource to load configuration from a secure location.
For more information on configuring Spring Boot applications, see our guide on Configuring Spring Boot Applications.

Production tip: Use a secure protocol, such as HTTPS, to encrypt communication between the client and server. This can be achieved by configuring an SSLContext in the application.

To further enhance security, implement a Web Application Firewall (WAF) to protect against common web attacks, such as SQL injection and cross-site scripting (XSS). This can be done using a library like spring-security-web.

Production tip: Regularly update dependencies, including Spring Security, to ensure you have the latest security patches and features. You can use tools like dependency-check to identify vulnerable dependencies.

Monitoring and logging are also crucial for maintaining a Spring Security application in production. Use a logging framework like Logback to configure logging levels and output. For more information on monitoring and logging, see our guide on Monitoring and Logging Spring Boot Applications.

Production tip: Implement a rate limiter to prevent brute-force attacks on authentication endpoints. This can be achieved using a library like spring-security-web and configuring a RateLimiter bean.

Testing Spring Security Applications

When developing **Spring Security** applications, it is crucial to write comprehensive tests to ensure the security configurations and components are working as expected. This involves writing both unit tests and integration tests. Unit tests focus on individual components, such as the UserDetailsService, while integration tests verify the interactions between multiple components.

To write unit tests for **Spring Security** components, you can use a testing framework like JUnit. For example, you can test the UserDetailsService to ensure it returns the correct user details.
Understanding the Spring Security architecture is essential before writing tests.

package com.example.security;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import static org.junit.Assert.assertNotNull;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(classes = SecurityConfig.class)
public class UserDetailsServiceTest {

 @Autowired
 private UserDetailsService userDetailsService;

 @Test
 public void testLoadUserByUsername() {
 // Load a user by username and verify the result is not null
 // This test ensures the UserDetailsService is working correctly
 String username = "testuser";
 Object user = userDetailsService.loadUserByUsername(username);
 assertNotNull(user);
 }
}

For integration tests, you can use the TestRestTemplate to simulate HTTP requests and verify the responses. This is particularly useful for testing **Spring Security** configurations, such as authentication and authorization. 

Expected output:
User details loaded successfully

To write integration tests, you can use the SpringBootTest annotation and the TestRestTemplate to send HTTP requests to your application.
For further reading on Spring Security authentication, you can visit our previous article. 

package com.example.security;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.ResponseEntity;
import org.springframework.test.context.junit4.SpringRunner;

import static org.junit.Assert.assertNotNull;

@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
public class IntegrationTest {

 @Autowired
 private TestRestTemplate testRestTemplate;

 @Test
 public void testAuthenticatedRequest() {
 // Send an authenticated request and verify the response
 // This test ensures the authentication configuration is working correctly
 String url = "/authenticated-endpoint";
 ResponseEntity response = testRestTemplate.getForEntity(url, String.class);
 assertNotNull(response);
 }
}

Key Takeaways from the Spring Security Tutorial

The Spring Security framework provides a comprehensive set of tools for securing enterprise-level applications. By following this tutorial, developers have learned how to implement **authentication** and **authorization** using the SecurityContextHolder and SecurityContext classes. The UserDetailsService interface plays a crucial role in loading user data, which is then used to authenticate users. Understanding how to configure and use these components is essential for building secure applications.

Implementing **role-based access control** is a critical aspect of Spring Security, and developers have learned how to use the @RolesAllowed annotation to restrict access to certain methods and resources. Additionally, the MethodSecurityExpressionHandler class provides a way to define custom security expressions for more fine-grained access control. By mastering these concepts, developers can ensure that their applications are protected against unauthorized access.

For further reading on Spring Security architecture, developers can explore how the framework integrates with other Spring projects, such as Spring MVC and Spring Boot. Understanding the **security filter chain** and how it processes incoming requests is also vital for building secure applications. The FilterChainProxy class is responsible for managing the filter chain, and developers have learned how to configure and customize it to meet their specific needs.

Best practices, such as using **HTTPS** and **password hashing**, have also been covered in this tutorial. Developers have learned how to use the BCryptPasswordEncoder class to hash and verify passwords securely. By following these best practices and mastering the concepts and components of Spring Security, developers can build robust and secure applications that protect user data and prevent common web attacks.

Advanced Spring Security Topics

Once you have a solid grasp of the basics, you can explore advanced features of Spring Security, such as OAuth and JWT (JSON Web Tokens). OAuth is an authorization framework that allows users to grant third-party applications limited access to their resources on another service provider’s website, without sharing their login credentials. The AuthorizationServerConfigurer class is used to configure the OAuth authorization server. For more information on setting up OAuth, refer to our Spring Security OAuth 2 tutorial.

JWT is a compact, URL-safe means of representing claims to be transferred between two parties. The JwtTokenStore class is used to store and retrieve JWT tokens. To use JWT with Spring Security, you need to configure the TokenStore and the JwtAccessTokenConverter. This allows for stateless authentication, where the user’s details are verified using the JWT token.

Custom security implementations can also be achieved using Spring Security. You can create a custom UserDetailsService to load users from a database or other data source. Additionally, you can use the AbstractSecurityInterceptor class to create custom security interceptors. These interceptors can be used to perform custom authentication and authorization checks. By using these features, you can create a robust and scalable security system for your application.

When implementing custom security features, it’s essential to consider the security risks and take steps to mitigate them. This includes using secure protocols for communication, such as HTTPS, and protecting against common web attacks, such as SQL injection and cross-site scripting (XSS). For further reading on securing your application, see our guide on Spring Security best practices.

Troubleshooting Common Spring Security Issues

When developing a **Spring Security** application, debugging techniques are essential to identify and resolve common issues. One of the most effective ways to debug **Spring Security** applications is to enable **debug logging**. This can be achieved by setting the logging level to DEBUG for the org.springframework.security package. By doing so, you can gain insight into the security decision-making process and identify potential issues.

Enabling **debug logging** can help you troubleshoot issues related to **authentication** and **authorization**. For example, if you are experiencing issues with **form-based authentication**, you can use the UsernamePasswordAuthenticationFilter to debug the authentication process. Additionally, you can use the SecurityContextHolder to access the current **authentication** object and verify its contents.

To further troubleshoot common **Spring Security** issues, you can refer to our article on Spring Security Architecture to understand the underlying components and their interactions. This knowledge can help you identify potential bottlenecks and debug issues more effectively. By understanding the **security filter chain** and the role of each filter, you can better diagnose and resolve issues related to **CSRF protection** and **session management**.

When debugging **Spring Security** applications, it is also essential to understand the different types of **exceptions** that can occur. For example, a BadCredentialsException can be thrown when the user provides invalid credentials, while a LockedException can be thrown when the user account is locked due to excessive failed login attempts. By catching and handling these exceptions, you can provide a better user experience and improve the overall security of your application.

Read Next

Pillar Guide: Spring Security Tutorials Hub — explore the full learning path.

Source Code on GitHub
spring-security-examples — Clone, Star & Contribute

You Might Also Like

Spring Security JWT Authentication and Authorization Tutorial
Mastering Spring Security Testing with MockMvc and WithMockUser
Spring Security Multi Tenancy Authentication Tutorial 2026

Leave a Reply

Your email address will not be published. Required fields are marked *