How to Configure Spring Security: Simple Setup Guide
To configure Spring Security, create a Java class annotated with @Configuration and @EnableWebSecurity, then define a SecurityFilterChain bean to specify security rules. Use HttpSecurity to specify URL access, authentication, and login settings.
Syntax
Spring Security configuration uses Java classes with annotations and methods to define security rules.
- @Configuration: Marks the class as a configuration provider.
- @EnableWebSecurity: Enables Spring Security features.
- SecurityFilterChain bean: Defines the security filter chain and rules.
- HttpSecurity: Used inside the bean to configure URL access, login, logout, and more.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults());
        return http.build();
    }
}
```
Example
This example shows a simple Spring Security setup that allows public access to URLs under /public/** and requires login for all other URLs. It uses form-based login.
```java
package com.example.securitydemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import static org.springframework.security.config.Customizer.withDefaults;

@SpringBootApplication
public class SecurityDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(SecurityDemoApplication.class, args);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults());
        return http.build();
    }
}
```
Output
When running the application, accessing URLs like /public/info will be allowed without login, but accessing /user/profile will redirect to a login page.
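A MockMvc test that verifies the behaviour described above, added here as an example and not part of the original guide. It assumes the application exposes controllers for /public/info and /user/profile and has the spring-security-test dependency on the test classpath (needed for @WithMockUser); the last test also checks that an unmapped URL falls under anyRequest().authenticated() rather than being left open.

```java
package com.example.securitydemo;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigTest {

    @Autowired
    private MockMvc mockMvc;

    // Assumption: a controller serves /public/info (permitAll rule applies).
    @Test
    void publicUrlIsReachableWithoutLogin() throws Exception {
        mockMvc.perform(get("/public/info"))
               .andExpect(status().isOk());
    }

    // Anonymous access to a protected URL must end in a redirect to the login page.
    @Test
    void protectedUrlRedirectsAnonymousUserToLogin() throws Exception {
        mockMvc.perform(get("/user/profile"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/login"));
    }

    // Assumption: a controller serves /user/profile; a logged-in user may reach it.
    @Test
    @WithMockUser
    void protectedUrlIsReachableWhenAuthenticated() throws Exception {
        mockMvc.perform(get("/user/profile"))
               .andExpect(status().isOk());
    }

    // Deny-by-default check: a URL matched by no controller and no permitAll rule
    // is still caught by anyRequest().authenticated(), so it never reaches a 404.
    @Test
    void unmappedUrlIsNotLeftUnprotected() throws Exception {
        mockMvc.perform(get("/not-a-real-endpoint"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/login"));
    }
}
```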
Common Pitfalls
- Forgetting to add @EnableWebSecurity causes security configuration to be ignored.
- Using the deprecated WebSecurityConfigurerAdapter instead of a SecurityFilterChain bean in Spring Security 6+.
- Not specifying permitAll() for public URLs blocks access unexpectedly.
- Misconfiguring URL patterns can lock users out or leave endpoints unprotected.
```java
/* Wrong: Using deprecated WebSecurityConfigurerAdapter (legacy) */
//@Configuration
//@EnableWebSecurity
//public class SecurityConfig extends WebSecurityConfigurerAdapter {
//    @Override
//    protected void configure(HttpSecurity http) throws Exception {
//        http.authorizeRequests()
//            .antMatchers("/public/**").permitAll()
//            .anyRequest().authenticated()
//            .and()
//            .formLogin();
//    }
//}

/* Right: Use SecurityFilterChain bean instead */
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults());
        return http.build();
    }
}
```
Quick Reference
Key methods and annotations for Spring Security configuration:
| Feature | Description |
|---|---|
| @Configuration | Marks a class as a source of bean definitions. |
| @EnableWebSecurity | Enables Spring Security's web security support. |
| SecurityFilterChain bean | Defines the security filter chain and rules. |
| HttpSecurity.authorizeHttpRequests() | Configures URL authorization rules. |
| permitAll() | Allows unrestricted access to specified URLs. |
| authenticated() | Requires authentication for access. |
| formLogin() | Enables form-based login page. |
Key Takeaways
Use a @Configuration class with @EnableWebSecurity to set up Spring Security.
Define a SecurityFilterChain bean to configure HTTP security rules with HttpSecurity.
Permit public URLs explicitly using permitAll() to avoid accidental blocking.
Avoid deprecated WebSecurityConfigurerAdapter; prefer SecurityFilterChain bean in Spring Security 6+.
Test URL access to ensure correct protection and login behavior.