Over a million developers have joined DZone.

Spring Security: Form-Based Authentication

DZone's Guide to

Spring Security: Form-Based Authentication

We go over the details of form-based authentication in the Java Spring Security framework, to help you ensure the security of your application.

· Security Zone
Free Resource

Discover how to protect your applications from known and unknown vulnerabilities.

In this post, we will use Spring security to handle form-based authentication. You can also read my previous posts on Basic Authentication and Digest Authentication.

Technologies/Frameworks Used

Spring Boot, Spring Security, Thymeleaf, AngularJS, Bootstrap

Adding Dependencies in pom.xml

In the example below, we will use Spring Boot, Spring Security, Undertow, and thymeleaf and will add their starters as shown.


Spring Security Configurations

We will extend the WebSecurityConfigurerAdapter class, which is a convenient base class to create WebSecurityConfigurer.

public class SecurityConfig extends WebSecurityConfigurerAdapter {
  protected void configure(HttpSecurity http) throws Exception {
            .antMatchers("/static/**", "/", "/index", "/bower_components/**").permitAll()

  public UserDetailsService userDetailsService() {
    InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    return manager;

  SpringSecurityDialect securityDialect() {
    return new SpringSecurityDialect();

@EnableWebSecurity annotation enables Spring Security. We have overridden the configure method and configured the security. In the above code, we have disabled the csrf request support (it is enabled by default). We are authorizing all the requests to /index, /,/static folder and sub-folders, bower_components folder and its subfolder that is accessible without authentication, though all others should be authenticated. We are referring /login as our login page for authentication.

In the above code snippet, we are also registering the UserDetailsService. When we enable web-security in Spring, it expects a bean of type UserDetailsService which is used to get UserDetails. For the purpose of this example, I am using InMemoryUserDetailsManager, provided by the Spring.

MVC Configuration

public class MvcConfig extends WebMvcConfigurerAdapter {
  public void addViewControllers(ViewControllerRegistry registry) {

In the above configuration, we are registering several ViewControllers and setting their names. This is all configuration that we need to do to enable Spring Security. You can find the full working project, including the HTML files, on Github.

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

security ,spring secruity ,authenciation

Published at DZone with permission of Gaurav Rai Mazra, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.


Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.


{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}