In the tutorial below we will look at a basic integration of a Java web application with Spring Security 3. In this particular scenario we’ll be integrating Spring Security with existing web application that uses Struts & Spring. However, similar steps can be applied to any other web framework you may be using. We will also look at one of the core concepts Spring Security – AccessDecisionManager.

Basic integration

We will start with an application that has no security implemented. I’ve used this setup as my base. It already uses maven, so the first thing we do is to add a new repository:

			<name>Spring Security</name>

and bunch of new JARs:


Spring Security is implemented as a filter – it can be plugged into the application without any changes. A request will be intercepted by DelegatingFilterProxy and authentication will take place, as defined in Spring security XML file. We will add filter to the top of web.xml and trigger it for all URLs (url pattern set to /*).


For the very basic integration, Spring Security will require only little configuration that we’ll put into security.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns=""
	xmlns:xsi="" xmlns:beans=""
	<http auto-config="true">
		<intercept-url pattern="/*" access="ROLE_USER" />
	<authentication-manager alias="authenticationManager">
				<user authorities="ROLE_USER" name="guest" password="test" />

We are defining here that access to any resource (intercept-url pattern=”/*”) should be allowed only for users that have authority called ROLE_USER. Normally user credentials will need to be stored in a central place – typically a database or LDAP server. Above we are hard-coding an authentication-provider with one user (guest/test) that has authority ROLE_USER.

Finally, we need to tell Spring about security.xml. Since our application already uses Spring, we have defined in web.xml contextConfigLocation parameter already – it points to our beans definition (applicationContext.xml). We will add security.xml in the same place:


When we build the application now, any URL should automatically generate following login page:


Access decision manager

Spring Security deals (or helps you deal with) two security concepts: first authentication and then authorization. Authentication filters are run first – they will make sure that a user is who he says he is. This is usually done by checking user credentials, e.g., username and password). Let’s skip authentication step for now and talk about authorization. Authorization takes care of deciding if authenticated user (meaning that authentication must precede authorization) should be allowed to access a resource.

Spring Security supports authorization with the help of AccessDecisionManager interface. AccessDecisionManagers in turn will use one or more AccessDecisionVoters. Each voter will make the decision about granting or denying the access for given user to given resource. Access decision manager will aggregate the votes and issue final decision. Voters can return: ACCESS_GRANTED,ACCESS_DENIED but also ACCESS_ABSTAIN if a voter can’t or doesn’t want to make a decision. Managers must make the final decision – user is either granted access or not. The “not granting the access” part is done by throwing an exception – usually AccessDeniedException. In the default configuration that we’ve created, Spring uses implementation of AccessDecisionManager called AffirmativeBased. It will grant the access if any voter returns ACCESS_GRANTED. The default voters are

  • RoleVoter – checks GrantedAuthority (remember user tag with authorities=”ROLE_USER”) against ConfigAttribute (that comes from intercept-url pattern=”/*” access=”ROLE_USER”)
  • AuthenticatedVoter – can check if user IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_ANONYMOUSLY. This is not used in our setup

We can see authorization in working when we enable higher logging level – simply add to log4j properties:, console

When we try to access protected page as anonymous user, among other messages we can see following entries, with AccessDeniedException thrown at the end. RoleVoter returns ACCESS_DENIED and AuthenticatedVoter returns ACCESS_ABSTAIN.

 DEBUG | 2011-07-10 12:40:30,473 | | decide | 53 | Voter:, returned: -1
 DEBUG | 2011-07-10 12:40:30,474 | | decide | 53 | Voter:, returned: 0
 DEBUG | 2011-07-10 12:40:30,478 | | handleException | 153 | Access is denied (user is anonymous); redirecting to authentication entry point Access is denied

Compare it with the log after we provide correct credentials. This time RoleVoter returns ACCESS_GRANTED and as soon as it happens, AffirmativeBased access decision manager stops querying voters and allows for access:

  DEBUG | 2011-07-10 12:43:33,468 | | decide | 53 | Voter:, returned: 1
 DEBUG | 2011-07-10 12:43:33,469 | | beforeInvocation | 213 | Authorization successful

There are other implementations of AccessDecisionManagers and AccessDecisionVoters but I think we will leave them for another time. Stay tuned!

Here is a full source code for the example above. Run it with:

mvn jetty:run