Spring Security - Configuring HttpSecurity

[Updated: Aug 25, 2017, Created: Jul 28, 2017]

This example demonstrates how to customize authorization configuration.

By default, the following configuration is set up in the WebSecurityConfigurerAdapter class. It lets any authenticated user (regardless of role) access every URL:

public abstract class WebSecurityConfigurerAdapter implements ....{
  protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
  }
}

Let's see how to customize the above settings by overriding the configure() method:

Java Config class

@Configuration
@EnableWebSecurity
@EnableWebMvc
public class AppConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
          .antMatchers("/users/**").hasRole("USER")   // USER role can access /users/**
          .antMatchers("/admin/**").hasRole("ADMIN")  // ADMIN role can access /admin/**
          .antMatchers("/quests/**").permitAll()      // anyone can access /quests/**
          .anyRequest().authenticated()               // any other request just needs authentication
          .and()
          .formLogin();                               // enable form login
  }

  @Override
  public void configure(AuthenticationManagerBuilder builder) throws Exception {
      // In-memory users matching the roles above; the passwords are placeholders (not shown on the original page)
      builder.inMemoryAuthentication()
             .withUser("tim").password("tim-password").roles("ADMIN")
             .and()
             .withUser("joe").password("joe-password").roles("USER");
  }

  @Bean
  public ViewResolver viewResolver() {
      InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
      viewResolver.setPrefix("/WEB-INF/views/"); // views folder shown in the project tree below
      viewResolver.setSuffix(".jsp");
      return viewResolver;
  }
}

The Controller

@Controller
public class MyController {

  // Mapping assumed: the original page's @RequestMapping line was not preserved; one handler
  // serving every path lets the JSP links (/admin/, /users/, /others/, /quests/) all render my-page
  @RequestMapping("/**")
  public String handleRequest2(HttpServletRequest request, Model model) {
      Authentication auth = SecurityContextHolder.getContext().getAuthentication();
      model.addAttribute("uri", request.getRequestURI())
           .addAttribute("user", auth.getName())
           .addAttribute("roles", auth.getAuthorities());
      return "my-page";
  }
}

The JSP page


<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html lang="en">
<body>
 <p>URI: ${uri} <br/>
 User :  ${user} <br/>
 roles:  ${roles} <br/></p>
 <a href="/admin/">/admin/</a><br/>
 <a href="/users/">/users/</a><br/>
 <a href="/others/">/others/</a><br/>
 <a href="/quests/">/quests/</a><br/><br/>
 <form action="/logout" method="post">
     <%-- CSRF token: Spring Security 4 enables CSRF protection by default, so the logout POST must carry it --%>
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
     <input type="submit" value="Logout">
 </form>
</body>
</html>

According to the above configuration and the links placed in the JSP page:
  • 'tim' (ADMIN role) can access '/admin/**', '/others/**' and '/quests/**'.
  • 'joe' (USER role) can access '/users/**', '/others/**' and '/quests/**'.
  • A logged-out user can only access '/quests/**'.
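The access matrix above can be checked in a test instead of by clicking through the links. The following JUnit test is an added example, not code from the original article or its example project. It uses the MockMvc support in spring-security-test (SecurityMockMvcConfigurers.springSecurity(), the user() and csrf() request post-processors) and assumes that AppConfig is a @Configuration class annotated with @EnableWebSecurity and @EnableWebMvc, that the controller handles the paths linked from the JSP, and that spring-security-test 4.2.3.RELEASE, spring-test and JUnit 4 are on the test classpath. The last two tests also cover a point the JSP only hints at: because CSRF protection is on by default, a logout POST without the token is rejected with 403.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = AppConfig.class) // assumed: the config class from the article
public class AuthorizationRulesTest {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mockMvc;

    @Before
    public void setUp() {
        // apply(springSecurity()) wires the springSecurityFilterChain bean into MockMvc,
        // so the antMatchers rules, form login and CSRF filter are all exercised
        mockMvc = MockMvcBuilders.webAppContextSetup(context)
                .apply(springSecurity())
                .build();
    }

    @Test
    public void adminRoleCanReachAdminPath() throws Exception {
        // user("tim").roles("ADMIN") injects an authenticated principal with ROLE_ADMIN
        mockMvc.perform(get("/admin/").with(user("tim").roles("ADMIN")))
               .andExpect(status().isOk());
    }

    @Test
    public void userRoleIsForbiddenFromAdminPath() throws Exception {
        // authenticated but lacking the role: access denied, not a login redirect
        mockMvc.perform(get("/admin/").with(user("joe").roles("USER")))
               .andExpect(status().isForbidden());
    }

    @Test
    public void anonymousIsRedirectedToLoginForProtectedPath() throws Exception {
        // formLogin() sends unauthenticated requests to the login page
        mockMvc.perform(get("/users/"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/login"));
    }

    @Test
    public void anonymousCanReachPermitAllPath() throws Exception {
        mockMvc.perform(get("/quests/"))
               .andExpect(status().isOk());
    }

    @Test
    public void logoutWithoutCsrfTokenIsRejected() throws Exception {
        // the CsrfFilter blocks the POST before the LogoutFilter sees it
        mockMvc.perform(post("/logout").with(user("joe").roles("USER")))
               .andExpect(status().isForbidden());
    }

    @Test
    public void logoutWithCsrfTokenSucceeds() throws Exception {
        // csrf() adds a valid token, as the hidden input in the JSP does
        mockMvc.perform(post("/logout").with(user("joe").roles("USER")).with(csrf()))
               .andExpect(status().is3xxRedirection());
    }
}
```

The 200 responses only mean the request reached the controller and was forwarded to the view; MockMvc does not render JSPs, so the page body is not checked here. If a rule is later reordered (for example, anyRequest().authenticated() placed before the antMatchers lines), the forbidden and redirect expectations fail, which is the point of keeping these tests next to the configuration.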

To try the examples, run the embedded Tomcat (configured in the pom.xml of the example project below):

mvn tomcat7:run-war


Example Project

Dependencies and Technologies Used:

  • spring-security-web 4.2.3.RELEASE: spring-security-web.
  • spring-security-config 4.2.3.RELEASE: spring-security-config.
  • spring-webmvc 4.3.9.RELEASE: Spring Web MVC.
  • javax.servlet-api 3.1.0: Java Servlet API.
  • jstl 1.2: javax.servlet:jstl.
  • JDK 1.8
  • Maven 3.3.9

Customizing Authorization Configuration
  • authorize-configuration
    • src
      • main
        • java
          • com
            • logicbig
              • example
        • webapp
          • WEB-INF
            • views
