

20 January

Spring Security (1) - Config

A Minimal <http> Configuration

All you need to enable web security to begin with is:

  <http auto-config='true'>
    <intercept-url pattern="/**" access="ROLE_USER" />
  </http>

You can use multiple <intercept-url> elements to define different access requirements for different sets of URLs, but they are evaluated in the order listed and the first match is used. So you must put the most specific matches at the top.
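The ordering rule above, as an added example that is not part of the original post: the same two rules in the wrong and in the right order (the /admin/** path, the login page and the roles are assumed for illustration).

```xml
<!-- Added example, not from the original post. Paths and roles are assumed. -->

<!-- WRONG: the catch-all is listed first, so it also matches /admin/** and the
     ROLE_ADMIN rule below is never reached; any ROLE_USER can reach /admin/. -->
<http auto-config='true'>
  <intercept-url pattern="/**"       access="ROLE_USER" />
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
</http>

<!-- CORRECT: most specific patterns first, the catch-all last. The login page
     is opened to anonymous users explicitly, otherwise the /** rule would
     demand ROLE_USER before anyone can log in. -->
<http auto-config='true'>
  <intercept-url pattern="/admin/**"  access="ROLE_ADMIN" />
  <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/**"        access="ROLE_USER" />
  <form-login login-page="/login.jsp" />
</http>
```

The two <http> elements are shown side by side for comparison; a real application context contains only one of them.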

 

To add some users, you can define a set of test data directly in the namespace:

  <authentication-provider>
    <user-service>
      <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
      <user name="bob" password="bobspassword" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>

auto-config Requires a UserDetailsService

An error can occur when using auto-config without a UserDetailsService in your application context (for example, if you are using LDAP authentication). This is because remember-me is automatically enabled when auto-config="true", and it requires an authentication mechanism which uses a UserDetailsService in order to function (see the Remember-me chapter for more details). If you have an error caused by a missing UserDetailsService, try removing the auto-config setting (and any remember-me setting you might have). For example, an authentication provider that references an explicit UserDetailsService bean looks like this:

  <authentication-provider user-service-ref='myUserDetailsService'/>

  <beans:bean id="myUserDetailsService"
              class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource"/>
  </beans:bean>
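The failure mode described above, as an added example that is not part of the original post: an LDAP-only setup that breaks under auto-config, beside the same setup with the individual features spelled out and remember-me left off. The LDAP URL, DN pattern and the list of features auto-config stands for are assumptions.

```xml
<!-- Added example, not from the original post. Server URL and DN pattern are
     placeholders; the expansion of auto-config is an assumption. -->

<!-- FAILS AT STARTUP: auto-config="true" also enables <remember-me/>, which
     needs a UserDetailsService, and the LDAP provider does not provide one. -->
<http auto-config="true">
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>
<ldap-server url="ldap://ldap.example.org:389/dc=example,dc=org" />
<ldap-authentication-provider user-dn-pattern="uid={0},ou=people" />

<!-- WORKS: drop auto-config and list the features you actually want,
     leaving remember-me out because nothing can back it. -->
<http>
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login />
  <http-basic />
  <logout />
  <anonymous />
</http>
<ldap-server url="ldap://ldap.example.org:389/dc=example,dc=org" />
<ldap-authentication-provider user-dn-pattern="uid={0},ou=people" />
```

Only one of the two <http> elements belongs in a real context; they are placed together here for comparison.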

Concurrent Session Control

If you wish to place constraints on a single user's ability to log in to your application, Spring Security supports this out of the box with the following simple additions. First you need to add the following listener to your web.xml file to keep Spring Security updated about session lifecycle events:

  <listener>
    <listener-class>
      org.springframework.security.ui.session.HttpSessionEventPublisher
    </listener-class>
  </listener>

Then add the following line to your application context:

  <http>
    ...
    <concurrent-session-control max-sessions="1" />
  </http>

Adding in Your Own Filters

Each Spring Security filter implements the Spring Ordered interface and the filters created by the namespace are sorted during initialization. The standard Spring Security filters each have an alias in the namespace. The filters, aliases and namespace elements/attributes which create the filters can be found at “Standard Filter Aliases and Ordering”.

 

Method Security

Adding an annotation to a method (on a class or interface) then limits access to that method accordingly. Spring Security's native annotation support defines a set of attributes for the method; these are passed to the AccessDecisionManager, which makes the actual decision.

    @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
    public Account readAccount(Long id);

The following example protects all methods on beans declared in the application context whose classes are in the com.mycompany package and whose class names end in "Service". Only users with the ROLE_USER role will be able to invoke these methods. As with URL matching, the most specific matches must come first in the list of pointcuts, as the first matching expression will be used.

  <global-method-security>
    <protect-pointcut expression="execution(* com.mycompany.*Service.*(..))" access="ROLE_USER"/>
  </global-method-security>
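Pointcut ordering and annotation support together, as an added example that is not part of the original post: a ROLE_ADMIN rule for the delete* methods placed above the general ROLE_USER rule, with @Secured annotations switched on so that annotated methods such as the readAccount example above are also enforced (package, method and role names are assumed).

```xml
<!-- Added example, not from the original post. Package and role names assumed. -->
<global-method-security secured-annotations="enabled">
  <!-- Most specific first. If the ROLE_USER rule below were listed above this
       one it would match delete* methods too, and any user could delete. -->
  <protect-pointcut expression="execution(* com.mycompany.*Service.delete*(..))"
                    access="ROLE_ADMIN" />
  <!-- General rule for every other method on *Service beans. -->
  <protect-pointcut expression="execution(* com.mycompany.*Service.*(..))"
                    access="ROLE_USER" />
</global-method-security>
```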

Alternatively, you can protect individual methods of a single bean with <intercept-methods>, using method name patterns:

  <bean:bean id="target" class="com.mycompany.myapp.MyBean">
    <intercept-methods>
      <protect method="set*" access="ROLE_ADMIN" />
      <protect method="get*" access="ROLE_ADMIN,ROLE_USER" />
      <protect method="doSomething" access="ROLE_USER" />
    </intercept-methods>
  </bean:bean>

Trackbacks

The trackback URL for this post is:
http://mybiblebook.spaces.live.com/blog/cns!8D4E97688DE1E193!441.trak