The new Certification Class of Learn Spring Security is out:


Spring Security - Behind the Scenes

The Security with Spring Tutorial discusses how to introduce security into an MVC project, the Maven dependencies for Spring Security, Login and Logout and some more advanced topics. It also deals with Security for REST – how to Authenticate against a REST API and how to consume the API with RestTemplate.

1. >> The Registration Series

2. >> The Authentication Series

3. >> Core Spring Security


4. >> Spring Security with REST


>> Other Spring Tutorials

=> How to build REST Services with Spring

=> How to Build the Persistence Layer of an application with Spring and Hibernate, JPA, Spring Data, etc

=> Common Exceptions in Spring with examples – why they occur and how to solve them quickly


The entire tutorial in based on this github project. Watch and fork it at will – the project can be used as a starting point for a more full fledged implementation.

Go deeper into Spring Security with the course:


  • Beodeo Van den Schwarz

    great website! but could you check the link behind “Spring Security – security none… etc”? Seems to point at the wrong page.

  • Juan Mendoza

    Hi Euge,

    I read the book “REST services withspring”, and it’s very good to start with the concept of spring security, but I don’t found how did the autentication that I want, maybe you can give me some advice.

    I want that the first time that the user try to use some API that needed autentication, it should send the user and password and the aplication goes to deliver to they a token. After that, always that the user use some other operation (API), it needed send to the aplication the token that was delivered with the initial response.

    ¿Exist some feature of autentication that I can use to do that?

    Thanks Eugen!

    • Hey Juan,

      There are a few things to keep in mind here. What you are describing is exactly the concept of the cookie – which is the standard way to handle authentication for a standard web application.

      Now – if you are securing a REST Service (as opposed to – the standard Spring MVC web app), then it depends how much you care about the RESTful nature of your solution.

      If you want to be RESTful – then the cookie solution will not do well – because you will be relying on the STATE of the server, whereas for REST – the server should be entirelly stateless. So – in this case, the client should send the credentials ON EVERY REQUEST – not just on the first request. I have implemented several services like this – so this is not a purely academic constraint – this works perfectly well in practice.

      Now – if you are not really looking to build a REST service – and are looking to only build an API over HTTP – only partly adhering to the architectural set of constraints that REST proposes (which is not a bad thing as long as you understand the architectural choice you’re making) – then you can look at one of my articles – describing how to set this up exactly.
      Hope this helps.

      • Juan Mendoza

        Thank Euge,

        That article show me how configure the behavior to work with the cookie,but in fact i was looking for the way to do mi API as RESTfull, because the use of cookie in movile aplication, in some occasion maybe can be dificult. In this way if I send the tooken to the client, and this send me it I don’t need use a cookie.

        independently of this, do you know some way to do that?, of maybe is necesary make a my own AutenticationManager?


        • So – how is the token you’re thinking of any different than a cookie? As far as I can see – the token is the cookie. Now – sure, you can do a custom token if you would like to – and yes, in that case you will have to get a bit deeper into the Spring Security configuration – but why reinvent the cookie mechanism?

  • sonoerin

    Thank you for the great tutorials Eugen, they really help me understand these topics better. I wonder if you consider putting a Spring Security tutorial for using custom roles? For example, instead of USER & ADMIN, what if I wanted a hierarchical approach with customer roles like this (top-down): ADMIN, OWNER, MANAGER, RECEPTIONIST, VISITOR.

    I have seen old Spring Security code snippets about custom role names. But I have yet to see one that shows from configuration, to database seeding, to authentication.

    Thanks again for the great help you provide.

    • Hey Sonoerin – yes, a more complex Role-Privilege model is actually implemented in my REST project on github. Thanks for the suggestion, I might write about that sometime soon. Cheers,

  • Enma

    nice tutorial Eugen..but i wonder perhpas u got project on github about dynamic url for spring security..

  • joxers

    how to create user management UI ?

    • Hey Joxers,
      That’s something I do have on my TODO list to write about, but it may be further out, perhaps a couple of months. Cheers,

  • Cal L F

    Hello Eugen, Will you be doing any OAuth2 integration tutorials where you secure your REST API using an OAuth2 authorization server. That would be amazing. Great work so far!

  • Pawel

    Hi Eugen, I’m working with your Packt video course Spring Security. I like the way you teach. I watched most of videos and now I would like to run some examples. For some reason I can’t run any of them. Im out of ideas whay may be wrong . Could you please look at the stack and maybe give me some advice?

    2015-10-14 09:43:59,693 [localhost-startStop-1] INFO o.s.w.c.s.AnnotationConfigWebApplicationContext – Found 1 annotated classes in package [com.packt.springsecurity.backend.spring]

    2015-10-14 09:43:59,775 [localhost-startStop-1] INFO o.s.c.a.ClassPathBeanDefinitionScanner – JSR-250 ‘javax.annotation.ManagedBean’ found and supported for component scanning

    2015-10-14 09:43:59,785 [localhost-startStop-1] ERROR o.s.web.context.ContextLoader – Context initialization failed

    java.lang.IllegalArgumentException: null

    at org.springframework.asm.ClassReader.(Unknown Source) ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    at org.springframework.asm.ClassReader.(Unknown Source) ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    at org.springframework.asm.ClassReader.(Unknown Source) ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    at org.springframework.core.type.classreading.SimpleMetadataReader.( ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader( ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader( ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader( ~[spring-core-3.2.0.RELEASE.jar:3.2.0.RELEASE]

    • Hey Pawel – glad you’re learning from the course. Two quick notes here. First – can you please open up an issue over on the Github project for the course – and add the full stack trace. That’s going to help me really see what the issue is. Second – can you edit your previous comment and remove the code? It makes the comment very heavyweight but because it’s not the full stack – it doesn’t help to much. Cheers,

  • kenji

    Hi Eugen,

    I’m looking to start a new project, do you thing it’s a good idea to choose spring-boot?

    • Hey Kenji – without any other info, the very simplistic answer here is yes. Spring Boot is definitely very nice, especially if you already have Spring experience, so my blanket answer here is, yes, go for it.

  • Rubén Pahíno Verdugo

    Hi Eugen,

    I’m afraid that’s beyond the scope of these series but I’m facing some trouble trying to understand how own credentials can mix up with third party access. I have no idea how to let my users register both with Facebook/Google and using my own registration server such as the one that we are creating in these series. How can I let them:

    1) register with Facebook/Google
    2) connect their application accounts with their own Facebook/Google ones after they have registered

    I’ve being thinking about it for a long time and have some ideas, but none o them seem “too much professional”. I would thank you if you could bring some light to this with any documentation you know, example projects or something. I’m trying to focus on OpenID Connect implementing my own provider with MITREid Connect project, but I dont’ know if it’s the documentation, me or my english, but I’m no being able to understand it deeply enough.

    Thank you,

    • Hey Ruben – that’s an interesting scenario.
      First, let’s clarify the “register with G/F” point – that’s a hybrid registration and I’ve only implemented it once, entirely manually, in a client engagement. I could add it to the content calendar of the site – but it’s such a specific and focused usecase that I’m really not sure it would help a lot of people and worth the effort of doing a full writeup about it.
      Two quick suggestions. First – have a look at Spring Social – that’s going to help you abstract some of the OAuth2 details away and allow you to set up a login (not exactly a hybrid registration, but it’s a good place to start).
      Second – try to decompose your problem into separate questions and post them on StackOverflow along with a simple but runnable project that reproduces each issue.
      Hope that helps. Cheers,

  • nisha

    Thanks for sharing this one

  • ETheG


    I wonder if your master class will cover our usecase:

    We need some help figuring out how to set up our Security for our microservices.
    We have an ADFS server capable of creating JWT tokens.
    We have a GUI application that should be doing Authentication and Authorization against the ADFS server using Spring Security.

    Also the GUI application communicates with REST api´s that should be secured with JWT tokens.
    So from what i understand we need Spring Security (in the GUI application) to Authenticate against ADFS and fetch some JWT token. Then read the JWT token to see what claims and roles the user has to be used for autorization in the gui app.

    And then then attach this JWT token to every REST api request.
    In the REST api`s we will also need Spring Security set up to read and validate the JWT tokens.

    Do I understand approximatly how this should work?
    And does your classes cover this?

    • Hey Erik,
      That’s an interesting architecture.
      Let’s start with a question – are you looking to do OAuth, or simply make use of JWT tokens with no reference to OAuth? Either way is fine of course, just note that – while Spring Security has solid OAuth support, if you’re rolling your own solution, you will have to do a bit more manual implementation.
      Now, let’s come back to the question you have about the course. The answer is, mostly no – at least not directly. I do cover most of the infrastructure you’ll need to do the implementation, but there’s no lesson that actually shows you how to implement this exact architecture of course.
      Finally – in your GUI – it depends on how much security functionality you need. For example, if you really just need to retrieve the token and then make use of it when consuming the API, you may not need Spring Security at all. You will naturally need it in the API.
      Hope that gives you some clarity.

      • ETheG

        Hi Eugen and thanks for the quick reply.
        Yes im looking at doing Oauth2. Also, in the GUI, we need the regular bunch of security functionality. I was hoping we could extract AD groups from the JWT token and then convert them to Spring Roles and authorize the “normal” way in the GUI.
        Basicly what i need is some pointers and hints/tips/examples on how to proceed. I dont mind spending if you have some courses or stuff that will help or other suggestions.


        • That makes sense.
          First, yes, you should be fully able to have the groups in the token and then extract them – have a look at the TokenEnhancer for adding extra info in the token.

          Now, when it comes to examples on how to proceed – again – you have a very custom scenario. You’ll find building blocks on how to proceed in the course, yes. But there’s no end to end example of exactly what your specific architecture.

  • Sunil NG

    Hello Thanks for the wonderfull article !!I am actually working on signup applications with multiple flows !!

    Our front is angular and Backend is Apache camel routes. For securing the flows we are using spring security.

    1. We need to create a session when the user goes to second page of signup screen, Also do time out if user is there in second screen for long time
    2. We need to store the data entered by user in the first page in to https session, and might fetch it in to 3 or consecutive pages
    3. Since it is pre login application i basically need to understand the session management (Which include creation, Maintenance and termination )
    4. Also is it possible for us to add the role as visitor until he signup and change to role to user ? Basically i am checking to have a customized roles

    Please guide me how to go with this !! Since it is prelogin applications i am not able to judge on the data concepts being shared in this lesson

    • Hey Sunil,
      I’m glad you enjoyed the writeup.
      It sounds like you’re implementing quite an advanced solution here, and I’m not sure exactly how you’d like me to help. The scenario is a bit to complex to cover in an article, and I don’t do consulting work.

      My suggestion is to decompose what you’re trying to do and implement a simpler version of your full requirements first. Then move towards the full system, and if you get stuck, ask very specific, fine-grained questions.

      Generally, if you ask “how do I implement this whole thing” – you won’t any good answers.
      Hope that helps. Best of luck with it.

  • Srikanth Machavaram

    Hello Eugen Paraschiv

    Any one in the google and any website is saying Spring-Security with SINGLE Login page in a sample project, I need two custom login pages in a project like for admin & normal user, please tell how to use 2 custom login pages in a Project.

    Thanks and Regards
    Srikanth Machavaram

    • Hey Srikanth – that’s an interesting scenario. I haven’t written about it here it – I’m adding it to the content calendar, so keep an eye on the feed over the next couple of months.

  • Ville

    Hi, what is the complete total duration of all the spring security master class videos? Thanks!

    • Hey Ville,
      Right now it’s a bit over 10 hours, and after I finish all the planned bonus lessons, it’s going to sit somewhere around 12.
      Hope that helps. Cheers,