Simple web application with Spring Security: Specification

User Story 1: A user that is not logged in should be forced to authenticate themselves through a login form when they visit a secure page.

Note: An application-specific login page should be used to enable authentication.

User Story 2: With a valid username/password a user should be able to log in and view the application home page.

Note: Users that have an admin role should be automatically brought to the admin page by default.

User Story 4: Users that visit the root URL should be directed straight to the application home page.

User Story 5: Users that fail authentication should be presented with the login page and a reason for the failure.

Note: The username used to log in should remain present on the form.

Note: When the failure is because the username does not exist then this should be made clear in the failure message.

User Story 6: When a user is directed to the login page, the user should then be directed to the page they tried to reach previously.

User Story 7: Create common navigation that all secure pages will contain.
Note: There will be links to home, admin pages and a logout link.

User Story 8: Add support for users to log out. When a user logs out they should go back to the login page. A message should inform the user that they have successfully logged out.

User Story 9: A user should only be able to log on to the application once. Concurrent sessions should not be allowed. Inform the user when login fails due to a concurrent login problem.

1. No JSP page should be directly accessible from the browser URL (except login and index)
   – we do this by keeping all our JSP pages under the WEB-INF folder, which is not accessible to the public
2. All pages on the site (except the login page) will require users to be authenticated
3. Prevent possible session-fixation attacks
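
One way the stories and requirements above map onto Spring Security configuration, as an added example that is not code from this series. It assumes Spring Security 6 Java configuration; the class name and the paths /login, /home and /admin/** are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example: assumes Spring Security 6; all URL paths are hypothetical.
@Configuration
@EnableWebSecurity
public class SpecSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Requirement 2: every page except the login page needs authentication.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Stories 1, 2, 5, 6: application-specific login form; a failed login
            // returns to the form; after success the originally requested page is
            // replayed, otherwise the user lands on the home page.
            .formLogin(form -> form
                .loginPage("/login")
                .failureUrl("/login?error")
                .defaultSuccessUrl("/home"))
            // Story 8: logout returns to the login page with a flag for the message.
            .logout(logout -> logout.logoutSuccessUrl("/login?logout"))
            .sessionManagement(session -> session
                // Requirement 3: issue a new session id at login, keep attributes.
                .sessionFixation(fixation -> fixation.migrateSession())
                // Story 9: one session per user; a second login attempt is rejected.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true));
        return http.build();
    }

    // Concurrency control relies on session-destroyed events to release a
    // user's slot when their session ends or times out.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Sending admin users to the admin page by default (the note on User Story 2) needs a custom AuthenticationSuccessHandler and is not covered by this configuration.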

Common page elements

User Story 7: Create common navigation that all secure pages will contain.
Note: There will be links to home, admin pages and a logout link.
Note: Only admin users should see the admin link on the common navigation.

User Story 10: A common information bar should exist on all secure pages that displays whether the user is logged in or not.

Home page

Admin page


10 Responses to “Simple web application with Spring Security: Specification”

  1. Alessandro Says:

    Great tutorial. Where can I find source code? Thanks…

  2. heraclitusonsoftware Says:

    Thanks Alessandro. I have been updating the code all the way through. What I think I will do is put the code onto a Google Code project and create a tag for each part in the series for the change in code. I will then update the series pages with this information when it's ready.

  3. Khalid Says:

    Just wanted to say.. THANK YOU for this excellent series.. I can't wait for you to finish… I found this blog at the right time.. saved me hours of frustration. I have used Acegi Security before… which provided excellent documentation. While Spring Security is more concise and more logical, its lack of detailed documentation is extremely frustrating.
    I am implementing a solution using LDAP.. using your config as a reference, I got it to work !!
    Thank you again.. look forward to your next blog in the series..

    • heraclitusonsoftware Says:


      Thanks for your comments. I am not sure it will ever finish :), So many things to explore.
      As always, if you wish the series to try and discuss anything in particular leave a comment and I’ll do my best to get round to it.


  4. KhoaTran Says:

    Thank you. It’s very useful for me. I am working with this.

  5. Nisha Says:


    I need a simple authentication program in Spring Security 3.0.

    Could you please help me?


  6. rj Says:

    I need the source code for the same requirements as mentioned by you in this blog.
    Simple web application with Spring Security

    Can you please help.

  7. Deepak Kumar Says:

    Thanks for such good blog.
    Please let me know if you have written such a blog for integrating Alfresco with Spring MVC. I have to implement this part into my project and I am looking for the same kind of blog (step by step).
    It will be really helpful if you can point me something (of same kind) on Alfresco-Spring part.

  8. Raffaele Terribile Says:

    A wonderful example of Test Driven Development!

  9. site Says:

    Have you considered including several social bookmarking links to these blogs? At least for YouTube.
