Spring 4 Security MVC Login Logout Example


Today we will walk through a Spring Security login example. Before reading this post, please go through my previous post, “Introduction to Spring 4 Security”, to get some basics.

Spring Security Login Logout Example

In this post, we are going to develop a Spring 4 MVC Security web application that provides login and logout features using the in-memory option. This example uses Spring Java Config with Spring annotations, which means no web.xml and no Spring XML configuration (the old style).

If you are not familiar with Spring 3.x Security Module, please go through the following posts first to taste the Spring Security Recipe.

  1. Spring MVC Security Example using in-memory, UserDetailsService and JDBC Authentication
  2. Spring Security in Servlet Web Application using DAO, JDBC, In-Memory authentication

Spring 4 Security Module supports the following options to store and manage User Credentials:

  1. In-Memory Store
  2. Relational Databases (RDBMS)
  3. NoSQL Data Stores
  4. LDAP

We will use the “In-Memory Store” option in this example. We will discuss the other options in my coming posts.

We are going to use Spring 4.0.2.RELEASE, Spring STS 3.7 Suite IDE, Spring TC Server 3.1 with Java 1.8 and Maven build tool to develop this example.

Spring Security Login Example

We are going to develop login and logout logic using Spring 4 Security features. The main aim is to develop the application without “web.xml” and without writing a single line of Spring XML bean configuration. That means we are going to use the Spring Java Config feature with Spring annotations.

We will develop this application with the following features:

  1. Welcome Page
  2. Login Page
  3. Home Page
  4. Logout Feature

Please use the following steps to develop and explore this Spring 4 Security Simple Login Example.

  • Create a “Simple Spring Web Maven” Project in Spring STS Suite with the following details
       Project Name : SpringMVCSecruityMavenApp
  • Update pom.xml with the following content
    <?xml version="1.0" encoding="UTF-8"?>

    If you are not aware of “<failOnMissingWebXml>” flag, please read at the end of this post to get a good understanding of this element usage.

  • First, Develop Login Controller by using Spring’s @Controller annotation.
  • LoginController.java

    package com.journaldev.spring.web.controller;

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class LoginController {

    	// Public welcome page, rendered by welcomePage.jsp
    	@RequestMapping(value = { "/"}, method = RequestMethod.GET)
    	public ModelAndView welcomePage() {
    		ModelAndView model = new ModelAndView();
    		model.setViewName("welcomePage");
    		return model;
    	}

    	// Protected home page, rendered by homePage.jsp
    	@RequestMapping(value = { "/homePage"}, method = RequestMethod.GET)
    	public ModelAndView homePage() {
    		ModelAndView model = new ModelAndView();
    		model.setViewName("homePage");
    		return model;
    	}

    	// Renders the login form only; the credentials POST is handled by Spring Security
    	@RequestMapping(value = "/loginPage", method = RequestMethod.GET)
    	public ModelAndView loginPage(@RequestParam(value = "error",required = false) String error,
    	@RequestParam(value = "logout",	required = false) String logout) {
    		ModelAndView model = new ModelAndView();
    		if (error != null) {
    			model.addObject("error", "Invalid Credentials provided.");
    		}
    		if (logout != null) {
    			model.addObject("message", "Logged out from JournalDEV successfully.");
    		}
    		model.setViewName("loginPage");
    		return model;
    	}
    }

    Code Explanation:-
    We have defined three methods in “LoginController” to handle three different kinds of Client Requests

    1. welcomePage() will handle all client requests which are using “/” URI.
    2. homePage() will handle all client requests which are using “/homePage” URI.
    3. loginPage() will handle all client requests which are using “/loginPage” URI.
    4. In loginPage(), we take care of handling the error and logout messages.
  • Then develop a class “LoginSecurityConfig” to provide Login and Logout Security Features using Spring 4 Security API.
  • LoginSecurityConfig.java

    package com.journaldev.spring.secuity.config;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    @Configuration
    @EnableWebSecurity
    public class LoginSecurityConfig extends WebSecurityConfigurerAdapter {
    	@Autowired
    	public void configureGlobal(AuthenticationManagerBuilder authenticationMgr) throws Exception {
    		// ... the in-memory user and its authorities are registered here
    	}
    	@Override
    	protected void configure(HttpSecurity http) throws Exception {
    		// ... the access rule for "/homePage", formLogin() and logout() are configured here
    	}
    }

    Code Explanation:-
    We have defined two methods in “LoginSecurityConfig” to store and manage User Credentials and take care of Login and Logout Security features.

    1. The @EnableWebSecurity annotation is used to enable web security in any web application.
    2. The @EnableWebMvcSecurity annotation is used to enable web security in a Spring MVC based web application.

       NOTE:- @EnableWebSecurity = @EnableWebMvcSecurity + extra features. That’s why the @EnableWebMvcSecurity annotation is deprecated in Spring 4.x Framework.

    3. The “LoginSecurityConfig” class, or any class designated to configure Spring Security, should extend the “WebSecurityConfigurerAdapter” class or implement the related interface.
    4. The configureGlobal() method is used to store and manage user credentials.
    5. In the configureGlobal() method, we can use the authorities() method to define our application roles like “ROLE_USER”. We can also use the roles() method for the same purpose.
    6. Difference between the authorities() and roles() methods:
       authorities() needs a complete role name like “ROLE_USER”.
       roles() needs a role name like “USER”. It automatically adds the “ROLE_” prefix to this “USER” role name.

       NOTE:- We will develop another example to demonstrate roles like “USER” and “ADMIN” in my coming posts.

    7. The important method that takes care of login and logout security is configure(HttpSecurity http).
    8. The following code snippet is used to prevent unauthorized access to “/homePage”. If you try to access this page directly, you will be redirected to the “/loginPage” page automatically.

       If we remove the access("hasRole('ROLE_USER')") method call, then we can access this page without logging in to our application.

    9. We have configured the login and logout features using the formLogin() and logout() methods.
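
A complete configuration matching the explanation above, written out as an added example (it is not the original post's code). The user name and password come from the hypothetical environment variables APP_LOGIN_USER and APP_LOGIN_PASSWORD, because the tutorial's own credentials are not shown on this page. Going beyond the plain in-memory setup the post describes, the password is kept as a BCrypt hash.

```java
package com.journaldev.spring.secuity.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class LoginSecurityConfig extends WebSecurityConfigurerAdapter {

	// Assumption: hypothetical environment variable names. The tutorial's own
	// user name and password are not shown on this page.
	private static final String USER_ENV = "APP_LOGIN_USER";
	private static final String PASSWORD_ENV = "APP_LOGIN_PASSWORD";

	// Fail at startup instead of registering a user with a missing name or password.
	private static String requiredEnv(String name) {
		String value = System.getenv(name);
		if (value == null || value.isEmpty()) {
			throw new IllegalStateException("Missing environment variable " + name);
		}
		return value;
	}

	@Autowired
	public void configureGlobal(AuthenticationManagerBuilder authenticationMgr) throws Exception {
		PasswordEncoder encoder = new BCryptPasswordEncoder();
		authenticationMgr.inMemoryAuthentication()
			.passwordEncoder(encoder)                 // logins are checked against a BCrypt hash
			.withUser(requiredEnv(USER_ENV))
			.password(encoder.encode(requiredEnv(PASSWORD_ENV)))
			.authorities("ROLE_USER");                // same result as roles("USER")
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		// CSRF protection is left at its default (enabled); the hidden _csrf
		// fields in loginPage.jsp and homePage.jsp supply the token.
		http.authorizeRequests()
				.antMatchers("/homePage").access("hasRole('ROLE_USER')")
			.and()
				.formLogin()
				.loginPage("/loginPage")              // GET is rendered by LoginController
				.loginProcessingUrl("/loginPage")     // POST is consumed by the security filter
				.usernameParameter("username")
				.passwordParameter("password")
				.defaultSuccessUrl("/homePage")
				.failureUrl("/loginPage?error")       // sets the "error" request parameter
			.and()
				.logout()
				.logoutUrl("/logout")                 // POST target of the form in homePage.jsp
				.logoutSuccessUrl("/loginPage?logout");
	}
}
```

Only “/homePage” is restricted here, as in the explanation; every other URL, including “/” and “/loginPage”, stays reachable without logging in.
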
  • Enable Spring MVC Configuration
  • LoginApplicationConfig.java

    package com.journaldev.spring.secuity.config;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Import;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;
    import org.springframework.web.servlet.view.InternalResourceViewResolver;
    import org.springframework.web.servlet.view.JstlView;
    @EnableWebMvc
    @Configuration
    @ComponentScan({ "com.journaldev.spring.*" })
    @Import(value = { LoginSecurityConfig.class })
    public class LoginApplicationConfig {
    	// Resolves a view name such as "homePage" to /WEB-INF/views/homePage.jsp
    	@Bean
    	public InternalResourceViewResolver viewResolver() {
    		InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
    		viewResolver.setViewClass(JstlView.class);
    		viewResolver.setPrefix("/WEB-INF/views/");
    		viewResolver.setSuffix(".jsp");
    		return viewResolver;
    	}
    }

    Code Explanation:-
    We use “LoginApplicationConfig” class to define Spring MVC View Resolvers to avoid writing “web.xml” file.

    1. @EnableWebMvc Annotation is used to enable Spring Web MVC Application Features in Spring Framework
    2. @Import Annotation is used to import Spring Security Configuration class into this class.
    3. @ComponentScan Annotation is used to do component scanning in the specified package. It is equal to “<context:component-scan>” in Spring XML Configuration.
  • Initialize Spring Security
    package com.journaldev.spring.secuity.config.core;
    import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
    // No body needed: the base class registers the springSecurityFilterChain filter
    public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    }

    “SpringSecurityInitializer” is used to register the DelegatingFilterProxy to use the springSecurityFilterChain. It avoids writing Filters configuration in web.xml file.

  • Initialize Spring MVC Application
  • The “SpringMVCWebAppInitializer” class is used to initialize the “DispatcherServlet” without a web.xml file in an annotation-based configuration.


    package com.journaldev.spring.secuity.config.core;
    import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
    import com.journaldev.spring.secuity.config.LoginApplicationConfig;
    public class SpringMVCWebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    	@Override
    	protected Class<?>[] getRootConfigClasses() {
    		return new Class[] { LoginApplicationConfig.class };
    	}
    	@Override
    	protected Class<?>[] getServletConfigClasses() {
    		return null;
    	}
    	// Map the DispatcherServlet to the application root
    	@Override
    	protected String[] getServletMappings() {
    		return new String[] { "/" };
    	}
    }


    1. When we access our application, by default SpringMVCWebAppInitializer’s getServletMappings() allows access to the root URL: “/”. We can override it to forward to a different URL.
    2. The Spring or Pivotal team is working on this issue, to avoid this much Java code by introducing an annotation. Please check this at https://jira.spring.io/browse/SPR-10359.
  • Develop welcomePage.jsp file
    <h3>Welcome to JournalDEV Tutorials</h3>
    <a href="${pageContext.request.contextPath}/loginPage">Login to Journal</a>
  • Develop loginPage.jsp file
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <html>
    <body onload='document.login.username.focus();'>
    	<h3>JournalDEV Tutorials</h3>
    	<c:if test="${not empty error}"><div>${error}</div></c:if>
    	<c:if test="${not empty message}"><div>${message}</div></c:if>
    	<form name='login' action="<c:url value='/loginPage' />" method='POST'>
    		<table>
    			<tr>
    				<td>Username:</td>
    				<td><input type='text' name='username' value=''></td>
    			</tr>
    			<tr>
    				<td>Password:</td>
    				<td><input type='password' name='password' /></td>
    			</tr>
    			<tr>
    				<td colspan='2'><input name="submit" type="submit" value="submit" /></td>
    			</tr>
    		</table>
    		<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    	</form>
    </body>
    </html>
  • Develop homePage.jsp file
    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <h3>Welcome to JournalDEV Tutorials</h3>
    <ul>
    	<li>Java 8 tutorial</li>
    	<li>Spring tutorial</li>
    	<li>Gradle tutorial</li>
    	<li>BigData tutorial</li>
    </ul>
    <c:url value="/logout" var="logoutUrl" />
    <form id="logout" action="${logoutUrl}" method="post" >
      <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    </form>
    <c:if test="${pageContext.request.userPrincipal.name != null}">
    	<a href="javascript:document.getElementById('logout').submit()">Logout</a>
    </c:if>
  • Final Project Structure looks like this:
    [Screenshot: final project structure]

Run Spring Security MVC Login Logout Example

To run this Spring web application, we need a web container that supports Spring 4 and Java 8 with a Servlet 3.1.0 container.

  • Deploy and run on Spring TC Server in Spring STS Suite.
  • It automatically opens our application's welcome page URL, as shown below.
    [Screenshot: welcome page]

  • Click on the “Login to JournalDEV” link to access the login page.
    [Screenshot: login page]

  • Now, provide wrong login details and click on the “Login” button.
    [Screenshot: login page after a failed login]

    Here we can observe this error message: “Invalid Credentials provided.”

  • Now, provide the correct login details configured in the “LoginSecurityConfig” class.
    [Screenshot: home page after a successful login]

    After a successful login to our application, we can see our application home page with the “Logout” link.

  • Click on the “Logout” link to log out from the application.
    [Screenshot: login page after logout]

    Here we can observe that we are logged out from our application successfully and redirected to the login page again.

    We can see the logout success message on this login page.

Notice that this example does not use a web.xml file. Because it is a web application, Maven searches for the web.xml file and raises errors if it does not find one in the application. To avoid these Maven-related issues, we need to configure the “<failOnMissingWebXml>” flag in the pom.xml file.

That’s all about the Spring 4 Security Module simple example. We will develop some more real-time useful examples in my coming posts, like Managing Roles, the Remember-Me feature, WebSocket Security, and more.

Please drop me a comment if you like my post or have any issues/suggestions.


  1. vu says:

    Thank so much ! Keep doing

  2. Devdyuti singh says:

    Hi Pankaj,

    Thanks for writing this article. This is a very simple and acute example to understand Spring Security.

    I followed your steps to implement Spring Security in one of my existing tutorial projects. But I am getting some issues while deploying the .war file. Could you please check what the issue is exactly? I googled it but I couldn’t find the expected result.

    Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method ‘springSecurityFilterChain’ threw exception; nested exception is java.lang.NoSuchMethodError: org.springframework.util.Assert.isTrue(ZLjava/util/function/Supplier;)V

  3. Akash says:

    Thank you so much. Very proper, step-by-step description given. Please, we want an example of managing different user roles.

  4. Sumit Sood says:

    Is it possible to use a hashed password instead of plain text in the LoginSecurityConfig class, so no one can easily guess it?

  5. Rajesh Gupta says:

    Please help! I am getting the following problem:

    Nov 20, 2017 4:19:02 PM org.springframework.web.servlet.PageNotFound noHandlerFound
    WARNING: No mapping found for HTTP request with URI [/SpringMVCSecruityMavenApp/${pageContext.request.contextPath}/loginPage] in DispatcherServlet with name ‘dispatcher’

  6. RISHAV says:

    I am trying to implement Spring Security in my existing Spring MVC project. I have designed my flow so that when my application first loads, it goes to “Index.jsp” as below:

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public ModelAndView Index() {
    	ModelAndView form = new ModelAndView("Index");
    	return form;
    }

    And my Index.jsp contains two buttons: 1) SignUp and 2) Login. Both of these buttons open their respective “Modal” on the same page and submit a POST request as below:

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public ModelAndView Login(@RequestParam Map reqvar) {
    	// ...
    }

    @RequestMapping(value = "/signup", method = RequestMethod.POST)
    public ModelAndView SignUp(@RequestParam Map reqvar) {
    	// ...
    }

    Now I want to implement Spring Security. How do I implement it? I want something such that once I submit the form from the Model for login using {context}/login, Spring should authenticate me for the provided userid and password.
    So what should I write in the “protected void configure(HttpSecurity http) throws Exception {” method?

    As of now I have written something like below, but it is not working:

    public class SpringSecurity extends WebSecurityConfigurerAdapter {
    	public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
    		// ...
    	}

    	protected void configure(HttpSecurity http) throws Exception {
    		http.csrf().disable(); // disabled csrf as of now for simplicity.
    		// ...
    	}
    }



  7. shoaib ali says:

    Sir, I am getting this error:
    The absolute uri: https://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application

  8. Venkata Reddy says:

    Hi Sir,
    After adding the correct credentials, I am getting the below error… I have homePage.jsp in place.

    HTTP Status 404 – /SpringMVCSecruityMavenApp/WEB-INF/views/homePage.jsp


    type Status report

    message /SpringMVCSecruityMavenApp/WEB-INF/views/homePage.jsp

    description The requested resource is not available.


    Apache Tomcat/7.0.81


  9. Mel says:

    Hi, why is it that after I log in I can still access the login page and it doesn’t redirect to the homePage?

  10. Pash says:

    Getting 404 error WARNING: No mapping found for HTTP request with URI [/ex/welcome] in DispatcherServlet with name ‘dispatcher’

  11. venkatesh says:

    Excellent tutorial, but we need an example of how to pass the username and password dynamically from a database, not static.

  12. maheswara says:

    When I submitted the login credentials, I got a response like:

    HTTP Status 403 – Invalid CSRF Token ‘null’ was found on the request parameter ‘_csrf’ or header ‘X-CSRF-TOKEN’.

    How do I solve this issue?

    1. anhcacem says:

      you must disable csrf feature by http.csrf().disable()

  13. pranjay Kumar says:

    Excellent tutorial, Sir, but I need some more explanation of its flow, so that it will be easier to become stronger in Spring!
    I have a bit of confusion about loginPage.jsp and LoginController.java.
    In loginPage.jsp the method is mentioned as “POST”, but in loginPage() of LoginController.java it is mentioned as “GET”.
    So is there any mismatch? Please explain…


    1. SDJ says:

      If I’m right, LoginController just controls the flow to open up loginPage view, doesn’t have anything to do with authentication. Just loads the view when “/loginPage” is loaded in URL. So it should be GET. The authentication takes place in LoginSecurityConfig. The authentication API configured here should have POST..

      In loginPage.jsp, changing the api name to ‘appLogin’ and adding ‘appLogin’ as login processing url in LoginSecurityConfig did the trick.

      <form name='login' action="” method=’POST’>


      1. SDJ says:

        action should be /appLogin, I guess I missed it in my previous comment

  14. lakshmipriya says:

    Hi, I am getting the below error after clicking the submit button. I have followed the same code which is provided in your blog.
    Can you please correct me if I missed some configuration?

  15. VedVrat says:

    No matter what I try this example doesn’t work AT ALL.
    I keep getting the below error,


    The only difference being in the pom.xml with Eclipse plugin added as below, And oh yes my artifactId is different.





  16. Purushottam says:

    I am facing a problem, please help me…

    Error 403–Forbidden

    From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:

    10.4.4 403 Forbidden

    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

  17. piya says:

    Sir can you please provide us source code.

  18. der says:

    org.springframework.web.servlet.PageNotFound handleHttpRequestMethodNotSupported
    ADVERTENCIA: Request method ‘POST’ not supported

    in weblogic 12

    1. Yogesh says:

      I get the same exception as above in Tomcat 8.x when I click on the login button. To avoid that exception I modified “loginPage.jsp” to use method=’GET’. Then there is no exception, but it is calling the same login page every time.
      Please, can anyone suggest how I can enter the “HomePage”?

  19. prasanna wagh says:

    It is a good article.
    But I am getting this exception.
    HTTP Status 403 – Invalid CSRF Token ‘null’ was found on the request parameter ‘_csrf’ or header ‘X-CSRF-TOKEN’.
    could any one help me to solve this issue?

    1. Jesudasan M says:

      Check your JSP, as you have mentioned EL ignored as false


      1. Hea says:

        Can you please elaborate, sir? I’m having the same exception too and can’t seem to fix it. Thanks!

        1. Rahul says:

          add it in jsp

  20. marouane says:

    Very helpful, thank you.
    Can you put the link where you explain the remember-me feature?

  21. Shakib Ahmed says:

    Thanks for your post, but does it work for multiple tab authentication?

  22. seyfer says:

    thank you. very helpful especially about logout link and form

  23. sandy says:

    how come the controller methods are get and the form actions are post?

  24. Iroshan says:

    Actually really interesting.
    Thank you very much sir….

  25. Manish says:

    Brilliant, something i was looking for in spring security with spring 4 setup. Thanks a lot. Works like a charm.

  26. M says:

    thank you csrf hidden parameter in the form post helped!

  27. sirireddy says:

    It’s showing a 404 error. Please help me ASAP.


    1. Jeffery says:

      actually there’s a misspelling on welcomPage.jsp, missing “e” there.

      1. Rambabu says:

        Thank you so much for good catch. Updated that one.

  28. arbil74 says:

    Thank you very much. It is the first tutorial that worked for me on the first try, and I also understood it. Congratulations.

  29. Raichand Ray says:

    You could follow this link



  30. krishna Arigela says:

    Excellent tutorial, but we need some more in-depth explanation, so that we can become stronger in Spring!
    Thanks & Regards,
    Krishna Arigela.

  31. Bibhu says:

    Very good tutorial. I have been searching for a similar example on the net for the last few days. Thank you so much for your effort. Keep up the good work.

  32. Yuriy I. says:

    Thank you for this nice example, Rambabu. It works :)

  33. Ramu P says:

    Excellent article on the Spring 4 Security example. Please post some advanced examples to demo Spring 4 features.
