DEV Community: Sri

Spring Security

Sri — Tue, 19 May 2026 13:01:09 +0000

Spring security provides authentication an authorisation.
Spring Security is a security framework for Java and Spring Boot applications.

It provides:

Authentication → verifying user identity
Authorization → controlling access
Session management
Password encryption
CSRF protection
JWT/OAuth2 support
Spring security will be enabled after adding below XML defintions in POM.xml.

org.springframework.boot
spring-boot-starter-security

org.springframework.boot
spring-boot-starter-security-test
test

Spring security filters almost all pages except the pages which is marked to permit and gives login page.

Type 1:
Passwor will be automatically generate in devleoper tool console and user will be user.
This password will be changedd on each application bootup.
Flow :

http://localhost:8080/First/add/6/8
when the user clicks this link, instead of displaying output a login page will be shown, this is prewritten and plugged in using xml definition. the actual output of addition will be displayed after authentication.
Type:2
Adding our own username and password in application properties.
spring.security.user.name=admin
spring.security.user.password=generate
Now application will not generate password but a login page will be shown on clicking the addition endpoint.
User has to enter correct username and password mentioned in application.properties. After authenticating him, he will be redirected to the output page,else error with status code 403 will be displayed
Type3:
Adding multiple users.
we cannot add all users in property file. Though property file will not accept adding duplicate properties, in real time we will be having huge data and adding in property or convincing it to accept is not an idea.

So we can achieve this multiple user concept in spring security using UserDetailsManager Interface. Its implementation class is InMemoryUserDetailsManager.
This accepts a list with userDetails objects.
UserDetails is a static method with methods to add username,password,roles etc.

Here is the code snippet:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@bean
public UserDetailsManager createUserDetailsManager(){

UserDetails user1= User.withUsername("Sri").password("{noop}generate").roles("admin").build();
UserDetails user2=User.withUsername("Desigan").password("{noop}generate").roles("user").build();
// Add users to the UserDetailsManager
List l = Arrays.asList(user1, user2);
UserDetailsManager userDetailsManager = new InMemoryUserDetailsManager(l);
return userDetailsManager;
}

Authorisation:
It works based on user privilages.
User with admin access can see all pages.
User with read access can view pages but he cannot make any changes.
we can set these privilages in security config class.

@bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

    http
       // Disable CSRF (useful for REST APIs)
            .csrf(csrf -> csrf.disable())

       // Authorization rules
 .authorizeHttpRequests(auth -> auth
 .requestMatchers("/calc/add/**").permitAll()   // No auth required
 .requestMatchers("/calc/sub/**").hasRole("USER")
 .requestMatchers("/calc/mul/**").hasRole("ADMIN")
 .requestMatchers("/calc/div/**").hasRole("ADMIN")
 .anyRequest().authenticated()
            )
 .formLogin(Customizer.withDefaults());

    return http.build();
}

In above snippet ".permitAll()" allows the user to view endpoint without any authentication.
For all the requestMatchers("/div/").hasRole("user") -> user with User role will be able to view this page.
**Option 2: JDBCUserDetialsManager.
It is nothing but communicating with database to perform login.
It has four steps, 1. collect data from UI 2. Request Database for UserDetails using loadByUserName(username) method from UserDetailService interface.

compare data from UI with data from DB
Provide success or failure login based on the results from above step. To achieve this we need load data into DB first, This is what we call as "SIGNUP". Im going to write an endpoint and send a request from POSTMan and load data into Database. This request again pass through Spring security firewall check. To allow our request to endpoint we can request spring security to permit our endpoint URL by adding below line.

public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

http.csrf(csrf -> csrf.disable())

            .authorizeHttpRequests(auth -> auth
             .requestMatchers("/", "/error").permitAll()
             .requestMatchers("/First/signUp/**").permitAll()
             .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
           // .httpBasic(Customizer.withDefaults());

    return http.build();
}

Controller:
@RequestMapping("/signUp")
////@ResponseBody
public ResponseEntity processUserSignUp(@RequestBody User user ){
log.info("inside LearningFrontController.getmultiplyService");
response=calculatorService.processUserSignUp(user);
log.info(response);
if(response.equalsIgnoreCase("success")){
return ResponseEntity.status(200).body(response);
}
log.info("exiting LearningFrontController.getmultiplyService");
return ResponseEntity.status(400).body("Signup failed");
}
Service:
public String processUserSignUp(User user){
String response="failed";
UserDetailsEntity userDetailsEntity = new UserDetailsEntity();
userDetailsEntity.setUserName(user.getUserName());
String maskedPassword=passwordEncoder.encode(user.getPassword());
userDetailsEntity.setMaskedPassword(maskedPassword);
userDetailsEntity.setUserRole(user.getRoles());
UserDetailsEntity userDetailsEntity1= customUserDetailsRepo.save(userDetailsEntity);
if(userDetailsEntity1!=null) {
return "success";
}
return response;
}
JSON:

{
"userName":"Sri",
"Password":"generate",
"roles":"User"
}
What we have in table?
UserNo PAssword userName Role
202 $2a$10$PtbhgrteGOLk0azcyGK1x SriKamini USER
203 $2a$10$WcefaBSrdqTIqLLOAh3XNep Sri USER

Spring Annotations Part2

Sri — Thu, 16 Apr 2026 18:37:49 +0000

@Restcontrolleradvice **
A convenience annotation that combines @ControllerAdvice and @ResponseBody. It is designed for RESTful APIs where the return value of an exception handler is automatically serialized into the response body (typically as JSON or XML) instead of being resolved as a view.
**@ExceptionHandler
We can use @ExceptionHandler to annotate methods that Spring automatically invokes when the given exception occurs. We can specify the exception either with the annotation or by declaring it as a method parameter, which allows us to read out details from the exception object to handle it correctly. The method itself is handled as a Controller method.
EX:
@RestControllerAdvice
public class ExceptionController {
@ExceptionHandler(NullPointerException.class)
public String hanleNullPointerException(NullPointerException ex){
return "Error: "+ex.getMessage();
}

@ExceptionHandler(MethodArgumentNotValidException.class)
public String hanleIllegalArgumentException(MethodArgumentNotValidException ex){
    return "Error: "+ex.getMessage();
}

}
@valid:
It informs controller about the presence of @ExceptionHandler.
When an exception occurs,Spring container redirects the flow to corresponding Exception handler method
@PostMapping("/SaveBookDetails")
public String SaveBookDetails(@RequestBody @valid BookDetails bookDetails) {
log.info("entering ProcessBookDetailsController");
String ValueFromService=bookService.SaveBookDetails(bookDetails);
log.info("leaving ProcessBookDetailsController");
return ValueFromService;
}

To Enable validations in coding we have Spring Boot validation dependency.
For Spring Boot applications, the standard dependency for enabling Bean Validation is spring-boot-starter-validation. This starter provides the Jakarta Bean Validation API and Hibernate Validator as the default implementation.
Enabling Validation: Once the dependency is added, you must use annotations such as @valid or @Validated on your controller method parameters (e.g., @RequestBody) to trigger the validation process.
Standard Annotations: The dependency supports standard JSR-380 annotations including @NotNull, @notblank, @Size, @min, @max, and @Email.
Historical Note: Starting with Spring Boot 2.3, the validation starter is no longer included by default in spring-boot-starter-web or spring-boot-starter-webflux. You must add it explicitly to your project.
Error Handling: When validation fails, Spring Boot typically throws a MethodArgumentNotValidException, which can be captured using a Global Exception Handler with @ControllerAdvice.

pom.xml
Dependency Configurations

org.springframework.boot
spring-boot-starter-validation

org.springframework.boot
spring-boot-starter-validation-test
test

Code:
package LiBrary;

import jakarta.validation.constraints.*;

public class BookDetails {
@NotEmpty

String bookName;

@NotNull
@Positive
@Min(0)
@Max(50)
int bookId;
double price;

@NotBlank
@NotEmpty
String authorName;
String Genre;
@Email
String email;

public String getEmail() {
    return email;
}

public void setEmail(String email) {
    this.email = email;
}

public double getPrice() {
    return price;
}

public void setPrice(double price) {
    this.price = price;
}

public String getBookName() {
    return bookName;
}

public void setBookName(String bookName) {
    this.bookName = bookName;
}

public int getBookId() {
    return bookId;
}

public void setBookId(int bookId) {
    this.bookId = bookId;
}

public String getGenre() {
    return Genre;
}

public void setGenre(String genre) {
    Genre = genre;
}

public String getAuthorName() {
    return authorName;
}

public void setAuthorName(String authorName) {
    this.authorName = authorName;
}

}
Setting default error message for valid annotations:
@NotEmpty(message="bookname cannot be blank")
String bookName;

@NotNull(message="Book id cannot be null")
@Positive(message="Book Id must be +ve")
@Min(0)
@Max(50)
int bookId;
double price;

@NotBlank(message="author name cannot be blank")
@NotEmpty(message="author name cannot be empty")
String authorName;
String Genre;
@Email(message="Not a valid email address")
String email;

error message:
arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [bookDetails.bookId,bookId]; arguments []; default message [bookId]]; default message [Book Id must be +ve]] [Field error in object 'bookDetails' on field 'authorName': rejected value [ ]; codes [NotBlank.bookDetails.authorName,NotBlank.authorName,NotBlank.java.lang.String,NotBlank]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable:

ResponseEntity:
ResponseEntity is a class in the Spring Framework used to represent the entire HTTP response. Unlike simply returning an object, it allows developers to fully configure the status code, headers, and response body sent back to the client.
It can be any objectlike List, Map or user define class

1.public class ResponseEntity extends HttpEntity

Extension of HttpEntity that adds an HttpStatusCode status code. Used in RestTemplate as well as in @Controller methods. 3.In RestTemplate, this class is returned by getForEntity() and exchange(): Snippet 1: ResponseEntity entity = template.getForEntity("https://example.com", String.class); String body = entity.getBody(); MediaType contentType = entity.getHeaders().getContentType(); HttpStatus statusCode = entity.getStatusCode(); Snippet 2 public ResponseEntity hanleIllegalArgumentException(MethodArgumentNotValidException ex){ Map errors=new HashMap(); //Code Snippet 1 - displays only key error message ex.getBindingResult().getFieldErrors().forEach(Error->{ errors.put(Error.getField(),Error.getDefaultMessage()); }); return new ResponseEntity("validation error "+errors , HttpStatusCode.valueOf(400)); //Code Snippet 2 - displays all error with vast data // return new ResponseEntity("validation error "+ex.getMessage() , HttpStatusCode.valueOf(400)); } output: validation error {authorName=author name cannot be blank, bookName=bookname cannot be blank, email=Not a valid email address, bookId=must be less than or equal to 50}

In above snippet we returned a map. we can also return a class
References:

SpringBoot Basic Annotations and Logging

Sri — Thu, 09 Apr 2026 12:49:38 +0000

Today we learned to create a spring project in Spring initializer.
Here we learnt metadata is data about data, some of metadata in maven is artifact,groupid and version.
we also learned about maven project structure and adding spring web dependency. Spring web gives tomcat automatically, whereas in eclipse we as a programmer explicitly add apache tomcat server and bring it up. spring web helps to withhold tomcat server and container takes care of bringing the server up. it helps developer to concentrate on business log instead of working in bringing the server up. Its a great feature of spring boot.

Exploring logs:
application.properties

server.port = 8080 //port in which localhost will be accessed
logging.level.root=INFO //logger prints all abstract information into the console.
logging.level.root=DEBUG // It prints all debug informations.errors.and INFO into the console.
logging.level.root=TRACE// It prints fine-grained logic flow. 5.logging.level.com.spring.LearningDemo = DEBUG //If we want to print only our package logs, we can do it. 6.If we want to have a external logging file in local disk we use below code in application.properties. logging.file.name = myapp.log logging.file.path="/E:Spring projects/LearningDemo"
In production we use logging.level.root=INFO to avoid unneccesary loggings. we use DEBUG only when we want identify a bug.

context pat is the base URL of app. here http://localhost:8080/index.

Annotations:
@Controller
Container idetifies the mentioned class as container using this annotation.

@Controller
public class LearningFrontController {

public String getResponseFromLearningFrontController(){
return "Welcome to SpringBootFrontController";
}
}
In core Java programmer has to initialise an object to call any method from one class to another. whereas in spring and spring boot container takes of creating instances, programmer can concentrate on the business logic.
A project can have any no of controllers, we can differentiate them using requestmapping annotaion.
@Controller
@RequestMapping("First")
public class LearningFrontController {
private static final Logger log= LoggerFactory.getLogger(LearningFrontController.class);

public String getResponseFromLearningFrontController(){
log.info("LearningFrontController started");
log.debug("Debug:LearningFrontController started");
log.debug("Debug:LearningFrontController completed");
return "Welcome to SpringBootFrontController";
}

}

similarly a single container can have any no of methods so we exlplicitly differentiate the method using @RequestMapping("/add")

@RequestMapping("/add/{a}/{b}")
@ResponseBody
public String getAddResponseFromLearningFrontController(@PathVariable int a,@PathVariable int b){
log.info("LearningFrontController started");
log.debug("Debug:LearningFrontController started");
int c=a+b;
log.debug("Debug:LearningFrontController completed");
log.debug("Debug:LearningFrontController completed");
return "Addition is "+c;
}
This method usually returns the view name and view resolver returns it to the client but when we want to return a value and inform the container to print the returned value as content of the page, we use "@ResponseBody"
@RequestMapping("/Login/{username}/{password}")
//@ResponseBody
public String Login(@PathVariable String username,@PathVariable String password)
{
log.debug("Debug:welcomeUser started");
String name1 =username;
log.debug("Debug:welcomeUser completed");
return "welcome "+username;

@RestController
Combination of both Responsebody and controller.
when all methods in the container uses response body, then we can mention one annotation at the top of the controller.
@RestController
@RequestMapping("/second")
public class LearningFrontREquestController {
private static final Logger log= LoggerFactory.getLogger(com.learning.LearningDemo.LearningFrontController.class);

    public String getResponseFromLearningFrontController(){
        log.info("LearningFrontController started");
        log.debug("Debug:LearningFrontRequstController started");
        log.debug("Debug:LearningFrontrequstController completed");
        return "Welcome to SpringBootFrontController";
    }

Difference between Pathvariable and RequestPAram
@PathVariable
1.user is sending input to the method in URL.

Service will fetch this input from the url and handles in method when @Pathvariable is mentioned.
URL format is http:/localhost::8080/firstControllerNameMappe/CallingMethoMap/{input1}/{input2}
Its param are unique value like userid
It can take only 20 arguments & It cannot take null values. if values are not sent in URL,it will throw 404 error.

6.Using java.util.Optional: You can wrap the parameter in an Optional type (e.g., Optional id). If the path variable is missing from the URI, the value will be Optional.empty() rather than null.
7.Handling with a Map: You can use a Map to capture all path variables. If a specific key is missing, its value in the map will be null.
8.Using pathVariableOrNull (WebFlux): For applications using Spring WebFlux, the ServerRequest interface provides a pathVariableOrNull() helper method to handle missing variables gracefully.

_@RequestParam
_1. Service will receive inputs from URL & URL is in below format
http://localhost:8080/firstControllerNameMappe/CallingMethoMap?input1=6&input2=9

Request can have any no of arguments & it wont represent unique id
it usually fetches a lengthy data ex:getting all the students name starting in K. It obviusly returns n no of data
It wont take empty arguments

@RequestBody
when the input is in JSON format. we use RequestBody.
JAckson library helps to convet JSON to object inside spring boot application and it also converts the object to JSON and send it back to POSTMAN.

@RequestMapping("/divide")
//@ResponseBody
public Student getDivideService(@RequestBody Student student){
log.info("inside LearningFrontController.getSubtractService");
int a=student.getFirstValue();
int b=student.getSecondValue();
log.info("a "+a +"b "+b);
if((a!=0)&&(b!=0)) {
double divided = learningDemoService.divitionService(a, b);
student.setDivided(divided);
}
student.setName(student.getName().toUpperCase().trim());
log.info(response);
log.info("exiting LearningFrontController.getSubtractService");
return student;
}
}

Object creation:
In java:
To have interaction between classes we will create object using new keyword.
Student object=new Student();

In Spring framework.
we will declare in XML

In spring boot we have two annotations

Component
Bean Component:
It is declared in class level. If @Comparable is mentioned on top of class, An object will be create on compile time.
Auto-detected via classpath scanning.
Limited; uses Spring's default instantiation.
Has specialized forms: @Service, @Repository, @Controller,@Configuration.
@Component is an interface

Bean:

It is declared in Method Level. It is declared in class which has @Configuration annotation on top of it.
All classe with @Configuration annotation is loaded and all the methods,construtors are loaded and all objects mentioned in the constructors are created.
It can be done in three ways setter injection, field injection, constructor injection. Field injection is not advisable.
programmer can have full control over the class.
we can create object for third party classes using Bean even library files. Snippet 1 @bean(initMethod = "init", destroyMethod = "cleanup") public MyService myService() { return new MyService(); } Ex import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration;

@Configuration
public class Config {
private static final Logger log= LoggerFactory.getLogger(Config.class);
@bean
Student getStudent(){
log.info("inside student Bean creation config ");
return new Student();
}

}

How it works internally
Application starts:
SpringApplication.run(MyApp.class, args);
Spring Boot:

Scans classes (@ComponentScan)
Reads config (@Configuration)
Applies auto-config (@EnableAutoConfiguration)
Beans are created and stored in:
👉 ApplicationContext (Spring Container

@PostConstruct:
we use postconstruct when we want to add values to an object immediately after initialisation.
When it runs
After the bean is created and dependencies are injected
✅ Purpose
Initialization logic
Setting default values
Opening resources
@PostConstruct
public void init(){
log.info("init method called");
studentFromBeanConfig.setName("Karthi");
studentFromBeanConfig.setLoginStatus(true);
}

@PreDestroy
It is used to delete values before destroying the same object.
@PreDestroy
public void preDestroy(){
System.out.println("Values are destroyed");
}
Lifecycle of Bean :
Bean Created → @PostConstruct → Bean in Use → @PreDestroy → Bean Destroyed

Important Points for PreDestroy
_Method must be:
_

public
void
No arguments
Works only for singleton beans by default
Triggered when: Application stops Context is closed.

@primary & @Qualifier
In Spring and Spring Boot, both @primary and @Qualifier are used to resolve autowiring ambiguity when multiple beans of the same type exist in the application context.
Primary Annotation:

The @primary annotation in Spring is used to designate a primary bean among multiple beans of the same type. When a primary bean is defined using @primary, it is preferred for injection when no specific bean name or qualifier is provided.
this is a class level annotation
Qualifier Annotation:
On the other hand, the @Qualifier annotation is used to specify the exact bean to be injected when multiple beans of the same type are present. It works in conjunction with bean names or custom qualifiers to resolve ambiguity and specify the desired bean for injection.
Example:
@RestController
@RequestMapping("student")
public class StudentPrimaryAndQualiferService {
@Autowired
@Qualifier("JavaCoursestuent")
StudentInterface studentInterface;

@RequestMapping("/getStudentInferface")
public String getStudentInterface(){
return "Name: "+studentInterface.getName()+ "Roll No :" +studentInterface.getRollNo();
}
}

package LearningBeanConfig;

import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;

@Component
@primary
public class SchoolStudent implements StudentInterface{
@override
public String getName() {
return "SchoolStudent";
}

@Override
public String getRollNo() {
    return "DAV-11";
}

}

package LearningBeanConfig;

import com.Learning.LearningDemo.LearningDemoApplication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component(value="JavaCoursestuent")
public class JavaCourseStu implements StudentInterface {
private static final Logger log = LoggerFactory.getLogger(JavaCourseStu.class);

@Override
public String getName() {
    log.info("JavaCoursestuent.getNAme starts");
    return "Java Course StudentInterface ";
}

@Override
public String getRollNo() {
    log.info("JavaCoursestuent.getRollNo starts");
    return "RollNo1";
}

}