Suggested Steps for Getting Started with Spring Security

  1. Deploy the "Tutorial" Sample Application

    This is included in the distribution zip file. It's the file spring-security-samples-tutorial-<version>.war. Rename this to something like tutorial.war (for a simplified URL when deploying it to Tomcat). Drop the war file into the Tomcat webapps directory and then start the server. You should then be able to access the application through the URL http://localhost:8080/tutorial/. This application doesn't actually do a lot but it does give you a template that can be quickly and easily used to integrate Spring Security into your own project. Most of the problems beginners encounter are due to simple configuration errors or classpath issues (the wrong or missing jars in the WEB-INF/lib directory). Always start from a working configuration and build on that.

    Make sure you familiarise yourself with the debug logging output from Spring Security (which should be enabled by default) as you use the application. The framework produces detailed logging, yet many people fail to make use of it. What happens when you first click on a secured link as an unauthenticated user? What happens when you log in, log out, and so on? You will see each HTTP request logged as it progresses through the security filter chain, together with information on how it is handled. Many of the problems reported in the forum could be solved by matching up the web browser requests to their corresponding log entries.

    Estimated time: 30 minutes.

  2. Watch a Video

    There are a couple of good video presentations which are linked to from our articles page. You can watch one (or both) of these to get an overview of the framework.

    Estimated time: 1 hour.

  3. Follow the Petclinic Tutorial

    This covers how to add Spring Security to the commonly-used Petclinic sample application that ships with Spring, using the tutorial sample content files as an example. This will give you a hands-on approach to integrating Spring Security into your own application.

    Estimated time: 1 hour.

  4. Review the Reference Guide

    In particular, the namespace chapter of Part I is the most relevant to what you used in the previous two steps. Go through the namespace elements used in the "Tutorial Sample" and understand the main purpose of each. Experiment with making some modifications to the Petclinic tutorial or the tutorial sample. The remainder of the guide goes into more detail about the framework implementation classes, and you can browse it as required.

    Estimated time: 1/2 day.
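    To make the namespace review concrete, here is an added example of a minimal security configuration in the style of the tutorial sample. It is not the sample's own file and was not written by the Spring Security project; it assumes the Spring Security 3.x namespace (where the provider sits inside an authentication-manager element) and the versionless schema URLs, and the user names, passwords and URL patterns are constructed for illustration only.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a minimal namespace configuration; not the tutorial
     sample's own file. Assumes Spring Security 3.x namespace syntax and the
     versionless schema URLs; accounts and URL patterns are constructed. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- <http> builds the filter chain that every web request passes through.
         auto-config="true" registers form login, HTTP Basic and logout support
         so they do not have to be declared one by one. -->
    <http auto-config="true">
        <!-- intercept-url elements are tried top to bottom and the FIRST match
             wins, so the most specific pattern must come first. Placing /** at
             the top would silently make every page accessible to anonymous users,
             a common configuration error. -->
        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/secure/**"         access="ROLE_USER"/>
        <intercept-url pattern="/**"                access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    </http>

    <!-- <authentication-manager> wires the provider that checks submitted
         credentials. The in-memory <user-service> is enough for a first
         deployment; the reference guide shows how to replace it with a JDBC
         or LDAP provider once the basic configuration works. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- constructed sample accounts -->
                <user name="alice" password="alicepw" authorities="ROLE_SUPERVISOR,ROLE_USER"/>
                <user name="bob"   password="bobpw"   authorities="ROLE_USER"/>
                <!-- disabled="true" keeps the account defined but refuses login -->
                <user name="carol" password="carolpw" authorities="ROLE_USER" disabled="true"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

This file only takes effect if web.xml declares a DelegatingFilterProxy with the filter name springSecurityFilterChain mapped to the request paths you want protected; a missing or mis-named filter is one of the classpath and configuration slips mentioned in step 1. With the debug logging from step 1 switched on, each request to /secure/** should show the configuration attribute (ROLE_USER) that was applied to it, which is the quickest way to confirm that the intercept-url ordering does what you intended.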

  5. Deploy the Contacts Sample (Optional)

    This sample application will give you a taste of the more advanced features of the framework, particularly the ACL module. The file is spring-security-samples-contacts-<version>.war. It's a standard Spring MVC web application which allows you to log in as a particular user (the users are listed on the login page) and view the "contacts" in a database. Each contact instance has a set of permissions associated with it, and the displayed list of contacts will vary depending on whether the logged-in user has the required permissions. Users with administrative rights for a contact can delete the contact or create or delete permissions for the instance, thus assigning (or revoking) the permissions of other users to read, write or administer the contact instance. Security is applied at the method level through the use of annotations on the ContactManager interface.

    Estimated time: 1–2 days.

  6. Secure your own application

    By now you will have a good grasp of how Spring Security works, and all that is left to do is design your own application's security implementation. We strongly recommend that you start your actual integration with the "Tutorial Sample", even if you have complex needs. Most people reporting problems on the forums do so because of a configuration problem, as they're trying to make too many changes at once without really knowing what they're doing. Instead, make changes one at a time, starting from the basic configuration provided by the "Tutorial Sample".

    If you've followed the steps above, and refer back to the Reference Guide, Community Forum, and the FAQ for help, you should find it pretty easy to implement Spring Security in your application. Most importantly, you'll be using a security framework that offers you complete container portability, flexibility, and community support – without needing to write and maintain your own code.

    Estimated time: 1–5 days.

Please note the time estimates are just that: estimates. They will vary considerably depending on how much experience you have, particularly with Java and Spring. They will also vary depending on how complex your intended security-enabled application will be. Some people need to push the domain object instance access control list capabilities to the maximum, while others don't even need anything beyond web request security. The good thing is Spring Security will either directly support your future needs, or provide a clearly-defined extension point for addressing them.

We welcome your feedback about how long it has actually taken you to complete each step, so we can update this page and help new users better assess their project timetables in the future. Any other tips on what you found helpful in learning Spring Security are also very welcome.