Spring Security (Third Edition)

Getting Started with Spring Security

In this chapter, we'll apply a minimal Spring Security configuration to start addressing the first finding from the security audit discussed in Chapter 1, Anatomy of an Unsafe Application: inadvertent privilege escalation due to a lack of URL protection and general authentication. We will then build on the basic configuration to provide a customized experience for our users. This chapter is intended to get you up and running with Spring Security and to provide a foundation for any other security-related tasks you will need to perform.

During the course of this chapter, we will cover the following topics:

  • Implementing a basic level of security on the JBCP calendar application, using the automatic configuration option in Spring Security
  • Learning how to customize both the login and logout experience
  • Configuring Spring Security to restrict access differently, depending on the URL
  • Leveraging the expression-based access controls of Spring Security
  • Conditionally displaying basic information about the logged-in user using the JSP library in Spring Security
  • Determining the user's default location after login, based on their role