== Securing the application

Before securing your application, it is important to ensure that the existing application works as we did in <>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to a Spring MVC application.

=== Updating your dependencies

You will need to ensure you have added the dependencies. Spring Security milestones and release candidates are available in the https://github.com/SpringSource/spring-framework/wiki/SpringSource-repository-FAQ[Spring Milestone Repository]. In short, if you are using Maven and using a milestone or release candidate, ensure you have the following repository in your pom.xml:

.pom.xml
[source,xml]
----
<repositories>
  <repository>
    <id>spring-libs-milestone</id>
    <name>Spring Milestone Repository</name>
    <url>http://repo.springsource.org/milestone</url>
  </repository>
</repositories>
----

You will then need to include the Spring Security dependencies:

.pom.xml
[source,xml]
[subs="verbatim,attributes"]
----
<dependencies>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>{spring-security-version}</version>
  </dependency>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>{spring-security-version}</version>
  </dependency>
</dependencies>
----

After you have completed this, you need to ensure that STS knows about the updated dependencies by:

* Right click on the _spring-security-samples-{starter-appname}_ application
* Select *Maven->Update project...*
* Ensure the project is selected, and click *OK*

=== Creating your Spring Security configuration

The next step is to create a Spring Security configuration.

* Right click the _spring-security-samples-{starter-appname}_ project in the Package Explorer view
* Select *New->Class*
* Enter _org.springframework.security.samples.config_ for the *Package*
* Enter _SecurityConfig_ for the *Name*
* Click *Finish*
* Replace the file with the following contents:

[[security-config-java]]
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
[source,java]
----
package org.springframework.security.samples.config;

import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Registers a single in-memory user with a hard-coded password and the USER role
    @Override
    protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}
----

[[servlet-api-integration]]
The <<security-config-java,SecurityConfig>> will:

* Require authentication for every URL in your application
* Generate a login form for you
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with HTTP basic authentication
* Allow the user to log out
* Integrate with the following Servlet API methods
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest#getUserPrincipal()]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest#isUserInRole(java.lang.String)]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest#login(java.lang.String, java.lang.String)]
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest#logout()]
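
The Servlet API integration listed above can be checked with a small Spring MVC controller that reads the authenticated user through the standard request methods. This is an added example, not part of the sample application; the class name `WhoAmIController`, its package, and the `/whoami` path are assumptions, and the package must be covered by the application's component scan.

```java
package org.springframework.security.samples.mvc; // assumed package, not from the sample

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical controller that reports what the Servlet API exposes once
// Spring Security has authenticated the request.
@Controller
public class WhoAmIController {

    // Plain text response so the user name is never interpreted as HTML.
    @RequestMapping(value = "/whoami", produces = "text/plain")
    @ResponseBody
    public String whoAmI(HttpServletRequest request) {
        return describe(request);
    }

    // Kept separate from the handler so it works with any HttpServletRequest.
    static String describe(HttpServletRequest request) {
        String remoteUser = request.getRemoteUser();
        Principal principal = request.getUserPrincipal();

        // Both are null when the request carries no authentication. With the
        // SecurityConfig above every URL requires authentication, so this
        // branch is only reached if that rule is later relaxed.
        if (remoteUser == null || principal == null) {
            return "anonymous";
        }

        // roles("USER") grants the authority ROLE_USER. Whether isUserInRole
        // adds the ROLE_ prefix for you depends on the Spring Security
        // version, so both spellings are checked here.
        boolean hasUserRole = request.isUserInRole("USER")
                || request.isUserInRole("ROLE_USER");

        return "remoteUser=" + remoteUser
                + ", principal=" + principal.getName()
                + ", hasUserRole=" + hasUserRole;
    }
}
```

After logging in as _user_, requesting `/whoami` should report that user name for both `remoteUser` and `principal`.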