diff --git a/spring-security-login-and-registration/pom.xml b/spring-security-login-and-registration/pom.xml
index 24f0b374cc..2fad0252a3 100644
--- a/spring-security-login-and-registration/pom.xml
+++ b/spring-security-login-and-registration/pom.xml
@@ -54,17 +54,17 @@
         </dependency>
         
         <dependency>
-			<groupId>org.springframework</groupId>
-			<artifactId>spring-test</artifactId>
-			<scope>test</scope>
-		</dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <!-- Password Validation -->
         <dependency>
-		    <groupId>org.passay</groupId>
-		    <artifactId>passay</artifactId>
-		    <version>1.0</version>
-		</dependency>
+            <groupId>org.passay</groupId>
+            <artifactId>passay</artifactId>
+            <version>1.0</version>
+        </dependency>
         
         
         <!-- Spring Data JPA dependencies -->
@@ -137,6 +137,19 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>com.jayway.restassured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <version>2.4.0</version>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <artifactId>commons-logging</artifactId>
+                    <groupId>commons-logging</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
     </dependencies>
 
     <build>
@@ -189,4 +202,4 @@
         <guava.version>18.0</guava.version>
 
     </properties>
-</project>
+</project>
\ No newline at end of file
diff --git a/spring-security-login-and-registration/src/main/java/org/baeldung/web/controller/RegistrationController.java b/spring-security-login-and-registration/src/main/java/org/baeldung/web/controller/RegistrationController.java
index ab8d3feb66..f3520d052f 100644
--- a/spring-security-login-and-registration/src/main/java/org/baeldung/web/controller/RegistrationController.java
+++ b/spring-security-login-and-registration/src/main/java/org/baeldung/web/controller/RegistrationController.java
@@ -171,6 +171,7 @@ public class RegistrationController {
     // change user password
 
     @RequestMapping(value = "/user/updatePassword", method = RequestMethod.POST)
+    @PreAuthorize("hasRole('READ_PRIVILEGE')")
     @ResponseBody
     public GenericResponse changeUserPassword(final Locale locale, @RequestParam("password") final String password, @RequestParam("oldpassword") final String oldPassword) {
         final User user = userService.findUserByEmail(SecurityContextHolder.getContext().getAuthentication().getName());
diff --git a/spring-security-login-and-registration/src/main/webapp/WEB-INF/view/changePassword.jsp b/spring-security-login-and-registration/src/main/webapp/WEB-INF/view/changePassword.jsp
index 21f4e52c23..dd4a28df66 100644
--- a/spring-security-login-and-registration/src/main/webapp/WEB-INF/view/changePassword.jsp
+++ b/spring-security-login-and-registration/src/main/webapp/WEB-INF/view/changePassword.jsp
@@ -13,6 +13,7 @@
 <title><spring:message code="message.changePassword"></spring:message></title>
 </head>
 <body>
+<sec:authorize access="hasRole('READ_PRIVILEGE')">
 <nav class="navbar navbar-default">
   <div class="container-fluid">
     <div class="navbar-header">
@@ -66,7 +67,8 @@ function savePass(){
     	$("#errormsg").show().html(data.responseJSON.message);
     });
 }
-</script>    
+</script>  
+</sec:authorize>  
 </body>
 
 </html>
\ No newline at end of file
diff --git a/spring-security-login-and-registration/src/test/java/org/baeldung/spring/ConfigTest.java b/spring-security-login-and-registration/src/test/java/org/baeldung/spring/ConfigTest.java
new file mode 100644
index 0000000000..537769202d
--- /dev/null
+++ b/spring-security-login-and-registration/src/test/java/org/baeldung/spring/ConfigTest.java
@@ -0,0 +1,23 @@
+package org.baeldung.spring;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+
+@Configuration
+// @ComponentScan("org.baeldung.test")
+public class ConfigTest extends WebMvcConfigurerAdapter {
+
+    public ConfigTest() {
+        super();
+    }
+
+    // API
+    @Bean
+    public PasswordEncoder encoder() {
+        return new BCryptPasswordEncoder(11);
+    }
+
+}
\ No newline at end of file
diff --git a/spring-security-login-and-registration/src/test/java/org/baeldung/test/RegistrationAPIChangePasswordTest.java b/spring-security-login-and-registration/src/test/java/org/baeldung/test/RegistrationAPIChangePasswordTest.java
new file mode 100644
index 0000000000..93909d9ef7
--- /dev/null
+++ b/spring-security-login-and-registration/src/test/java/org/baeldung/test/RegistrationAPIChangePasswordTest.java
@@ -0,0 +1,102 @@
+package org.baeldung.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.baeldung.persistence.dao.UserRepository;
+import org.baeldung.persistence.model.User;
+import org.baeldung.spring.ConfigTest;
+import org.baeldung.spring.PersistenceJPAConfig;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.support.AnnotationConfigContextLoader;
+
+import com.jayway.restassured.RestAssured;
+import com.jayway.restassured.authentication.FormAuthConfig;
+import com.jayway.restassured.response.Response;
+import com.jayway.restassured.specification.RequestSpecification;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration(classes = { ConfigTest.class, PersistenceJPAConfig.class }, loader = AnnotationConfigContextLoader.class)
+@ActiveProfiles("test")
+public class RegistrationAPIChangePasswordTest {
+
+    @Autowired
+    private UserRepository userRepository;
+
+    @Autowired
+    private PasswordEncoder passwordEncoder;
+
+    private final String URL_PREFIX = "http://localhost:8080/spring-security-login-and-registration";
+
+    private final String URL = URL_PREFIX + "/user/updatePassword";
+
+    FormAuthConfig formConfig = new FormAuthConfig(URL_PREFIX + "/j_spring_security_check", "j_username", "j_password");
+
+    @Before
+    public void init() {
+        User user = userRepository.findByEmail("test@test.com");
+        if (user == null) {
+            user = new User();
+            user.setFirstName("Test");
+            user.setLastName("Test");
+            user.setPassword(passwordEncoder.encode("test"));
+            user.setEmail("test@test.com");
+            user.setEnabled(true);
+            userRepository.save(user);
+        } else {
+            user.setPassword(passwordEncoder.encode("test"));
+            userRepository.save(user);
+        }
+    }
+
+    @Test
+    public void givenLoggedInUser_whenChangingPassword_thenCorrect() {
+        final RequestSpecification request = RestAssured.given().auth().form("test@test.com", "test", formConfig);
+
+        final Map<String, String> params = new HashMap<String, String>();
+        params.put("oldpassword", "test");
+        params.put("password", "newtest");
+
+        final Response response = request.with().params(params).post(URL);
+
+        assertEquals(200, response.statusCode());
+        assertTrue(response.body().asString().contains("Password updated successfully"));
+    }
+
+    @Test
+    public void givenWrongOldPassword_whenChangingPassword_thenBadRequest() {
+        final RequestSpecification request = RestAssured.given().auth().form("test@test.com", "test", formConfig);
+
+        final Map<String, String> params = new HashMap<String, String>();
+        params.put("oldpassword", "abc");
+        params.put("password", "newtest");
+
+        final Response response = request.with().params(params).post(URL);
+
+        assertEquals(400, response.statusCode());
+        assertTrue(response.body().asString().contains("Invalid Old Password"));
+    }
+
+    @Test
+    public void givenNotAuthenticatedUser_whenChangingPassword_thenRedirect() {
+        final Map<String, String> params = new HashMap<String, String>();
+        params.put("oldpassword", "abc");
+        params.put("password", "xyz");
+
+        final Response response = RestAssured.with().params(params).post(URL);
+
+        assertEquals(302, response.statusCode());
+        assertFalse(response.body().asString().contains("Password updated successfully"));
+    }
+}