Java Spring Security

View on Github

Java Spring Security

Gravatar for
By Luciano Balmaceda

This tutorial demonstrates how to add user login to a Java Spring Security web application. We recommend you to Log in to follow this quickstart with examples configured for your account.

I want to explore a sample app

2 minutes

Get a sample configured with your account settings or check it on Github.

View on Github
System requirements: Java 7 and up | Gradle 3.3 and up | Spring Boot 1.5.3 or above

New to Auth? Learn How Auth0 works, how it integrates with Regular Web Applications and which protocol it uses.

Configure Auth0

Get Your Application Keys

When you signed up for Auth0, a new application was created for you, or you could have created a new one.

You will need some details about that application to communicate with Auth0. You can get these details from the Application Settings section in the Auth0 dashboard.

You need the following information:

  • Client ID
  • Domain

If you download the sample from the top of this page these details are filled out for you.

If you have more than one application in your account, the sample comes with the values for your Default App.

App Dashboard

Configure Callback URLs

A callback URL is a URL in your application where Auth0 redirects the user after they have authenticated.

You need to whitelist the callback URL for your app in the Allowed Callback URLs field in your Application Settings. If you do not set any callback URL, your users will see a mismatch error when they log in.

If you are following along with the sample project you downloaded from the top of this page, you should set the Callback URL to http://localhost:3000/callback.

Configure Spring Security to Use Auth0

Setup Dependencies

You'll need to configure Spring Boot in your project first. You can generate the base project in this link, choosing Web in the dependencies and clicking the button "Generate Project". The downloaded project has the Spring Boot dependencies and plugin applied. You then need to add a Server dependency like Tomcat or Gretty, which one is up to you. Check our sample code for more information. The next step is to add the auth0-java-mvc-commons library. This one allows you to use Auth0 with Java for server-side MVC web apps. It generates the Authorize URL that you need to call in order to authenticate and validates the result received on the way back to finally obtain the Auth0 Tokens that identify the user. You can always check the latest version in the library's GitHub.

If you are using Gradle, add it to your build.gradle:

// build.gradle

compile 'com.auth0:mvc-auth-commons:1.+'

If you are using Maven, add it to your pom.xml:



Configure your Java Spring Security App

Your Java Spring Security App needs some information in order to authenticate against your Auth0 account. The samples read this information from the properties file src/main/resources/, but you could store them anywhere else. The required information is:

// src/main/resources/

com.auth0.domain: YOUR_DOMAIN
com.auth0.clientId: YOUR_CLIENT_ID
com.auth0.clientSecret: 'YOUR_CLIENT_SECRET'

The library we're using has this default behavior:

  • Request the scope openid, needed to call the /userinfo endpoint later to verify the User's identity.
  • Request the code Response Type and later perform a Code Exchange to obtain the tokens.
  • Use the HS256 Algorithm along with the Client Secret to verify the tokens.

But it also allows us to customize its behavior:

  • To use the RS256 Algorithm along with the Public Key obtained dynamically from the Auth0 hosted JWKs file, pass a JwkProvider instance to the AuthenticationController builder.
  • To use a different Response Type, set the desired value in the AuthenticationController builder. Any combination of code token id_token is allowed.
  • To request a different scope, set the desired value in the AuthorizeUrl received after calling AuthenticationController#buildAuthorizeUrl().
  • To specify the audience, set the desired value in the AuthorizeUrl received after calling AuthenticationController#buildAuthorizeUrl().

Check populated attributes

If you download the seed using our Download Sample button then the domain, clientId and clientSecret attributes will be populated for you, unless you are not logged in or you do not have at least one registered application. In any case, you should verify that the values are correct if you have multiple applications in your account and you might want to use another than the one we set the information for.

Project Structure

The Login project sample has the following structure:

- src
-- main
---- java
------ com
-------- auth0
---------- example
------------ mvc
------------ security
---- resources
---- webapp
------ WEB-INF
-------- jsp
---------- home.jsp
- build.gradle

The project contains a single JSP: the home.jsp which will display the user information associated to the token after a successful login and provide the option to logout.

The access control is handled by the Spring Security framework. A few rules in the class will suffice to check for existing tokens before giving the user access to our protected /portal/* path. If the tokens don't exist, the request will be redirected by the ErrorController to the LoginController.

The project contains also five Controllers:

  • Invoked when the user attempts to login. The controller uses the client_id and domain parameters to create a valid Authorize URL and redirects the user there.
  • The controller captures requests to our Callback URL and processes the data to obtain the credentials. After a successful login, the credentials are then saved to the request's HttpSession.
  • The controller reads the previously saved tokens and shows them on the home.jsp resource.
  • Invoked when the user clicks the logout link. The controller invalidates the user session and redirects the user to the login page, handled by the LoginController.
  • The controller triggers upon any non-handled exception and redirects the user to the /login path.

Trigger Authentication

Let's begin by making your Auth0 credentials available on the App. In the AppConfig class we tell Spring to map the properties defined in the file to the corresponding fields by using the @Configuration and @Value annotations.

// src/main/java/com/auth0/example/security/

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AppConfig extends WebSecurityConfigurerAdapter {

    @Value(value = "${com.auth0.domain}")
    private String domain;
    @Value(value = "${com.auth0.clientId}")
    private String clientId;
    @Value(value = "${com.auth0.clientSecret}")
    private String clientSecret;


Next, define the rules that will prevent unauthenticated users to access our protected resources. You do that by allowing anyone to access the /login and /callback endpoints in order to be able to complete the login flow, and blocking them from accessing any other endpoint if they are not authenticated:

// src/main/java/com/auth0/example/security/

protected void configure(HttpSecurity http) throws Exception {
            .antMatchers("/callback", "/login").permitAll()

Now create the AuthenticationController instance that will create the Authorize URLs and handle the request received in the callback. Do that by defining a method that returns the Bean in the same AppConfig class. Any customization on the behavior of the component should be done here, such as requesting a different response type or using a different signature verification algorithm.

// src/main/java/com/auth0/example/security/

public AuthenticationController authenticationController() throws UnsupportedEncodingException {
    return AuthenticationController.newBuilder(domain, clientId, clientSecret)

To authenticate the users you will redirect them to the login page which uses Lock. This page is accessible from what we call the "Authorize URL". By using this library you can generate it with a simple method call. It will require a HttpServletRequest to store the call context in the session and the URI to redirect the authentication result to. This URI is normally the address where your app is running plus the path where the result will be parsed, which happens to be also the "Callback URL" whitelisted before. Finally, request the "User Info" audience in order to obtain an Open ID Connect compliant response. After you create the Authorize URL, you redirect the request there so the user can enter their credentials. The following code snippet is located on the LoginController class of our sample.

// src/main/java/com/auth0/example/mvc/

@RequestMapping(value = "/login", method = RequestMethod.GET)
protected String login(final HttpServletRequest req) {
    String redirectUri = req.getScheme() + "://" + req.getServerName() + ":" + req.getServerPort() + "/callback";
    String authorizeUrl = controller.buildAuthorizeUrl(req, redirectUri)
        .withAudience(String.format("https://%s/userinfo", appConfig.getDomain()))
    return "redirect:" + authorizeUrl;

After the user logs in the result will be received in our CallbackController, either via a GET or a POST Http method. The request holds the call context that the library have previously set by generating the Authorize URL with the controller. When you pass it to the controller, you get back either a valid Tokens instance or an Exception indicating what went wrong. In the case of a successful call, you need to create a new TokenAuthentication instance with the ID Token and set it to the SecurityContextHolder. You can modify this class to accept an Access Token as well, but this is not covered in this tutorial. If an exception is raised instead, you need to clear any existing Authentication from the SecurityContextHolder.

// src/main/java/com/auth0/example/mvc/

@RequestMapping(value = "/callback", method = RequestMethod.GET)
protected void getCallback(final HttpServletRequest req, final HttpServletResponse res) throws ServletException, IOException {
  try {
      Tokens tokens = controller.handle(req);
      TokenAuthentication tokenAuth = new TokenAuthentication(JWT.decode(tokens.getIdToken()));
  } catch (AuthenticationException | IdentityVerificationException e) {

Display the Home Page

Now that the user is authenticated (the tokens exists), the framework will allow them to access our protected resources. In the HomeController you can get the existing Authentication object and even the Principal that represents it. Let's set that as the userId attribute so it can be used from the JSP code:

// src/main/java/com/auth0/example/mvc/

@RequestMapping(value = "/portal/home", method = RequestMethod.GET)
protected String home(final Map<String, Object> model, final Principal principal) {
    if (principal == null) {
        return "redirect:/logout";
    model.put("userId", principal);
    return "home";

Run the Sample

To run the sample from a terminal, change the directory to the root folder of the project and execute the following line:

./gradlew clean bootRun

After a few seconds, the application will be accessible on http://localhost:3000/. Try to access the protected resource http://localhost:3000/portal/home and note how you're redirected by the framework to the login page. The widget displays all the social and database connections that you have defined for this application in the dashboard.

Login using Lock

After a successful authentication you'll be able to see the home page contents.

Display Token

Log out by clicking the Logout button at the top right of the home page.

Use Auth0 for FREE