Spring Boot + Spring MVC + Spring Security + MySQL

The code has been updated to support Spring Boot 2.0 and resolve minor/major issues (September 7, 2018).

GitHub / Code

This tutorial will show you how to implement a Login process using the following tech stack:

  • Spring Boot(2.0.4)
  • Spring Security
  • Spring MVC
  • JPA
  • Thymeleaf
  • Lombok
  • MySQL
  • Bootstrap (UI Presentation)
  • Maven
  • Eclipse / IntelliJ
  • Java 8
  • Packaging (JAR)


  • Install lombok on Eclipse/IntelliJ

Project Creation

First, let’s use the Spring initializer page to create our maven project with the dependencies listed below.

  1. Go to → https://start.spring.io/
  2. Leave everything as it is and select the following dependencies: Web, Security, JPA, MySQL, Thymeleaf and Lombok.

Click on Generate Project button to download the maven project (demo.zip file).

Import Project into Eclipse or IntelliJ

  1. Unzip the zip file.
  2. Import into Eclipse as “Existing Maven Project
  3. Choose the root directory of the project generated (where the pom.xml file is located) and click on Finish.

Eclipse (Import Project)

IntelliJ(Open Project)

Project Structure Generated

Model Creation

Now let´s create our model classes called User and Role(Entity classes). Lombok is a very useful library used to generate boilerplate code manly for model/data objects.


This class includes validations based on the validations provided by Hibernate.


Data Layer (JPA Repositories)

The repositories allow us to access the information stored in the data base.



Service Layer

Now let´s create our service layer. We will inject the UserRepository, RoleRepository and the BCryptPasswordEncoder into UserService .


Unit Test (Service Layer)

Configuration Files


This class defines the password encoder that we just injected in the service layer.


This class is where the security logic is implemented, let´s analyze the code.

  • Line 21 → password encoder reference implemented in WebMvcConfig.java
  • Line 24 → data source implemented out of the box by Spring Boot. We only need to provide the database information in the application.properties file (please see the reference below).
  • Lines 27 and 30 → Reference to user and role queries stored in application.properties file (please see the reference below).
  • Lines from 33 to 41 → AuthenticationManagerBuilder provides a mechanism to get a user based on the password encoder, data source, user query and role query.
  • Lines from 44 to 61 → Here we define the antMatchers to provide access based on the role(s) (lines 48 to 51), the parameters for the login process (lines 55 to 56), the success login page(line 53), the failure login page(line 53), and the logout page (line 58).
  • Lines from 64 to 68 → Due we have implemented Spring Security we need to let Spring knows that our resources folder can be served skipping the antMatchers defined.

application.properties file

Basically the idea of this file is to setup the configurations in a property file instead of a xml file or a java configuration class.


  • The properties “spring.queries.users-query” and “spring.queries.roles-query” define where the user/role information is stored.
  • Update with your Database credentials.

If you want to see the complete reference of the application.properties file, please refer the next page.

Controller Layer

MVC Logic

By default Spring Boot defines the view resolver in the next way.

  • Prefix → resources/templates
  • Suffix → html

Note: if you want to implement a custom view resolver you can do it using the application.properties file or the a java configuration file.

View Layer



SQL Scripts


This script will be executed every time the application is launched, if you need more roles please include them in this file.

Note: By default Spring Boot will create the database structure if you have provided in the right way your MySQL credentials in the application.properties file.

Register new user



User Registration

As you can see the password has been stored with a Hash algorithm due we have implemented the BCryptPasswordEncoder in our AuthenticationManagerBuilder.

Login Process


Login Fail

Login Success

That’s all folks, as you can see we have implemented a Login process from scratch including password hash strategy. BTW never store passwords in a plain text.

If you have any question or feedback don’t hesitate to write your thoughts in the comments/responses section.

For issues related to code, feel free please create an issue directly in GitHub repository.