# Spring Security: The Magic First Approach

Whenever I learn a new technology, I usually make things work first and later try to understand what is happening in the background. I call this the "Magic First Approach". It's not the most orthodox way of learning, but it's often the most effective.

In this article, we'll take a Magic First approach to Spring Security. We'll dive directly into the practical implementation of Spring Security and learn how things work under the hood afterwards.

By the end of this article, you'll be able to implement basic authentication and authorization using Spring Security.

## Default Security Feature

> Note: In this tutorial, we will be using Spring Boot 3.x.x and Spring Security 6.x.x. This requires a JDK version above 17.

1. Create a Spring Starter project with spring-web, spring-devtools and spring-security as dependencies.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699668690689/aa06bb3c-6370-4766-a117-8094e5ae01f8.png)
    
2. Import and run the project on your preferred IDE.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699669315952/76a505c7-1005-4ca9-a996-00d9845a84cf.png)
    
    Spring automatically enables security for the application and provides a default password, as seen in the image below. This feature can be overridden later with a custom authentication implementation, but let's first look at how the default security works.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699669643384/81949b6f-adf2-47b2-9f0f-a3a25c5066f5.png)
    
3. Now create a REST endpoint for testing purposes.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699670415209/981b1ad9-90bd-460d-8473-5fbb6eaa7aa1.png)
    
    The image above shows a new package `.controller` and a new controller class `ResourceController` with a REST endpoint `"/test"`. Let's now try to access this endpoint through a browser.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699670676668/0eccdbb7-5359-400c-adff-9f768d49fcbd.png)
    
4. By default, Spring Security doesn't let anyone access the application resources; it redirects to a login page.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699671398245/593736d7-1789-43df-9d5d-ed94bda5f5ad.png)
    
    The default username is **user** and the password is the one generated during application start-up. Enter the username and password and click on login.
    
5. Once you enter the proper credentials, you should be able to access the application resources.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699678141944/eee68fad-fde8-4691-b42a-45670c0e2c87.png)
    
    As soon as you log in, Spring Security starts maintaining an `HttpSession` and lets you access the application resources securely.
    
6. To log out, open the URL `localhost:8080/logout`. It is the default logout URL provided by Spring Security.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699678407302/d0c46e5c-5754-47e2-87d5-f47e406db4d9.png)
    
    You will then see the page below, where you have to click on the Logout button to log out.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1699678429669/90d68274-f911-430a-a4b6-aee2b555704b.png)
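
The code in the steps above is only visible as screenshots, so here is an added example (not the code from the original screenshots): the `ResourceController` with its `/test` endpoint from step 3, next to an explicit `SecurityFilterChain` that spells out the rules behind the default behaviour seen in steps 4 to 6. The package name, the `DefaultLikeSecurityConfig` class name and the response text are assumptions.

```java
// Added illustration; in a real project each class lives in its own file.
package com.example.demo; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// The test endpoint from step 3.
@RestController
class ResourceController {

    @GetMapping("/test")
    String test() {
        return "test resource"; // constructed response body
    }
}

// Hypothetical class name. It writes out what the default setup does:
// every request needs an authenticated user, browsers are sent to the
// generated login page, and HTTP Basic is accepted for non-browser clients.
@Configuration
class DefaultLikeSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No URL is public: /test is reachable only after login.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Generated /login page; the /logout page comes with it.
            .formLogin(Customizer.withDefaults())
            // Same credentials sent in an Authorization header.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Declaring this bean makes Spring Boot's own default chain back off, while the generated `user` password keeps working because no `UserDetailsService` has been defined.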
    

This article demonstrates the default authentication and authorization provided by Spring Security. This implementation is only for beginners; later it has to be overridden by custom authentication and authorization logic, which we will see in the next article. Feel free to leave a comment if you have any queries.
