Persistence top

Get started with Spring Data JPA through the reference Learn Spring Data JPA course:


It’s just plain hard to get true, real-time visibility into a running auth flow.

Parts of the process can be completely hidden from us; if the complete authorization process requires a redirect from a remote OAuth production server, then every debugging effort must go through the production server.

It’s practically unfeasible to debug this locally. There’s no way to reproduce the exact state and no way to inspect what is actually happening under the hood. Not ideal.

Knowing these types of challenges, we built Lightrun - a real-time production debugging tool - to allow you to understand complicated flows with code-level information. Add logs, take snapshots (virtual breakpoints), and instrument metrics without a remote debugger, without stopping the running service, and, most importantly - in real-time and without side effects.

Learn more with this 5-minute tutorial focused on debugging these kinds of scenarios using Lightrun:

>> Debugging Authentication and Authorization Using Lightrun

1. Overview

Spring Security provides a good support for integration with Spring Data. While the former handles security aspects of our application, the latter provides convenient access to the database containing the application's data.

In this article, we'll discuss how Spring Security can be integrated with Spring Data to enable more user-specific queries.

2. Spring Security + Spring Data Configuration

In our introduction to Spring Data JPA, we saw how to setup Spring Data in a Spring project. To enable spring security and spring data, as usual, we can adopt either the Java or XML-based configuration.

2.1. Java Configuration

Recall that from Spring Security Login Form (sections 4 & 5), we can add Spring Security to our project using the annotation based configuration:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // Bean definitions

Other configuration details would include the definition of filters, beans, and other security rules as required.

To enable Spring Data in Spring Security, we simply add this bean to WebSecurityConfig:

public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
    return new SecurityEvaluationContextExtension();

The above definition enables activation of automatic resolving of spring-data specific expressions annotated on classes.

2.2. XML Configuration

The XML-based configuration begins with the inclusion of the Spring Security namespace:

<beans:beans xmlns=""

Just like in the Java-based configuration, for the XML or namespace based configuration, we'd add SecurityEvaluationContextExtension bean to the XML configuration file:

<bean class="

Defining the SecurityEvaluationContextExtension makes all the common expressions in Spring Security available from within Spring Data queries.

Such common expressions include principal, authentication, isAnonymous(), hasRole([role]), isAuthenticated, etc.

3. Example Usage

Let's consider some use cases of Spring Data and Spring Security.

3.1. Restrict AppUser Field Update

In this example, we'll look at restricting AppUser‘s lastLogin field update to the only currently authenticated user.

By this, we mean that anytime updateLastLogin method is triggered, it only updates the lastLogin field of the currently authenticated user.

To achieve this, we add the query below to our UserRepository interface:

@Query("UPDATE AppUser u SET u.lastLogin=:lastLogin WHERE" 
  +" u.username = ?#{ principal?.username }")
void updateLastLogin (Date lastLogin);

Without Spring Data and Spring Security integration, we'd normally have to pass the username as an argument to updateLastLogin.

In a case where the wrong user credentials are provided, the login process will fail and we do not need to bother about ensuring validation of access.

3.2. Fetch Specific AppUser' Content With Pagination

Another scenario where Spring Data and Spring Security work perfectly hand-in-hand is a case where we need to retrieve content from our database that is owned by the currently authenticated user.

For instance, if we have a tweeter application, we may want to display tweets created or liked by current user on their personalized feeds page.

Of course, this may involve writing queries to interact with one or more tables in our database. With Spring Data and Spring Security, this is as simple as writing:

public interface TweetRepository extends PagingAndSortingRepository<Tweet, Long> {
    @Query("SELECT twt FROM Tweet twt JOIN twt.likes AS lk WHERE lk = ?#{ principal?.username }" +
      " OR twt.owner = ?#{ principal?.username }")
    Page<Tweet> getMyTweetsAndTheOnesILiked(Pageable pageable);

Because we want our results paginated, our TweetRepository extends PagingAndSortingRepository in the above interface definition.

4. Conclusion

Spring Data and Spring Security integration bring a lot of flexibility to managing authenticated states in Spring applications.

In this session, we've had a look at how to add Spring Security to Spring Data. More about other powerful features of Spring Data or Spring Security can be found in our collection of Spring Data and Spring Security articles.

As usual, code snippets can be found over on GitHub.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

Persistence bottom
Get started with Spring Data JPA through the reference Learn Spring Data JPA course: >> CHECK OUT THE COURSE
Security footer banner
Comments are closed on this article!