diff --git a/src/main/java/com/mousetech/gourmetj/SpringSecurityConfig.java b/src/main/java/com/mousetech/gourmetj/SpringSecurityConfig.java
new file mode 100644
index 0000000..683f4f9
--- /dev/null
+++ b/src/main/java/com/mousetech/gourmetj/SpringSecurityConfig.java
@@ -0,0 +1,43 @@
+package com.mousetech.gourmetj;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@EnableWebSecurity
+public class SpringSecurityConfig
+ extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http)
+ throws Exception {
+ // require all requests to be authenticated except
+ // for the resources
+ http.authorizeRequests()
+ .antMatchers("/javax.faces.resource/**", "/main.jsf",
+ "/img/**", "/recipeDetails.jsf")
+ .permitAll().anyRequest().authenticated();
+ // login
+ http.formLogin()// .loginPage("/login.xhtml")
+ .permitAll();
+ // .failureUrl("/login.xhtml?error=true");
+ // logout
+// http.logout().logoutSuccessUrl("/login.xhtml");
+ // not needed as JSF 2.2 is implicitly protected
+ // against CSRF
+ http.csrf().disable();
+ }
+
+ @Autowired
+ public void configureGlobal(
+ AuthenticationManagerBuilder auth) throws Exception {
+ auth.inMemoryAuthentication().withUser("tim.holloway")
+ .password("{noop}secret").roles("ADMIN").and()
+ .withUser("jane.doe").password("{noop}5678")
+ .roles("USER");
+ }
+}
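Review bot: `configureGlobal` commits working credentials to source: both accounts, including the `ADMIN` one, carry literal passwords stored with `{noop}`, so anyone with access to the repository or the built artifact can log in, and the values cannot be rotated without a rebuild. If the in-memory users are only a development stub, say so in a comment and restrict the bean to a development profile; otherwise load the users from externalized configuration and store hashed values, e.g. `.password("{bcrypt}<hash supplied from external config>")`. Separately, the comment above `http.csrf().disable()` relies on JSF's view-state token, which as far as I can tell covers JSF postbacks only; the Spring-generated login form from `http.formLogin()` and any non-JSF endpoint would be left without CSRF protection. I would keep CSRF enabled, or limit the exemption to the JSF paths and record that reasoning in the comment.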