diff --git a/src/main/java/com/example/springsecuritystudy/HomeController.java b/src/main/java/com/example/springsecuritystudy/HomeController.java
new file mode 100644
index 0000000..ac81a70
--- /dev/null
+++ b/src/main/java/com/example/springsecuritystudy/HomeController.java
@@ -0,0 +1,19 @@
+package com.example.springsecuritystudy;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class HomeController {
+
+	@GetMapping("/user")
+	public String user() {
+		return "user";
+	}
+
+	@GetMapping("/admin")
+	public String admin() {
+		return "admin";
+	}
+
+}
diff --git a/src/main/java/com/example/springsecuritystudy/SecurityConfig.java b/src/main/java/com/example/springsecuritystudy/SecurityConfig.java
new file mode 100644
index 0000000..cec72d5
--- /dev/null
+++ b/src/main/java/com/example/springsecuritystudy/SecurityConfig.java
@@ -0,0 +1,47 @@
+package com.example.springsecuritystudy;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+public class SecurityConfig {
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		http
+				.authorizeHttpRequests(authorize -> authorize
+						.antMatchers("/user").hasRole("USER")
+						.antMatchers("/admin").hasRole("ADMIN")
+						.anyRequest().authenticated()
+				)
+				.httpBasic(Customizer.withDefaults())
+				.formLogin(Customizer.withDefaults())
+				.logout()
+					.logoutSuccessUrl("/login")
+		;
+		return http.build();
+	}
+
+	@Bean
+	public UserDetailsService users() {
+		User.UserBuilder users = User.withDefaultPasswordEncoder();
+		UserDetails user = users
+				.username("user")
+				.password("user")
+				.roles("USER")
+				.build();
+		UserDetails admin = users
+				.username("admin")
+				.password("admin")
+				.roles("ADMIN")
+				.build();
+		return new InMemoryUserDetailsManager(user, admin);
+	}
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index fd2cd1d..b2809b0 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -1,6 +1,14 @@
 server:
   port: 8080
+  devtools:
+    livereload:
+      enabled: true
+    restart:
+      enabled: true
+    thymeleaf:
+      cache: false
 
 logging:
   level:
     root: info
+#    org.springframework.security: debug
diff --git a/src/main/resources/templates/admin.html b/src/main/resources/templates/admin.html
new file mode 100644
index 0000000..7bdc29f
--- /dev/null
+++ b/src/main/resources/templates/admin.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html
+		lang="ko"
+		xmlns:th="http://www.thymeleaf.org"
+		xmlns:sec="http://www.thymeleaf.org/extras/spring-security"
+>
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport"
+				content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+	<meta http-equiv="X-UA-Compatible" content="ie=edge">
+	<title>Spring-Security-Study</title>
+</head>
+<body>
+	<h1>Admin</h1>
+	<a href="/">홈으로</a>
+</body>
+</html>
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index b42893c..f541a3f 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -1,5 +1,9 @@
-<!doctype html>
-<html lang="ko">
+<!DOCTYPE HTML>
+<html
+		lang="ko"
+		xmlns:th="http://www.thymeleaf.org"
+		xmlns:sec="http://www.thymeleaf.org/extras/spring-security"
+>
 <head>
 	<meta charset="UTF-8">
 	<meta name="viewport"
@@ -8,6 +12,9 @@
 	<title>Spring-Security-Study</title>
 </head>
 <body>
-	<h1>안녕하세요</h1>
+	<h1>Spring Security</h1>
+	<a href="/user">user 페이지 바로가기</a>
+	<a href="/admin">admin 페이지 바로가기</a>
+	<a href="/logout">로그아웃</a>
 </body>
 </html>
diff --git a/src/main/resources/templates/user.html b/src/main/resources/templates/user.html
new file mode 100644
index 0000000..b20e657
--- /dev/null
+++ b/src/main/resources/templates/user.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html
+		lang="ko"
+		xmlns:th="http://www.thymeleaf.org"
+		xmlns:sec="http://www.thymeleaf.org/extras/spring-security"
+>
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport"
+				content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+	<meta http-equiv="X-UA-Compatible" content="ie=edge">
+	<title>Spring-Security-Study</title>
+</head>
+<body>
+	<h1>User</h1>
+	<a href="/">홈으로</a>
+</body>
+</html>
diff --git a/src/test/java/com/example/springsecuritystudy/HomeControllerTest.java b/src/test/java/com/example/springsecuritystudy/HomeControllerTest.java
new file mode 100644
index 0000000..09c7b98
--- /dev/null
+++ b/src/test/java/com/example/springsecuritystudy/HomeControllerTest.java
@@ -0,0 +1,74 @@
+package com.example.springsecuritystudy;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.*;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.*;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+
+@SpringBootTest
+class HomeControllerTest {
+
+	@Autowired
+	private WebApplicationContext applicationContext;
+	private MockMvc mvc;
+
+	@BeforeEach
+	public void setUp() {
+		mvc = MockMvcBuilders.webAppContextSetup(applicationContext)
+				.apply(springSecurity())
+				.alwaysDo(print())
+				.build();
+	}
+
+	@Test
+	void login_user() throws Exception {
+		mvc.perform(
+				formLogin("/login")
+						.user("user")
+						.password("user")
+		).andExpect(status().is3xxRedirection());
+	}
+
+	@Test
+	void login_admin() throws Exception {
+		mvc.perform(
+				formLogin("/login")
+						.user("admin")
+						.password("admin")
+		).andExpect(status().is3xxRedirection());
+	}
+
+	@Test
+	@WithMockUser
+	void access_user() throws Exception {
+		mvc.perform(
+				get("/user")
+		).andExpect(status().isOk());
+	}
+
+	@Test
+	@WithMockAdmin
+	void access_admin() throws Exception {
+		mvc.perform(
+				get("/admin")
+		).andExpect(status().isOk());
+	}
+
+	@Test
+	@WithMockUser
+	void access_denied() throws Exception {
+		mvc.perform(
+				get("/admin")
+		).andExpect(status().isForbidden());
+	}
+}
diff --git a/src/test/java/com/example/springsecuritystudy/WithMockAdmin.java b/src/test/java/com/example/springsecuritystudy/WithMockAdmin.java
new file mode 100644
index 0000000..274d751
--- /dev/null
+++ b/src/test/java/com/example/springsecuritystudy/WithMockAdmin.java
@@ -0,0 +1,11 @@
+package com.example.springsecuritystudy;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+import org.springframework.security.test.context.support.WithMockUser;
+
+@Retention(RetentionPolicy.RUNTIME)
+@WithMockUser(value="admin", roles="ADMIN")
+public @interface WithMockAdmin {
+}