This article is going to focus on Login with Spring Security<\/strong>. We\u2019re going to built on top of the simple previous Spring MVC example<\/a>, as that\u2019s a necessary part of setting up the web application along with the login mechanism.<\/p>\n To add Maven dependencies to the project, please see the Spring Security with Maven article<\/a>. Both standard spring-security-web<\/em> and spring-security-config<\/em> will be required.<\/p>\n The Spring Security configuration in the web.xml<\/em> is simple \u2013 only an additional filter added to the standard Spring MVC web.xml<\/em>:\u00a0<\/em><\/p>\n The filter \u2013 DelegatingFilterProxy<\/em> \u2013 simply delegates to a Spring managed bean \u2013 the FilterChainProxy<\/em> \u2013 which itself is able to benefit from full Spring bean lifecycle management and such.<\/p>\n The Spring configuration is mostly written in Java, but Spring Security configuration doesn\u2019t yet support full Java and still needs to be XML for the most part. There is an ongoing effort to add Java based configuration for Spring Security<\/a>, but this is not yet mature. The overall project is using Java configuration, so the XML configuration file needs to be imported via a Java @Configuration<\/em> class:<\/p>\n The Spring Security XML Configuration \u2013 webSecurityConfig.xml<\/em>:<\/p>\n We are allowing anonymous access on \/login<\/em> so that users can authenticate. We are also securing everything else.<\/p>\n Note that the order of the <intercept-url><\/em><\/strong> element is significant \u2013 the more specific rules need to come first, followed by the more general ones.<\/p>\n The Authentication Provider is backed by a simple, in-memory implementation \u2013 InMemoryUserDetailsManager<\/em> specifically\u00a0 \u2013 configured in plain text. This only exists in Spring 3.1 and above and is meant to be used for rapid prototyping when a full persistence mechanism is not yet necessary.<\/p>\n The login form page is going to be registered with Spring MVC using the straightforward mechanism to map views names to URLs<\/a> with no need for an explicit controller in between:<\/p>\n This of course corresponds to the login.jsp<\/em>:<\/p>\n The Spring Login form<\/strong> has the following relevant artifacts:<\/p>\n We briefly discussed a few configurations of the login mechanism when we introduced the Spring Security XML Configuration above \u2013 let\u2019s go into some detail now.<\/p>\n One reason to override most of the defaults in Spring Security is to hide the fact that the application is secured with Spring Security<\/strong> and minimize the information a potential attacker knows about the application.<\/p>\n Fully configured, the <form-login><\/em> element looks like this:<\/p>\n The custom login page is configured via the login-page<\/em> attribute on <form-login><\/em>:<\/p>\n If this is not specified, a default URL is used \u2013 spring_security_login<\/em> \u2013 and Spring Security will generate a very basic Login Form at that URL.<\/p>\n The default URL where the Spring Login will POST to trigger the authentication process is \/j_spring_security_check<\/em>.<\/p>\n This URL can be overridden via the login-processing-url<\/em> attribute on <form-login><\/em>:<\/p>\n A good reason to override this default URL is to hide the fact that the application is actually secured with Spring Security \u2013 that information should not be available externally.<\/p>\n After a successful Login process, the user is redirected to a page \u2013 which by default is the root of the web application.<\/p>\n This can be overridden via the default-target-url<\/em> attribute on <form-login><\/em>:<\/p>\n In case the always-use-default-target<\/em> is set to true, then the user is always redirected to this page. If that attribute is set to false, then the user will be redirected to the previous page they wanted to visit before being promoted to authenticate.<\/p>\n Same as with the Login Page, the Login Failure Page is autogenerated by Spring Security at \/spring_security_login?login_error<\/em> by default.<\/p>\n This can be overridden via the authentication-failure-url<\/em> attribute<\/strong> on <form-login><\/em>:<\/p>\n In this Spring Login Example<\/strong> we configured a simple authentication process \u2013 we discussed the Spring Security Login Form, the Security XML Configuration and some of the more advanced customizations available in the namespace.<\/p>\n The implementation of this Spring Login tutorial can be found in the github project<\/a> \u2013 this is an Eclipse based project, so it should be easy to import and run as it is.<\/p>\n When the project runs locally, the sample html can be accessed at:<\/p>\n <\/p>\n 1. Introduction This article is going to focus on Login with Spring Security. We\u2019re going to built on top of the simple previous Spring MVC example, as that\u2019s a necessary part of setting up the web application along with the login mechanism. 2. The Maven Dependencies To add Maven dependencies to the project, please see …<\/p>\n","protected":false},"author":104,"featured_media":242,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[30,125],"class_list":["post-16842","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-spring","tag-spring-security"],"yoast_head":"\n2. The Maven Dependencies<\/h2>\n
3. The web.xml<\/em><\/h2>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<web-app xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n xmlns=\"http:\/\/java.sun.com\/xml\/ns\/javaee\" \r\n xmlns:web=\"http:\/\/java.sun.com\/xml\/ns\/javaee\/web-app_3_0.xsd\"\r\n xsi:schemaLocation=\"\r\n http:\/\/java.sun.com\/xml\/ns\/javaee \r\n http:\/\/java.sun.com\/xml\/ns\/javaee\/web-app_3_0.xsd\" \r\n id=\"WebApp_ID\" version=\"3.0\">\r\n\r\n <display-name>Spring Secured Application<\/display-name>\r\n\r\n <!-- Spring MVC -->\r\n <servlet>\r\n <servlet-name>mvc<\/servlet-name>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <servlet-class>org.springframework.web.servlet.DispatcherServlet<\/servlet-class>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <load-on-startup>1<\/load-on-startup>\r\n\u00a0\u00a0 <\/servlet>\r\n\u00a0\u00a0 <servlet-mapping>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <servlet-name>mvc<\/servlet-name>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <url-pattern>\/<\/url-pattern>\r\n\u00a0\u00a0 <\/servlet-mapping>\r\n\r\n <context-param>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <param-name>contextClass<\/param-name>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <param-value>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 org.springframework.web.context.support.AnnotationConfigWebApplicationContext\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <\/param-value>\r\n\u00a0\u00a0 <\/context-param>\r\n\u00a0\u00a0 <context-param>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <param-name>contextConfigLocation<\/param-name>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <param-value>org.baeldung.spring.web.config<\/param-value>\r\n\u00a0\u00a0 <\/context-param>\r\n\u00a0\u00a0 <listener>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <listener-class>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 org.springframework.web.context.ContextLoaderListener\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 <\/listener-class>\r\n\u00a0\u00a0 <\/listener>\r\n\r\n <!-- Spring Security -->\r\n <filter>\r\n <filter-name>springSecurityFilterChain<\/filter-name>\r\n <filter-class>org.springframework.web.filter.DelegatingFilterProxy<\/filter-class>\r\n <\/filter>\r\n <filter-mapping>\r\n <filter-name>springSecurityFilterChain<\/filter-name>\r\n <url-pattern>\/*<\/url-pattern>\r\n <\/filter-mapping>\r\n\r\n<\/web-app><\/pre>\n
2. The Spring Security configuration<\/h2>\n
@Configuration\r\n@ImportResource({ \"classpath:webSecurityConfig.xml\" })\r\npublic class SecSecurityConfig {\r\n public SecSecurityConfig() {\r\n super();\r\n }\r\n}<\/pre>\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<beans:beans xmlns=\"http:\/\/www.springframework.org\/schema\/security\" \r\n xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n xmlns:beans=\"http:\/\/www.springframework.org\/schema\/beans\"\r\n xsi:schemaLocation=\"\r\n http:\/\/www.springframework.org\/schema\/security \r\n http:\/\/www.springframework.org\/schema\/security\/spring-security-3.1.xsd\r\n http:\/\/www.springframework.org\/schema\/beans \r\n http:\/\/www.springframework.org\/schema\/beans\/spring-beans-3.2.xsd\">\r\n\r\n <http use-expressions=\"true\">\r\n <intercept-url pattern=\"\/login*\" access=\"isAnonymous()\" \/>\r\n <intercept-url pattern=\"\/**\" access=\"isAuthenticated()\"\/>\r\n\r\n <form-login \r\n login-page='\/login.html' \r\n default-target-url=\"\/homepage.html\" \r\n authentication-failure-url=\"\/login.html?error=true\" \/>\r\n\r\n <logout logout-success-url=\"\/login.html\" \/>\r\n\r\n <\/http>\r\n <authentication-manager>\r\n <authentication-provider>\r\n <user-service>\r\n <user name=\"user1\" password=\"user1Pass\" authorities=\"ROLE_USER\" \/>\r\n <\/user-service>\r\n <\/authentication-provider>\r\n <\/authentication-manager>\r\n<\/beans:beans><\/pre>\n
2.1. <intercept-url><\/em><\/h4>\n
2.2. <form-login><\/em><\/h4>\n
\n
2.3. <authentication-manager><\/em><\/h4>\n
3. The Login Form<\/h2>\n
registry.addViewController(\"\/login.html\");<\/pre>\n
<html>\r\n<head><\/head>\r\n<body>\r\n <h1>Login<\/h1>\r\n <form name='f' action=\"j_spring_security_check\" method='POST'>\r\n <table>\r\n <tr>\r\n <td>User:<\/td>\r\n <td><input type='text' name='j_username' value=''><\/td>\r\n <\/tr>\r\n <tr>\r\n <td>Password:<\/td>\r\n <td><input type='password' name='j_password' \/><\/td>\r\n <\/tr>\r\n <tr>\r\n <td><input name=\"submit\" type=\"submit\" value=\"submit\" \/><\/td>\r\n <\/tr>\r\n <\/table>\r\n <\/form>\r\n<\/body>\r\n<\/html><\/pre>\n
\n
4. Further Configuring Spring Login<\/h2>\n
<form-login \r\n login-page='\/login.html' \r\n login-processing-url=\"\/perform_login\" \r\n default-target-url=\"\/homepage.html\"\r\n authentication-failure-url=\"\/login.html?error=true\" \r\n always-use-default-target=\"true\"\/><\/pre>\n
4.1. The Login page<\/h4>\n
login-page='\/login.html'<\/pre>\n
4.2. The POST URL for Login<\/h4>\n
login-processing-url=\"\/perform_login\"<\/pre>\n
4.3. The Landing page on Success<\/h4>\n
default-target-url=\"\/homepage.html\"<\/pre>\n
4.4. The Landing page on Failure<\/h4>\n
authentication-failure-url=\"\/login.html?error=true\"<\/pre>\n
5. Conclusion<\/h2>\n
\n