In the earlier tutorial we got an introduction to Spring Security using XML. Spring can be configured to provide login and logout capabilities to an application. Spring provides a default login page that can be made available by simply turning on a variable in the Spring configuration file. However, in most cases we would like to use our own login page and then delegate the request to the Spring login URL. In this example we look at how to do that.
Sample Program Overview
In this example we show how a custom login page can be used with Spring-based authentication and authorization:
- User accesses a URL on a web application
- The web application refers to web.xml
- The web.xml matches the URL pattern
- The control is redirected to DispatcherServlet in Spring framework
- Spring framework finds that all URLs are secured. It also finds that a custom login page is configured and forwards the request to the LoginController, which is a Spring MVC Controller
- The LoginController redirects to the Custom Login Page
- The user enters his login name and password and submits the custom login form
- Spring performs authentication and authorization of the user’s credentials against the entries in the Spring configuration file and redirects to LoginController
- LoginController displays the originally accessed URL upon successful authentication
Create the LoginController class as shown below. This is a Spring MVC Controller class. Please see the Related Trail Spring MVC Basics for more details.
Map the request
method and redirect to main_page.jsp after setting ‘username’ attribute with the logged in user’s name. (see lines 12-19 below).
Map the request
method and redirect to login_page.jsp (see lines 21-26 below).
Create the custom login page JSP (as shown below) that is used in Spring Security.
The important aspects to note in this JSP are:
- The user name should be stored in a parameter named j_username (see line 23 below)
- The password should be stored in a parameter named j_password (see line 28 below)
- This form should be submitted to the URL j_spring_security_check
- A login error is handled by checking for an attribute named ‘error’ (see lines 9-15 below)
Create the main page as shown below.
It welcomes the user by getting the logged in user’s name from the
Note that this attribute was set in LoginController’s
Create the web.xml file as shown below.
Register Spring’s DispatcherServlet used to register handlers for processing the web request (see lines 29-38 below).
Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
and is registered as Spring bean.
Note: In this example we do not have to specifically create a class that implements
. This is automatically available to us when we configure our Spring configuration file using
in the springmvcdispatcher-servlet.xml file described later.
Also configure the ContextLoaderListener (see lines 25-27 below).
Finally provide the location of Spring’s configuration file in web.xml (see lines 9-13 below).
Create the springmvcdispatcher-servlet.xml as shown below.
Allow annotation based Spring MVC controller declaration by using
tag (see line 15 below).
Configure Spring such that the prefix
and the suffix
should be added to the name of the view JSP (see lines 18-26 below) as specified in the return statements of all methods of the LoginController class.
Configure Spring security using
tag (see lines 14-18 below).
Note that when URL fragment
is accessed, the security interceptor is invoked (see line 15 below), and the URL can be accessed by a user having ‘ROLE_ADMIN’ authorization.
Also note that custom login page is mentioned using
attribute. The error page to be displayed is also mentioned using
were mapped in LoginController
Specify the authentication and authorization credentials for valid users (see lines 20-26 below). Note in particular the
tag using which the name, password and authorization role for a user is specified (see line 23 below).
This demonstrates the declarations required to display a custom login page.
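The security declarations described above, written out as an added example (not the tutorial's own file) and assuming the Spring Security 3.2 XML namespace. The URLs /login and /loginError, the user name and the password placeholder are assumptions; the j_* parameter names, the j_spring_security_check URL and ROLE_ADMIN are the ones the page gives.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the tutorial's file. Assumes the Spring Security 3.2 schema. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <security:http auto-config="true">
    <!-- Rules are matched top to bottom; first match wins. The login page and
         its error variant (hypothetical URLs) must stay reachable before login,
         otherwise the redirect to the login page is itself intercepted. -->
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <!-- Everything else requires ROLE_ADMIN, the role named on the page. -->
    <security:intercept-url pattern="/**" access="ROLE_ADMIN"/>

    <!-- The form contract from the JSP, spelled out instead of left to defaults. -->
    <security:form-login
        login-page="/login"
        authentication-failure-url="/loginError"
        login-processing-url="/j_spring_security_check"
        username-parameter="j_username"
        password-parameter="j_password"/>
  </security:http>

  <!-- bcrypt instead of a clear-text password attribute. -->
  <bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

  <security:authentication-manager>
    <security:authentication-provider>
      <security:password-encoder ref="passwordEncoder"/>
      <security:user-service>
        <!-- Constructed user; replace the placeholder with a real bcrypt hash. -->
        <security:user name="admin"
                       password="REPLACE_WITH_BCRYPT_HASH"
                       authorities="ROLE_ADMIN"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

From Spring Security 4 onward the defaults are /login, username and password, so declaring the three form-login attributes explicitly keeps the JSP and the configuration in agreement after an upgrade.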
This sample program has been packaged as a jar installer which will copy the source code (along with all necessary dependencies) to your machine and automatically run the program for you as shown in the steps below. As this sample program contains Java Server Pages (JSPs), you will need a Java Development Kit (JDK, preferably 1.5 or higher) on your machine so that the JSPs can be compiled locally. Note that no other setup is required on your machine! Also please ensure that port 8080 is not being used by any other program on your machine.
Alternatively, you can go to the folder containing the springsecuritycustomloginpage-installer.jar and execute the jar using:
java -jar springsecuritycustomloginpage-installer.jar
The source code for this program is downloaded to the folder specified by you (say, C:\Temp) as an Eclipse project called
. All the required libraries have also been downloaded and placed in the same location. You can open this project from the Eclipse IDE and directly browse the source code. See below for details of the project structure.
The WAR file for this example is available as springsecuritycustomloginpage.war in the download folder specified by you earlier (e.g. C:\Temp). The path for the WAR file is <DOWNLOAD_FOLDER_PATH>/springsecuritycustomloginpage/dist/springsecuritycustomloginpage.war.
This WAR file can be deployed in any web server of your choice and the example can be executed.