Spring Security: Authentication and Authorization Using Custom Login Page

Concept Overview

In the Earlier tutorial we got an introduction to Spring security using XML. Spring can be configured to provide login and logout capabilities to an application. Spring provides a default login page that can be made available by simply turning on a variable in the spring configuration file. However, in most cases we would like to use our own login page and then delegate the request to spring login URL. In this example we look at how to do that.


Sample Program Overview

In this example we show how a custom login page can be used with spring based authentication and authorization


Required Libraries
  • aopalliance-1.0.jar
  • aspectjweaver-1.6.10.jar
  • commons-logging-1.1.1.jar
  • embeddedwebserver.jar
  • jstl-1.2.jar
  • org.springframework.web.servlet.jar
  • servlet-api-2.5.jar
  • spring-aop-3.0.7.RELEASE.jar
  • spring-asm-3.0.7.RELEASE.jar
  • spring-beans-3.0.7.RELEASE.jar
  • spring-context-3.0.7.RELEASE.jar
  • spring-core-3.0.7.RELEASE.jar
  • spring-expression-3.0.7.RELEASE.jar
  • spring-jdbc-3.0.7.RELEASE.jar
  • spring-security-config-3.1.4.RELEASE.jar
  • spring-security-core-3.1.4.RELEASE.jar
  • spring-security-web-3.1.4.RELEASE.jar
  • spring-tx-3.0.7.RELEASE.jar
  • spring-web-3.0.7.RELEASE.jar


Code Package Structure

Interaction Flow


  1. User accesses a URL on a web application
  2. The web application refers to web.xml
  3. The web.xml matches the URL pattern
  4. The control is redirected to DispatcherServlet in Spring framework
  5. Spring framework finds that the all URLs are secured. It also finds a custom login page is configured and forwards the request to the LoginController which is a Spring MVC Controller
  6. The LoginController redirects to the Custom Login Page
  7. The user enters his login name and password and submits the custom login form
  8. Spring performs authentication and authorization of user’s credentials against the entires in Spring Configuration file and redirects to LoginController
  9. LoginController displays the originally accessed URL upon successfull authentication



Source Code

Create the LoginController class as shown below. This is Spring MVC Controller class. Please see Related Trail
Spring MVC Basics
for more details.

Map the request
/main
to
printWelcome()
method and redirect to main_page.jsp after setting ‘username’ attribute with the logged in user’s name. (see lines 12-19 below).

Map the request
/login
to
login()
method and redirect to login_page.jsp (see lines 21-26 below).

Map the request
/loginError
to
loginError()
method and redirect to login_page.jsp after setting the ‘error’ attribute to ‘true’. (see lines 28-33 below).






Create the custom login page JSP (as shown below) that is used in Spring Security .

The important aspects to note in this JSP are:

  • The user name should be stored in a parameter named j_username (see line 23 below)
  • The password name should be stored in a parameter named j_password (see line 28 below)
  • This form should be submitted to the URL j_spring_security_check
  • Login error is handled by checking for attribute named ‘error’ (see lines 9-15 below)



Create the main page as shown below.

It welcomes the user by getting the logged in user’s name from the
username
attribute.

Note that this attribute was set in LoginController’s
printWelcome()
method
described earlier
.





Create the web.xml file as shown below.

Register Spring’s DispatcherServlet used to register handlers for processing the web request (see lines 29-38 below).

Define filter-mapping and filter for DelegatingFilterProxy (see lines 15-23 below). This filter shall delegate the call to a class that implements
javax.servlet.Filter
and is registered as Spring bean.

Note: In this example we do not have to specifically create a class that implements
javax.servlet.Filter
. This is automatically available to us when we configure our Spring configuration file using
security:http
in springmvcdispatcher-servlet.xml file described later .

Also configure that ContextLoaderListener (see lines 25-27 below).

Finally provide the location of Spring’s configuration file in web.xml (see lines 9-13 below).

Create the springmvcdispatcher-servlet.xml as shown below.

Allow annotation based Spring MVC controller declaration by using
context:component-scan
tag (see line 15 below).

Configure Spring such that the prefix
/views
and the suffix
.jsp
should be added to the name of the view JSP (see lines 18-26 below) as specified in return statements in all methods of LoginController class
(described earlier)



Create the spring-config.xml configuration file as mentioned below.

Configure Spring security using
security:http
tag (see lines 14-18 below).

Note that when URL fragment
/main
is accessed then security interceptor will be invoked (see line 15 below) and can be accessed by a user having ‘ROLE_ADMIN’ authorization.

Also note that custom login page is mentioned using
login-page
attribute. The error page to be displayed is also mentioned using
authentication-failure-url
attribute.

The URLs
/main
,
/login
and
/loginError
were mapped in LoginController
(described earlier)

Specify the authentication and authorization credentials for valid users (see lines 20-26 below). Note in particular the
<security:user>
tag using which the name, password and authorization role for a user is specified (see line 23 below).

This demonstrates the declarations required to display custom login page.


Running Sample Program

This sample program has been packaged as a jar installer which will copy the source code (along with all necessary dependencies)on your machine and automatically run the program for you as shown in the steps below. As this sample program contains Java Server Pages (JSPs), you will need Java Development Kit (JDK preferably 1.5 or higher) on your machine so that the JSPs can be complied locally. Note that no other setup is required on your machine! Also please ensure that the port 8080 is not being used by any other program on your machine.

Download And Automatically Run Sample Program
  • Save the springsecuritycustomloginpage-installer.jar on your machine
  • Execute/Run the jar using Java Runtime Environment


  • (Alternatively you can go the folder containing the springsecuritycustomloginpage-installer.jar and execute the jar using
    java -jar springsecuritycustomloginpage-installer.jar
    command)

  • You will see a wizard as shown below. Enter the location of Java Development Kit (JDK) and Click ‘Next’ button.
  • You will see a wizard page as shown below
  • Enter the location of the directory where you want the program to install and run (say, C:\Temp)
  • The installer will copy the program on your machine and automatically start the inbuilt webserver on your machine as shown below.
  • Go to the URL http://localhost:8080/springsecuritycustomloginpage/main. The custom login page will be displayed as shown below
  • Enter invalid credentials with username ‘beta’ and password ‘abcd’ as shown below
  • Click on Submit button. The error message will be displayed as shown below
  • Enter valid credentials with username ‘alpha’ and password ‘pass1’ (Note that these credential were configured in spring-config.xml described earlier)
  • Click on Submit button. The main page with welcome message will be displayed as shown below
  • This demonstrates the successful execution of the sample program on your machine
  • Browsing the Program

    This source code for this program is downloaded in the folder specified by you (say, C:\Temp) as an eclipse project called
    springsecuritycustomloginpage
    . All the required libraries have also been downloaded and placed in the same location. You can open this project from Eclipe IDE and directly browse the source code. See below for details of the project structure.

    Redeploying this sample program in a different web server

    The WAR file for this example is available as springsecuritycustomloginpage.war in the download folder specified by you earlier (e.g. C:\Temp). The path for the WAR file is <DOWNLOAD_FOLDER_PATH>/springsecuritycustomloginpage /dist/springsecuritycustomloginpage.war.

    This WAR file can be deployed in any webserver of your choice and example can be executed.

    1 thought on “Spring Security: Authentication and Authorization Using Custom Login Page”

    1. Where is the code ? I am finding everywhere line no 12 ,line no 20 ,or described below etc but unable to find code .Please make me understand ? By the way flow is good . So kindly provide the code please.

      Reply

    Leave a Comment