Nov 11
Rerouting Spring Security 2 Login Page Through a Spring Controller
Interestingly, a month or so after I posted my 5 Minute Guide to Spring Security 2, a common question came up on the Spring forums. I figured I’d address it here, because (once again in Spring/Acegi Security integration) the answer wasn’t really obvious.
Essentially, the question goes something like this:
The examples I can find using Spring Security show this “login.jsp” page. How can I pull Spring content into this page?
Typically, you might want to display data on the login page that’s provided by Spring service-layer beans, or tie into the i18n bundles you’ve configured, or tens of other possibilities.
Fortunately, this is possible with a few tweaks to your Spring configuration. In this post, I’ll assume you’ve started with the configuration I wrote up in the initial 5 Minute Guide to Spring Security.
First, as with any Spring action, you will need a controller to handle the Login page display (the form POST is handled by the Spring Security interceptor). A simple annotated controller might look like this:
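    import org.apache.log4j.Logger; // log4j assumed from the Logger.getLogger(Class) call
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.servlet.ModelAndView;

    /**
     * Simple mapping for login page.
     *
     * @author Mularien
     */
    @Controller
    public class LoginController {
        private static Logger logger = Logger.getLogger(LoginController.class);

        // @Autowired fields for the stuff required to display header, footer, etc. go here

        // No return value: Spring derives the view name ("login") from the request URL
        @RequestMapping("/login.do")
        public void login() {
        }

        // Target of access-denied-page in the security configuration
        @RequestMapping("/accessDenied.do")
        public ModelAndView accessDenied() {
            return new ModelAndView("redirect:/index.do");
        }
    }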
Now, you can see where we’re going with this. We’ll need a corresponding “login.jsp” page in our views directory, so that the “login.do” mapping works. You’ll need to tweak your Spring Security configuration:
    <http auto-config="true" access-denied-page="/accessDenied.do">
        <intercept-url pattern="/login.do*" filters="none"/>
        <intercept-url pattern="/app/*.do" access="ROLE_USER,ROLE_ADMIN" />
        <intercept-url pattern="/admin/**/*.do" access="ROLE_ADMIN" />
        <form-login login-page="/login.do"
                    authentication-failure-url="/login.do?login_error=1"
                    default-target-url="/app/index.do"/>
        <logout logout-success-url="/login.do"/>
    </http>
Note the references to “login.do” and “accessDenied.do” here – these are the mappings we set up in our login controller. Pay attention to the access rules we’ve assigned: the URL intercept for “/login.do*” is marked filters="none", so no authorization checks are applied to it. This is important, because otherwise users won’t be able to access the login page!
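A login.jsp to go with the controller and configuration above, added here as an example and not taken from the original post. It assumes Spring Security 2's default form field names and processing URL (j_username, j_password, /j_spring_security_check); the login.* message keys are hypothetical entries in your own i18n bundle.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%-- Added example: view rendered by the /login.do mapping.
     The login.* message keys are hypothetical; define them in your bundle. --%>
<html>
<head>
  <title><spring:message code="login.title"/></title>
</head>
<body>
  <%-- authentication-failure-url returns here with login_error=1.
       Show one generic message so the page does not reveal whether
       the username or the password was the part that failed. --%>
  <c:if test="${not empty param.login_error}">
    <p class="error"><spring:message code="login.failed"/></p>
  </c:if>

  <%-- c:url prepends the context path (for example /webapp), so the POST
       reaches Spring Security's filter wherever the application is deployed.
       This URL is not covered by the filters="none" rule for /login.do*. --%>
  <form method="post" action="<c:url value='/j_spring_security_check'/>">
    <label for="j_username"><spring:message code="login.username"/></label>
    <input type="text" id="j_username" name="j_username"/>

    <label for="j_password"><spring:message code="login.password"/></label>
    <input type="password" id="j_password" name="j_password" autocomplete="off"/>

    <input type="submit" value="<spring:message code='login.submit'/>"/>
  </form>
</body>
</html>
```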
Hope this helps someone! As always, your comments are appreciated.



February 3rd, 2009 at 2:14 pm
Couldn’t you also specify access="ROLE_ANONYMOUS" for login.do? As I understand Spring Security, anonymous users are automatically put in this role.
June 5th, 2009 at 8:22 am
Absolutely excellent post, you surely saved me some days. Thanks, good luck.
February 13th, 2010 at 7:43 pm
I tried this in version 3.0, it did not work and then switched to 2.5 — still getting the same issue.
I get the login page to work, but when I click submit, it seems to be doing nothing?
So my question is — how does the j_spring_security_check link used in the form work in this scenario?
thanks,
Lasalle
February 14th, 2010 at 1:54 pm
Following these instructions I got this to work in 3.0.
Only difference was that I had to use
in my form rather than just
cheers!!
February 14th, 2010 at 1:56 pm
form action='/webapp/j_spring_security_check' instead of '/j_spring_security_check'
March 9th, 2010 at 9:25 pm
Nice article, I only wish you’d provide the project structure. I have no idea what those intercept-url patterns refer to…
April 15th, 2010 at 9:31 pm
Okay, where is the Java code that checks the password and logs the user in? Shouldn’t there be code in the controller that reads the username/password and stuffs it into spring-security?
April 16th, 2010 at 8:13 am
@Thomas
That is part of the job of Spring Security. The form ACTION of j_spring_security_check is intercepted by Spring Security, which takes care of all the login stuff.