Spring Security Custom Login Form Example – XML Configuration

In the previous Spring Security Hello World Example, we have built a simple Spring MVC Hello World application and took the advantage of Spring Security by using the default login form provided. In this tutorial, we will go a bit further and build our own login for our Spring Security Custom Login Form application.

Let’s build a Spring MVC application with the home page which will be accessible to everyone, and we will be having admin page which will be accessible to only to the user with admin rights. When the user tries to access the admin page the user will be redirected to the custom login form which we build and asked to log in, if the credentials entered matches the admin privilege then only he will be allowed in.

Folder Structure:

1. Create a simple Maven Project “SpringSecurityTutorial” and create a package for our source files “com.javainterviewpoint” under  src/main/java 
2. Now add the following dependency in the POM.xml

   <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0	http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.javainterviewpoint</groupId>
    <artifactId>SpringSecurityTutorial</artifactId>
    <packaging>war</packaging>
    <version>0.0.1-SNAPSHOT</version>
    <name>SpringSecurityTutorial Maven Webapp</name>
    <url>http://maven.apache.org</url>
    <dependencies>
      <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>3.8.1</version>
        <scope>test</scope>
      </dependency>
      <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.1.0</version>
      </dependency>
   
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring.version}</version>
      </dependency>
      <!-- Spring Security -->
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${security.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${security.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${security.version}</version>
      </dependency>
      <dependency>
        <groupId>jstl</groupId>
        <artifactId>jstl</artifactId>
        <version>1.2</version>
      </dependency>
    </dependencies>
    <build>
    <finalName>SpringSecurityTutorial</finalName>
    </build>
    <properties>
    <spring.version>4.2.1.RELEASE</spring.version>
    <security.version>4.0.3.RELEASE</security.version>
    <jdk.version>1.7</jdk.version>
    </properties>
   </project>

3. Create the Java class HelloController.java under  com.javainterviewpoint folder.
4. Place the SpringConfig-servlet.xml,SpringSecurity.xml and web.xml  under the WEB-INF directory
5. View files index.jsp, hello.jsp,login.jsp,logout.jsp and admin.jsp are put under the sub directory under WEB-INF/Jsp

Spring Security Custom Login Form

web.xml

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee	http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
	version="3.1">
	<display-name>Archetype Created Web Application</display-name>
	<servlet>
		<servlet-name>SpringConfig</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<init-param>
			<param-name>contextConfigLocation</param-name>
			<param-value>
				/WEB-INF/SpringConfig-servlet.xml,
				/WEB-INF/SpringSecurity.xml
			</param-value>
		</init-param>
	</servlet>
	<servlet-mapping>
		<servlet-name>SpringConfig</servlet-name>
		<url-pattern>/</url-pattern>
	</servlet-mapping>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<!-- Loads Spring Security configuration file -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/SpringConfig-servlet.xml,
			/WEB-INF/SpringSecurity.xml
		</param-value>
	</context-param>

	<!-- Spring Security filter -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
</web-app>

• The web.xml has everything about the application that a server needs to know, which is placed under the WEB-INF directory.  It contains the name of the SpringConfiguration file, when the DispatcherServlet is initialized the framework will try to load a configuration file “[servlet-name]-servlet.xml” under the WEB-INF directory. We will also be mentioning the location of the SpringSecurity.xml
• Spring Security depends on the Servlet filter, we will be using the filter “DelegatingFilterProxy” which provides the link between web.xml and application context. (Note : The filter name should only be “springSecurityFilterChain” )

SpringConfig-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
 xmlns:context="http://www.springframework.org/schema/context"
 xmlns:mvc="http://www.springframework.org/schema/mvc"
 xsi:schemaLocation="http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 http://www.springframework.org/schema/context
 http://www.springframework.org/schema/context/spring-context-3.2.xsd
 http://www.springframework.org/schema/mvc
 http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">

 <mvc:annotation-driven />
 <context:component-scan base-package="com.javainterviewpoint" />

 <bean id="viewResolver"
   class="org.springframework.web.servlet.view.InternalResourceViewResolver">
   <property name="prefix" value="/WEB-INF/Jsp/" />
   <property name="suffix" value=".jsp" />
 </bean>

</beans>

• The SpringConfig-servlet.xml is also placed under the WEB-INF directory.
• <context:component-scan> will let the Spring Container to search for all the annotation under the package “com.javainteriviewpoint”. 
• <mvc:annotation-driven/> annotation will activate the @Controller, @RequestMapping, @Valid etc annotations.
• The view is resolved through “org.springframework.web.servlet.view.InternalResourceViewResolver” which searches for the jsp files under the /WEB-INF/Jsp/ directory.

SpringSecurity.xml

 <beans:beans xmlns="http://www.springframework.org/schema/security"
 xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 http://www.springframework.org/schema/security
 http://www.springframework.org/schema/security/spring-security.xsd">
 
 <http auto-config='true'>
   <intercept-url pattern="/admin*" access="hasRole('ROLE_ADMIN')" />
   <form-login
       login-page="/login"
       authentication-failure-url="/error"
       username-parameter="username"
       password-parameter="password" />
       <csrf/>
   <logout logout-success-url="/logout" />
 </http>
 
 <authentication-manager>
   <authentication-provider>
     <user-service>
       <user name="test" password="test" authorities="ROLE_ADMIN" />
     </user-service>
    </authentication-provider>
 </authentication-manager> 
 
</beans:beans>

• The <http> tag allows you to configure the Security Settings and access constraints for the web application.
• We have used the <form-login> tag, so when ever the user tries to login into our application he will be authenticated with help of  the form-login configuration. Lets get some basic understanding of the <form-login> tag.
  • login-page : This the name of our custom login page.
  • authentication-failure-url : Page to which the user has to be forwarded if he has entered invalid credentials
  • username-parameter : Name of the username field
  • password-parameter : Name of the password field
  • csrf :  This is to enable the Cross Site Request Forgery (CSRF) protection, this will be by default disabled.
• The <intercept-url> element defines the pattern which will be matched against the URLs of the incoming requests, the access attribute validates the role which is required for accessing the URL.
• <authentication-manager> tag has authentication properties through which the user will have access to different pages.
• <authentication-provider> tag specifies the username and password. For our application, we have used the username as “test” and Password as “test” and the authority as “ROLE_ADMIN”

HelloController.java

package com.javainterviewpoint;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController
{
    @RequestMapping("/hello")
    public ModelAndView hello()
    {
        String welcomeMessage = "Hello controller Welcome Message";
        return new ModelAndView("hello", "welcomeMessage", welcomeMessage);
    }
    @RequestMapping("/admin")
    public ModelAndView admin()
    {
        String welcomeMessage = "Welcome to Admin Page !!";
        return new ModelAndView("admin", "welcomeMessage", welcomeMessage);
    }

    @RequestMapping("/error")
    public String error(ModelMap model)
    {
        model.addAttribute("error", "true");
        return "login";

    }

    @RequestMapping("/login")
    public String login()
    {
        System.out.println("Inside login");
        return "login";
    }
    @RequestMapping("/logout")
    public String logout()
    {
        return "logout";
    }
}

• Our HelloController has two methods
  • hello() – when the user hits on the URL “/hello” this method gets called and the user will be redirected to the “hello.jsp”
  • admin() – when the user hits on the URL “/admin” this method gets called and the user will be redirected to the login page, only when the user keys in a valid credentials he will be allowed see the “admin.jsp”.
  • Additionally we have added login(), logout() and error() methods for redirecting to the respective pages.

index.jsp

 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%response.sendRedirect("hello");%>
<html>
<body>
<h2>Hello World!</h2>
</body>
</html>

hello.jsp

 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
<title>Spring Security</title>
</head>
<body>
 <h2>Spring Security Tutorial Hello World Example !!!</h2>
 <h4>${welcomeMessage}</h4>
 <h4>
 <a href="admin">Admin Page</a> || <a href="<c:url value="logout" />">Logout</a>
 </h4>
</body>
</html>

admin.jsp

 <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
 pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Spring Security Tutorial - Admin Page</title>
</head>
<body>
 <h3>${welcomeMessage}</h3>
</body>
</html>

login.jsp

 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Custom Login Page</title>
</head>
<body>
 <h3>Custom Login Page</h3>
 <%
 String error = (String) request.getAttribute("error");
 if (error != null &&error.equals("true"))
 {
 out.println("<h4 style=\"color:red\">Invalid login credentials. Please try again!!</h4>");
 }
 %>
 <form name='loginForm' action="<c:url value='login' />" method='POST'>

 <table>
 <tr>
 <td>User:</td>
 <td><input type='text' name='username' value=''></td>
 </tr>
 <tr>
 <td>Password:</td>
 <td><input type='password' name='password' /></td>
 </tr>
 <tr>
 <td><input name="submit" type="submit" value="submit" /></td>
 <td><input name="reset" type="reset" /> <input type="hidden"
 name="${_csrf.parameterName}" value="${_csrf.token}" /></td>

 </tr>
 </table>

 </form>
</body>
</html>

we have added CSRF parameters in our login page to prevent the CSRF attacks.

<input name="reset" type="reset" /> <input type="hidden"
 name="${_csrf.parameterName}" value="${_csrf.token}" />

logout.jsp

 <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
 pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body> 
 <h3>You are successfully logged out!!!</h3>
</body>
</html>

Output

Hit on the URL : http://localhost:8080/SpringSecurityTutorial/hello

Hit on the URL : http://localhost:8080/SpringSecurityTutorial/admin

You will be asked to login, if invalid password is entered you will get the below error and again redirected to the login page.

Only when you enter the valid credentials you will be allowed to see the admin page.