Customize Spring Security Settings

We can customize Spring Security by supplying our own settings in place of its defaults. In this tutorial we will learn the settings that let us:

  1. Use our own login page.
  2. Specify the page to which Spring Security will forward the user after logout.
  3. Put a logout option in secure pages.
  4. Add a “remember me” option to the login form.
  5. Make a page public.

We will take our previous example of configuring Spring Security and modify it to apply the customizations listed above. If you have not read the previous tutorial on configuring Spring Security, read it first.

Creating own Spring Security login form (login.jsp)


<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Page</title>
</head>
<body>
    <form name="f" action="<c:url value='/j_spring_security_check'/>" method="POST">
        <table>
            <tr><td colspan='2'>
            <h1>Login</h1>

            <c:if test="${not empty param.login_error}">
            <font color="red">
                Username and Password do not match. Try again.<br/><br/>
            </font>
            </c:if>
            </td></tr>
            <tr><td>User:</td><td><input type='text' name='j_username'
            value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
            <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
            <tr><td><input type="checkbox" name="_spring_security_remember_me"></td>
            <td>Don't ask for my password for two weeks</td></tr>

            <tr><td colspan='2'><input name="submit" type="submit" value="Login">
            <input name="reset" type="reset"></td></tr>
        </table>

    </form>
</body>
</html>

Our login form must have two input boxes, named “j_username” for the username and “j_password” for the password. The checkbox named “_spring_security_remember_me” is used when we want to offer the “remember me” option in our login form. “param.login_error” is the model object to store errors if the username or password provided by the user is not valid. We have used this object to show a customized error message in the login form. The “SPRING_SECURITY_LAST_USERNAME” model object stores the last username that was invalid.

Changing Spring Security Setting in security.xml


<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http realm="Project Realm" auto-config="true">
        <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="ROLE_ADMIN"/>
        <form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
        <logout logout-success-url="/auth/login.jsp"/>
        <remember-me />
    </http>

    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <user-service>
                <user name="admin" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</b:beans>

We have modified our spring security configuration file to do the following:

  1. Defining our own login page: We have defined our own login form using the <form-login/> tag. The login-page attribute specifies the page to be shown to the user for login. The authentication-failure-url attribute specifies the page to be shown if the login credentials are invalid.
  2. Activating the “remember me” option: The <remember-me /> tag activates the remember me option in Spring Security. Spring Security will remember the user for two weeks.
  3. Defining the logout page: The <logout/> tag defines the page to which Spring Security will forward the user after a successful logout.
  4. Making a page public: To make the login.jsp page public we have set the access attribute to “IS_AUTHENTICATED_ANONYMOUSLY”. That means anyone can open this page without authentication.
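
A tightened variant of the <http> and <authentication-manager> elements above, as an added example that is not part of the original tutorial. The stored MD5 value is the unsalted hash of the password “admin” used later in this tutorial, so the example switches to a salted SHA-256 encoder and makes the remember-me settings explicit. The key value, the one-day validity, the HTTPS requirement (which assumes Tomcat has an HTTPS connector) and the password placeholder are assumptions; the attributes come from the Spring Security 3.0 namespace.

```xml
<!-- Added example: drop-in replacements for the two elements inside <b:beans>. -->
<http realm="Project Realm" auto-config="true">
    <!-- Patterns are matched top to bottom and the first match wins,
         so the public /auth/** rule must stay above the catch-all /**. -->
    <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"
                   requires-channel="https"/>
    <intercept-url pattern="/**" access="ROLE_ADMIN" requires-channel="https"/>

    <form-login login-page="/auth/login.jsp"
                authentication-failure-url="/auth/login.jsp?login_error=1"/>
    <logout logout-success-url="/auth/login.jsp"/>

    <!-- key: secret mixed into the remember-me cookie hash (placeholder value).
         token-validity-seconds: 86400 = one day instead of the two-week default. -->
    <remember-me key="REPLACE_WITH_RANDOM_SECRET" token-validity-seconds="86400"/>
</http>

<authentication-manager>
    <authentication-provider>
        <!-- Salted SHA-256 instead of unsalted MD5; the salt is the username. -->
        <password-encoder hash="sha-256">
            <salt-source user-property="username"/>
        </password-encoder>
        <user-service>
            <!-- Placeholder: store the hex SHA-256 of "password{username}",
                 the form Spring Security uses to merge password and salt. -->
            <user name="admin" password="REPLACE_WITH_SALTED_SHA256_HEX"
                  authorities="ROLE_ADMIN"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```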

Creating logout option in secure pages (welcome.jsp)

<a href="<c:url value="/j_spring_security_logout"/>">Logout</a>

Put the above code in any secure page. The link will log the user out. The “/j_spring_security_logout” URL is mapped to the Spring Security classes that log the user out.

Running the example

Export the code as a war file and deploy it in Tomcat 6. When you open the project URL, it will show your login form:

Custom Login Form in Spring Security

Enter “scote” as username and “tigger” as password. Spring Security will show the error on the login page:

Custom Login Form Errors in Spring Security

Then, enter “admin” as username and password. It will show the welcome page with logout option in it.

Spring Security Secure Page with Logout option

You can also download source and war file of this tutorial from following links.

Source: Download

War: Download
