Spring Security Form Login
Following is a quick guide to creating a login page and a logout action with Spring Security. Let's assume that we have a home page that can be accessed only by registered members of the website.
1. Create the Spring Boot application:
The application is executed on Windows.
Technologies used in this article :
- Spring Boot
- Spring Security
Creating the Spring project with Spring Boot and Maven is explained here: http://mkaroune.e-monsite.com/pages/spring-boot-hiberante-project/project-creation.html. You do not need to add all the dependencies shown in that article; only DevTools, Web, Security and Thymeleaf are needed in this example. Nevertheless, we have to add the Thymeleaf Layout Dialect dependency in order to reuse the header on all Thymeleaf templates:
    <dependency>
        <groupId>nz.net.ultraq.thymeleaf</groupId>
        <artifactId>thymeleaf-layout-dialect</artifactId>
    </dependency>
Below is the project structure.
The auto-generated pom.xml file:
Spring Security Java Configuration:
We create the Spring Security Java configuration class by extending WebSecurityConfigurerAdapter. We also add the two annotations such a class needs: @Configuration, so that Spring picks it up, and @EnableWebSecurity, which switches on Spring Security's web support.
In this example we use only in-memory authentication, which is enough for a sample application; a real application would back the same configuration with a database-backed UserDetailsService. We create a temporary user with username "user" and password "root". Note that from Spring Security 5 onward a PasswordEncoder is mandatory: the stored password must either be encoded with the configured encoder (BCrypt, for example) or carry an explicit {noop} prefix, otherwise authentication fails with "There is no PasswordEncoder mapped for the id null".
Line 33-40: We use InMemoryUserDetailsManager and UserDetails to create the user and its password.
Line 33-35: We require authentication for every page of the application, including "/" and "/home".
Line 37-40: We define the login page and allow all users (authenticated or not) to reach it; without this, the login page itself would be protected and no one could log in.
For formLogin() we can customize the default Spring configuration with the following methods:
- .defaultSuccessUrl("/homepage.html", true): instead of the default redirect to "/", redirect to the home page "/homepage.html" after a successful login. The second argument (true) means the user is always sent there, even if they originally requested another protected page; with false (the default) Spring redirects to the page the user was trying to reach.
- .failureUrl("/loginError.html"): by default Spring Security sends a failed login back to /login?error. Use this method to send it to a page of your own instead. Keep the failure page generic; telling the user whether the username or the password was wrong helps an attacker enumerate accounts.
- .usernameParameter("email"): by default Spring Security reads the username from the form field named "username" (and the password from "password"). If your login form uses another field name, for example "email", declare it with this method so the filter picks up the right request parameter.
Line 41-42: We configure logout; after logging out, the user is redirected to the login page (by default /login?logout) in this example.
Note that if we have several pages and we want to allow access to "/" and "/home" only, without authentication, while every other page stays protected, we do as follows:
    http
        .authorizeRequests()
            .antMatchers("/", "/home").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
The order of the matchers matters: the permitAll() rule for "/" and "/home" must come before anyRequest().authenticated(), because Spring evaluates them top to bottom and the first match wins. Also be aware that passing a plain AntPathRequestMatcher("/logout") to logoutRequestMatcher() lets a GET request to /logout end the session, bypassing the POST-plus-CSRF-token requirement Spring Security applies by default; the Spring Security documentation advises against this because it exposes the application to logout CSRF (a link or image on a third-party page can log your users out).
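The following is an added, complete version of the configuration class described in this section, written for this page and not taken from the original post. It assumes Spring Boot 2.x with Spring Security 5.x (the WebSecurityConfigurerAdapter approach used here is deprecated in Spring Security 5.7 and removed in 6), the package name com.example.demo.config, and the public "/" and "/home" variant shown just above; it combines the in-memory user "user"/"root" (BCrypt-encoded so that Spring Security 5's PasswordEncoder requirement is satisfied) with the formLogin() customizations and a logout that stays POST-only.

```java
package com.example.demo.config; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Spring Security 5 refuses to authenticate against a plain-text password,
    // so an encoder bean is declared and used for the sample user below.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Sample in-memory user "user"/"root" from the article. A real application
    // would return a database-backed UserDetailsService here instead.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user = User.withUsername("user")
                .password(passwordEncoder().encode("root"))
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Public pages first: rules are evaluated top to bottom.
                // Remove this line to require login for every page.
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")            // our own Thymeleaf login page
                .usernameParameter("email")     // form field name used for the username
                .defaultSuccessUrl("/homepage.html", true) // always land here after login
                .failureUrl("/loginError.html") // generic failure page, no account hints
                .permitAll()                    // login, processing and failure URLs are public
                .and()
            .logout()
                // Restrict logout to POST so the CSRF token is still required;
                // a bare AntPathRequestMatcher("/logout") would also accept GET.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("/login?logout")
                .permitAll();
        // CSRF protection stays enabled (Spring Boot's default); Thymeleaf
        // templates using th:action get the token added to forms automatically.
    }
}
```

The login form must then post to /login with a field named email (because of usernameParameter) and a field named password, and the logout button must be a form that posts to /logout rather than a plain link.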
The home page can be accessed only after a successful login.