How to process a form login using Spring Security / Spring MVC

Question

Simple question, I just need a pointer in the right direction:

I have a simple Spring MVC/Spring Security webapp. Initially I set up Spring Security so that the default login page shows and authenticates properly (I implemented the UserDetailsService with the DaoAuthenticationProvider to do this).

Next step: replace the default spring login page with my login page and post the credentials.

But what do I do with the submitted login credentials? I assume I post the form to a controller, verify the credentials, but I'm not clear what the right step is after that. E.g.:

• Am I calling a method of AuthenticationManager?
• Do I need to define a bean for this?
• Is there an interface/service I need to implement like an AuthenticationEntryPoint or something?

I've hit the docs 3 times over and don't quite follow them. I know this is dirt simple, so I just need to hear how the process should flow.

Answer 1

I'll add a clarifying answer for anyone reading this in the future:

When you define the tag in spring security it will handle the login for you, I'll go over how it works in detail (wish it were this detailed in the docs):

<security:http auto-config="true">
    <security:form-login login-page="/login"
         login-processing-url="/postlogin"
         default-target-url="/myaccount"
         authentication-failure-url="/login?loginError=true" />
    <security:logout logout-url="/logout" />
</security:http>

The login-page is the url of the login page. You should have a controller (or static HTML page) that serves this page, it's your pretty login form.

The login-processing-url is a URL which the form-login component handles. It's as if the form-login component implemented its own controller for this page. You should post your form to this page. You also need to know to name your username/password parameters "j_username" and "j_login"

Beyond this, and the rest of the reasonably obvious options above, you should have implemented a UserDetailsService - that is, create a class and implement the interface UserDetailsService which gets, and returns, a UserDetails object (username/password) for a given username - and provide that UserDetails object with the rest of the security configuration:

<security:authentication-manager>
        <security:authentication-provider ref="daoAuthenticationProvider" />
</security:authentication-manager>

<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider" >
    <property name="userDetailsService" ref="myAuthorizationService" />
</bean>

Answer 2

Spring Security reference documentation outlines the basic processing flow in 5.4 Authentication in a Web Application. There is point #6:

Next the server will decide whether or not the presented credentials are valid. If they're valid, the next step will happen. If they're invalid, usually your browser will be asked to try again (so you return to step two above).

...

Spring Security has distinct classes responsible for most of the steps described above. The main participants (in the order that they are used) are the ExceptionTranslationFilter, an AuthenticationEntryPoint and an “authentication mechanism”, which is responsible for calling the AuthenticationManager which we saw in the previous section.

I have to admit, the documentation here is a bit confusing so I will give you some more pointers - the "authentication mechanism" mentioned here is the thing you are after, it is responsible for processing the credentials that the browser is sending.

As the details of attaching the credentials to HTTP request(s) vary greatly among different authentication methods (form data vs. plain headers vs. digest headers), there is no common "authentication mechanism" - instead, each method implements its own mechanism and in the case of web-based authentication, it is typically a special filter that you have to configure in web.xml.

In your case, you are most probably interested in UsernamePasswordAuthenticationFilter - this is used for processing basic form-based login information. The contract between your custom login form and the filter is the URL (where form is posted) + username and password field names:

The login form simply contains j_username and j_password input fields, and posts to the URL that is monitored by the filter (by default this is /j_spring_security_check).

Answer 3

<security:http auto-config="true">
  <security:form-login login-page="/login"
   login-processing-url="/postlogin"
    default-target-url="/myaccount"
     authentication-failure-url="/login?loginError=true" />
  <security:logout logout-url="/logout" />
</security:http>

login-page is the login form URL login-processing-url is the url where login form is submitted. Spring will give a self call the authentication-manager mapped by you in security.xml file.

Process

1. You need to write a class that implements org.springframework.security.authentication.AuthenticationProvider with overriden method Authentication authenticate(Authentication authentication)
2. Second class that extends org.springframework.security.core.userdetails.UserDetailsService with a overridden method loadUserByUsername(String username)
3. The second class form where you can call your DAO and validate user with database fetching username and password.
4. In Authentication authenticate(Authentication authentication) you will compare the password and return success failure your are done.

Answer 4

See the posting by limc in response to Ritesh's answer at Configuring Spring Security 3.x to have multiple entry points Look at the sections titled:

UPDATE 01-29-2011 - @Ritesh's technique
UPDATE - SOLUTION to @Ritesh's technique

It is a concise, advanced good example of how you can customize the login process in Spring Security

Answer 5

If you're using a JDBC accessible database, then you could use the following authentication-provider and avoid creating a custom one. It cuts down the code required to 9 lines of XML:

<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password from users where username=?" authorities-by-username-query="select u.username, r.authority from users u, roles r where u.userid = r.userid and u.username =?" />
</authentication-provider>

You can then setup your dataSource as follows

<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" value="jdbc:mysql://localhost:3306/DB_NAME" />
    <property name="username" value="root" />
    <property name="password" value="password" />
</bean>

Have a look at this post: http://codehustler.org/blog/spring-security-tutorial-form-login/ It covers everything you need to know about customising Spring Security form-login.

Answer 6

We are talking about the same problem more and less, this is my approach let's see what people will say.