Logging into web application

Users can log into a web application using multiple ways supported by Spring Security:

  • HTTP basic authentication: This processes the basic credentials presented in the header of the HTTP request. HTTP basic authentication is generally used with stateless clients which pass their credentials on each request.
  • Form-based login service: This provides the default login form page for users to log into the web application.
  • Logout service: This allows users to log out of this application.
  • Anonymous login: This grants authority to an anonymous user, like a normal user.
  • Remember Me support: This remembers a user's identity across multiple browser sessions.

First, we will disable the HTTP autoconfiguration by removing the auto-config attribute from the <http> tag to better understand the different login mechanisms in isolation:

<http>
         <intercept-url pattern='/employeeList' access='ROLE_USER,ROLE_ADMIN' />
         <intercept-url pattern='/employeeAdd' access='ROLE_USER' />
         <intercept-url pattern='/employeeDelete' access='ROLE_ADMIN' />

</http>

HTTP basic authentication

The HTTP basic authentication in Spring Security can be configured by using the <http-basic/> element. Here, the browser will display a login dialog for user authentication:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

   <http>
         <intercept-url pattern='/employeeList' access='ROLE_USER,ROLE_ADMIN' />
         <intercept-url pattern='/employeeAdd' access='ROLE_USER' />
         <intercept-url pattern='/employeeDelete' access='ROLE_ADMIN' />
        
        <!-- Adds Support for basic authentication -->
        <http-basic/>

   </http>

   <authentication-manager>
         <authentication-provider>
                 <user-service>
                      <user name="admin" password="adminpassword" authorities="ROLE_ADMIN" />
                      <user name="ravisoni" password="mypassword" authorities="ROLE_USER" />
                 </user-service>
         </authentication-provider>
   </authentication-manager>

</beans:beans>

The interesting thing with HTTP basic authentication is that we don't have to create any login page: the browser presents a login box to the user on our behalf. Because each request carries the user's credentials, in keeping with HTTP's stateless nature, we don't need to maintain a session.

When we try to access a secured URL in our web application, the browser will open an authentication dialog box automatically for a username and password:

[Figure: the browser's HTTP basic authentication login dialog]
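To make the mechanism concrete, here is an added Python example (not from the book or from Spring Security) of what happens on the page's behalf: the browser builds the Authorization header from the dialog, and the server parses it on every request and answers 401 with a WWW-Authenticate challenge when it is missing or wrong. The user store and realm name are constructed to mirror the <user-service> above.

```python
import base64
import binascii
import hmac

# Constructed user store mirroring the page's <user-service>; plaintext passwords
# only because the page's config stores them that way (use salted hashes in practice).
USERS = {
    "admin": ("adminpassword", {"ROLE_ADMIN"}),
    "ravisoni": ("mypassword", {"ROLE_USER"}),
}
REALM = "Spring Security Application"  # assumed realm name


def basic_header(username, password):
    """Client side: the header the browser sends once its dialog is filled in."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def parse_basic_header(value):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:  # base64 is an encoding, not encryption: Basic auth needs TLS
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")  # password may contain ':'
    return username, password


def authenticate(headers):
    """Process one stateless request: returns (status, roles, response headers)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, set(), challenge  # this 401 is what pops up the browser dialog
    username, password = creds
    expected, roles = USERS.get(username, ("", set()))
    # Unknown users and wrong passwords take the same path; compare_digest keeps
    # the comparison time independent of how many characters matched.
    if username not in USERS or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return 401, set(), challenge
    return 200, roles, {}
```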

Form-based login service

Spring Security supports a form-based login service by providing a default login form page for users to enter their login details. The <form-login> element enables the login form, as shown in the following code snippet. By default, Spring Security automatically creates a login form mapped to the /spring_security_login URL, as shown here:

<http>
   . . .
         <!-- Adds support for form-based login -->
         <form-login />
</http>

We can also create our own custom login page (login.jsp) in the root directory of the web application. It should not go inside WEB-INF, as that would prevent users from accessing it directly. The form action in login.jsp is j_spring_security_check, the URL the form is posted to in order to trigger the authentication process; j_username carries the username and j_password the password, as shown in the following code snippet:

<html>
<head>
<title>Login</title>
</head>

<body>
   <form action="j_spring_security_check" method='POST'>
      <table>
         <tr>
            <td>UserName:</td>
            <td><input type='text' name='j_username' value=''></td>
         </tr>
         <tr>
            <td>Password:</td>
            <td><input type='password' name='j_password' /></td>
         </tr>
         <tr>
            <td>Remember me:</td>
            <td><input type='checkbox' name='_spring_security_remember_me' /></td>
         </tr>
         <tr>
            <td><input name="submit" type="submit" value="submit" /></td>
         </tr>
      </table>
  </form>
</body>
</html>

When referring to a custom login page in Spring Security, we need to specify its URL in the login-page attribute of <form-login/>. In the following code snippet, <form-login login-page="/login" authentication-failure-url="/loginfailed" default-target-url="/employeeList" /> defines /login as the page the user is sent to in order to log in. The default target URL is defined as /employeeList; this is the URL the user lands on by default once authenticated. When an authentication failure happens, the user is sent to /loginfailed:

<http>
   . . .
          <form-login login-page="/login" authentication-failure-url="/loginfailed" default-target-url="/employeeList" />

</http>

Logout service

The logout service handles logout requests and is configured via the <logout> element. In Spring Security it is mapped by default to the /j_spring_security_logout URL, and it redirects the user to the root of the context path when the logout is successful:

<http>
. . .
<logout />
</http>

We can provide a logout link in our page by referring to that URL: <a href="/j_spring_security_logout"> Logout </a>.

We can also configure logout so that the user is redirected to another URL after a successful logout, as shown in the following code snippet:

<http>
. . .
<logout logout-success-url="/login" />
</http>

Anonymous login

The <anonymous> element is used to configure the anonymous login service; the username and authority of the anonymous user can be configured here:

<http>
         <intercept-url pattern='/employeeList' access='ROLE_USER,ROLE_ADMIN,ROLE_GUEST' />
         <intercept-url pattern='/employeeAdd' access='ROLE_USER' />
         <intercept-url pattern='/employeeDelete' access='ROLE_ADMIN' />

. . .
         <anonymous username='guest' granted-authority='ROLE_GUEST' />

</http>

Remember Me support

The <remember-me /> element is used to configure the Remember Me support in Spring Security. By default, it encodes authentication information and the Remember Me expiration time, together with a private key, as a token and stores it in a cookie in the user's browser. The next time the user accesses the same application, they can be logged in automatically using the token:

<http>
. . .
<remember-me />
</http>
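As an added illustration, not Spring Security's own code, the following Python models the token the text describes: the username and expiry time are signed together with the user's password and a server-side key, and the server re-checks that signature and the expiry on each later visit. It follows the layout I know from Spring's default token-based scheme (username:expiry:MD5 hex signature, base64-encoded); the key, lifetime and user store are constructed values.

```python
import base64
import hashlib
import hmac
import time

KEY = "constructed-server-key"      # the private key from the text; assumed value
TOKEN_VALIDITY = 14 * 24 * 3600     # seconds; two weeks, assumed lifetime
USERS = {"ravisoni": "mypassword"}  # constructed store mirroring <user-service>


def _signature(username, expiry_ms, password):
    # The signature binds username, expiry, the stored password and the server
    # key, so changing any of them (e.g. a password change) invalidates the token.
    data = "%s:%d:%s:%s" % (username, expiry_ms, password, KEY)
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_token(username, now=None):
    """On successful login: build the cookie value to send to the browser."""
    now = time.time() if now is None else now
    expiry_ms = int((now + TOKEN_VALIDITY) * 1000)
    sig = _signature(username, expiry_ms, USERS[username])
    raw = "%s:%d:%s" % (username, expiry_ms, sig)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def check_token(cookie, now=None):
    """On a later request: return the username to log in, or None to ignore."""
    now = time.time() if now is None else now
    try:
        parts = base64.b64decode(cookie, validate=True).decode("utf-8").split(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if len(parts) != 3:
        return None
    username, expiry_str, sig = parts
    if not expiry_str.isdigit() or int(expiry_str) < now * 1000:
        return None  # malformed or expired
    password = USERS.get(username)
    if password is None:
        return None  # user no longer exists
    expected = _signature(username, int(expiry_str), password)
    if not hmac.compare_digest(expected, sig):
        return None  # tampered, or password/key changed since it was issued
    return username
```

Because the stored password is part of the signature, changing a user's password invalidates every remember-me cookie issued before the change, which is the property a defender relies on when a credential is compromised.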