Customize Spring Security Settings
We can customize Spring Security's settings by supplying our own values for the properties it uses. In this tutorial we will learn the settings that let us:
- Use our own login page.
- Specify the page to which Spring Security forwards the user after logout.
- Put a logout option in secure pages.
- Add a “remember me” option to the login form.
- Make a page public.
We will take our previous example, Getting Started with Spring Security, and modify it to apply the customizations listed above. If you have not read the previous tutorial on configuring Spring Security, read that one first.
Creating own Spring Security login form (login.jsp)
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Page</title>
</head>
<body>
<form name="f" action="<c:url value='/j_spring_security_check'/>" method="POST">
<table>
<tr><td colspan='2'>
<h1>Login</h1>
<c:if test="${not empty param.login_error}">
<font color="red">
Username and Password do not match. Try again.<br/><br/>
</font>
</c:if>
</td></tr>
<tr><td>User:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
<tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>
<tr><td colspan='2'><input name="submit" type="submit" value="Login"><input name="reset" type="reset"></td></tr>
</table>
</form>
</body>
</html>
Our login form must have two input boxes, named “j_username” for the username and “j_password” for the password. The checkbox named “_spring_security_remember_me” is used when we want a “remember me” option in our login form. “param.login_error” reads the login_error request parameter, which is present when the username or password provided by the user is not valid; we use it to show a customized error message in the login form. “SPRING_SECURITY_LAST_USERNAME” holds the last username that was submitted and rejected, so the form can show it again.
Changing Spring Security Setting in spring-security.xml
<b:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http realm="Project Realm" auto-config="true">
<intercept-url
pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
<form-login login-page="/auth/login.jsp"
authentication-failure-url="/auth/login.jsp?login_error=1"/>
<logout logout-success-url="/auth/login.jsp"/>
<remember-me />
</http>
<authentication-manager>
<authentication-provider>
<password-encoder
hash="md5"/>
<user-service>
<user
name="admin" password="21232f297a57a5a743894a0e4a801fc3"
authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</authentication-manager>
</b:beans>
We have modified our Spring Security configuration file to do the following:
- Defining our own login page: We have defined our own login form using the <form-login/> tag. The login-page attribute specifies the page shown to the user for login. The authentication-failure-url attribute specifies the page shown if the login credentials are invalid.
- Activating the “remember me” option: The <remember-me /> tag activates the remember-me option in Spring Security. Spring Security will remember the user for two weeks.
- Defining the logout page: The <logout/> tag, through its logout-success-url attribute, defines the page to which Spring Security forwards the user after a successful logout.
- Making a page public: To make the login.jsp page public we have set the access attribute of the /auth/** pattern to “IS_AUTHENTICATED_ANONYMOUSLY”. That means anyone can open this page without authentication.
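The same configuration with the defaults it relies on written out, as an added example that is not part of the original tutorial's files. The login-processing-url, logout-url, invalidate-session and token-validity-seconds values are Spring Security 3.0's defaults; the remember-me key is a placeholder to replace with your own private value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the tutorial's file): same rules, defaults written out. -->
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <http realm="Project Realm" auto-config="true">
    <!-- Rules are evaluated top to bottom and the first match is used.
         The public /auth/** rule must stay above /**; if the order were
         swapped, login.jsp itself would require ROLE_ADMIN. -->
    <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_ADMIN"/>
    <!-- login-processing-url is the URL that login.jsp posts to. -->
    <form-login login-page="/auth/login.jsp"
                login-processing-url="/j_spring_security_check"
                authentication-failure-url="/auth/login.jsp?login_error=1"/>
    <!-- logout-url is the target of the Logout link in welcome.jsp.
         invalidate-session drops the HTTP session when the user logs out. -->
    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/auth/login.jsp"
            invalidate-session="true"/>
    <!-- 1209600 seconds = 14 days, the "two weeks" shown in the login form.
         key should be unique to this application so that remember-me
         cookies are only valid here (placeholder value, replace it). -->
    <remember-me key="REPLACE_WITH_PRIVATE_RANDOM_VALUE"
                 token-validity-seconds="1209600"/>
  </http>
  <authentication-manager>
    <authentication-provider>
      <password-encoder hash="md5"/>
      <user-service>
        <!-- Unchanged from the tutorial's configuration. -->
        <user name="admin" password="21232f297a57a5a743894a0e4a801fc3"
              authorities="ROLE_ADMIN"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</b:beans>
```

Lowering token-validity-seconds shortens how long an unattended browser stays logged in without asking for the password again.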
Creating logout option in secure pages (welcome.jsp)
<a
href="<c:url
value="/j_spring_security_logout"/>">Logout</a>
Put the above code in any secure page. The link logs the user out: the “/j_spring_security_logout” URL is mapped to the Spring Security classes that perform the logout.
That’s All Folks
You may want to run the application now and see the result. I assume you have already configured Tomcat in Eclipse. All you need to do is:
Open Server view from Windows > Show View > Server. Right click in this view and select New > Server and add your server details.
To run the project, right click on Project name from Project Explorer and select Run as > Run on Server (Shortcut: Alt+Shift+X, R).
Enter “scote” as username and “tigger” as password. Spring Security will show the error on the login page.
Then enter “admin” as both username and password. It will show the welcome page with the logout option in it.