Spring security Notes 3/4: Custom Login Page

Custom login page

Based on the previous examples, customize the return of authentication.
For requests from browsers, redirect the page to a custom login page.
For requests from other clients (such as APP), authentication results have been returned in Json form.

Implementation steps

1. Copy the source code of the previous example

Rename package name case 2 to case 3

Rename Case2Application.java to Case3Application.java

2. Configure the login page in WebSecurity Config

Configure the formLogin option in the config(HttpSecurity http) method. The following settings need to be included:

  • Release the custom login page url, for example: / login.html;
  • Set the login jump page url, for example: / login.html;
  • Disable csrf protection. If you do not add this item, you need to get the value of csrftoken from the cookie each time and submit it it to the server with the form.

The complete code is as follows:

package net.txt100.learn.springsecurity.base.case3.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

 * Title: WebSecurityConfig
 * Package: net.txt100.learn.springsecurity.base.case3.config
 * Creation date: 2019-08-11
 * Description:
 * @author <a href="zgjt_tongl@thunis.com">Tonglei</a>
 * @since 1.0
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    public PasswordEncoder passwordEncoder() {
        // Configure password protection policy, spring security defaults to bcrypt encryption algorithm.
        // Just declare BCryptPasswordEncoder Bean explicitly here.
        return new BCryptPasswordEncoder();

    protected void configure(HttpSecurity http) throws Exception {

        UsernamePasswordAuthenticationFilter up;

            .csrf().disable() // Turn off CSRF protection, otherwise Post requests are not supported
            .authorizeRequests() // Security configuration for HttpServletRequest
                .antMatchers("/login.html").permitAll() // login.html page can be accessed without login
                .anyRequest().authenticated() // Security certification is required for all Request s
                .loginPage("/login.html") // The browser jumps to the login.html page whenever login is required
                .loginProcessingUrl("/login") // Custom login submission address, default address is / login, default processor is UsernamePassword Authentication Filter
//                 usernameParameter("/phone_number")// Custom login user ID parameter, default is username
//                 passwordParameter("/check_code")// Custom login password parameter, default is password
            .and().httpBasic(); // Defines how to authenticate users, which represents a pop-up browser authentication window

3. Create login.html pages

Create a new directory, src/main/webapp, and create the file login.html under that directory. At least include:

  • form tag, and action assigns the loginProcessingUrl configuration address in WebSecurity Config (default: "/login");
  • Username parameter, which is the same configuration as username parameter in WebSecurity Config (default: "username");
  • Password parameters, consistent with the password parameter configuration in WebSecurity Config (default: "password").

4. Logon Test

  1. Visit http://localhost:8080/user/all, you can see the custom login interface

  2. Enter the correct username and password to access the protected resources


In spring security, developers can customize the login page's

  • Access address
  • Authentication Address
  • Username parameters
  • Password parameters

Finally, don't forget to release access to the login page.

Tags: Programming Spring Java JSON

Posted on Sun, 08 Sep 2019 07:51:15 -0700 by taya