
  • Login form question

    Hello.

    I just set up Spring Security in a project of mine and it worked great, at least until I wanted to have my own login page (using the auto-generated one, it works fine). I am using Spring 3.1 and I set up my security content like this:

    Code:
    	<http use-expressions="true" auto-config="true">
    	    <intercept-url pattern="/login.htm" access="permitAll" />
    	    <intercept-url pattern="/submitCustomer.htm" access="permitAll" />
    	    <intercept-url pattern="/lostPassword.htm" access="permitAll" />
    	    <intercept-url pattern="/emailVerification.htm" access="permitAll" />
    	    <intercept-url pattern="/static/**" access="permitAll" />
    	    <intercept-url pattern="/graphics/**" access="permitAll" />
    	    <intercept-url pattern="/css/**" access="permitAll" />
    	    <intercept-url pattern="/updateCustomer.htm" access="hasRole('ROLE_USER')" />
    	    <intercept-url pattern="/updatePassword.htm" access="hasRole('ROLE_USER')" />
    	    <intercept-url pattern="/**" access="denyAll" />
      	    <form-login login-page="/login.htm" />   
    	    <http-basic />
    	</http>
    In my web.xml, I have the filter proxy set up like this:
    Code:
    	<filter>
    	    <filter-name>springSecurityFilterChain</filter-name>
    	    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	
    	<filter-mapping>
    	  <filter-name>springSecurityFilterChain</filter-name>
    	  <url-pattern>/*</url-pattern>
    	</filter-mapping>
    From reading the logs, I can see that:
    1. It picks up my request (.../updatePassword.htm) and decides that ROLE_ANONYMOUS is not enough.
    2. I get redirected to the authentication entry point and an AccessDeniedException exception is thrown.
    3. I get redirected to the login.htm page.
    4. I get passed through the filter chain, filters 1 through 10.
    5. login.htm gets successfully matched with login.htm in the intercept-url pattern.
    6. The GET request for login.htm then ends up in my DispatcherServlet, where the controller mapping drops it because I don't have a controller that handles requests to login.htm. I assume this is my problem. I really don't expect that I should have to set up a controller to handle the login just because I want my own login page, right? What component should pick up the redirect and how do I set that up?

    So can someone out there tell me what I am missing or at least point me in the right direction?

  • #2
    If you are wanting a custom login page, you are in charge of processing the login URL. In this instance, since you are using Spring MVC, you would need to create a controller.

    Comment


    • #3
      Oh really..? I thought the point of having a standard post action ("j_spring_security_check") and standard field names ("j_username" and "j_password") was that I could just replace the view with one of my own and have the standard components handle everything behind the scenes.

      Comment


      • #4
        OK, so I set up a controller to show the login page. It's very basic so far. It displays the form fine, but when I submit, the action is not handled anywhere:
        Code:
        <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
            pageEncoding="ISO-8859-1"%>
        <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
        <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
        <%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
         
        <html>
          <head>
            <title>Login</title>
          </head>
         
          <body>
            <h1>Login</h1>
         
            <form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
              <table>
                <tr>
                  <td>User:</td>
                  <td><input type='text' name='j_username'></td>
                </tr>
                <tr>
                  <td>Password:</td>
                  <td><input type='password' name='j_password'></td>
                </tr>
         
                <tr><td colspan='2'><input name="submit" type="submit"></td></tr>
                <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
              </table>
            </form>
          </body>
        </html>
        Reading the documentation, I came to the conclusion that configuring the <form-login> would add a UsernamePasswordAuthenticationFilter for me and that this filter would handle the "j_spring_security_check" action from the form, but the logs show no such logic. My security context now looks like this:
        Code:
        <beans:beans xmlns="http://www.springframework.org/schema/security"
            xmlns:beans="http://www.springframework.org/schema/beans"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        	xmlns:security="http://www.springframework.org/schema/security"
            xsi:schemaLocation="http://www.springframework.org/schema/beans 
                            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security 
                            http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        
            <!-- Empty filter chain (security="none") for services, CSS and images -->
        	<http pattern="/services/**" security="none"/>
        	<http pattern="/css/**" security="none"/>
        	<http pattern="/images/**" security="none"/>
        
        	<http use-expressions="true" auto-config="true">
        	    <intercept-url pattern="/login.htm" access="permitAll" />
        	    <intercept-url pattern="/submitCustomer.htm" access="permitAll" />
        	    <intercept-url pattern="/lostPassword.htm" access="permitAll" />
        	    <intercept-url pattern="/emailVerification.htm" access="permitAll" />
        	    <intercept-url pattern="/static/**" access="permitAll" />
        	    <intercept-url pattern="/graphics/**" access="permitAll" />
        	    <intercept-url pattern="/css/**" access="permitAll" />
        	    <intercept-url pattern="/updateCustomer.htm" access="hasRole('ROLE_USER')" />
        	    <intercept-url pattern="/updatePassword.htm" access="hasRole('ROLE_USER')" />
        	    <intercept-url pattern="/**" access="denyAll" />
          	    <form-login login-page="/login.htm" authentication-failure-url="/login.htm?login_error=1" login-processing-url="/j_spring_security_check"/>   
        	    <http-basic />
        	</http>
        
          <authentication-manager>
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"
                    authorities-by-username-query="select cust.email as username, auth.authority from customers as cust, authorities as auth where cust.email = ? and auth.username = cust.email"
                    users-by-username-query="select email as username, password, enabled from customers where email= ?" />
            </authentication-provider>
          </authentication-manager>
        
        </beans:beans>
        Last edited by weedobooty; Feb 28th, 2012, 04:56 AM. Reason: typo

        Comment


        • #5
          As you mentioned in your most recent post, rendering the form used to submit the username and password is different than what is used to process the submitted username and password. If you override the login-url, then you are in charge of rendering the login form, and following the conventions will allow Spring Security to validate the submitted username and password and authenticate the user.

          I would suggest you run through some of the working sample applications.

          Comment
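
The split described in posts #2 and #5, as an added example that is not part of the original thread: a Spring MVC controller only renders the form at /login.htm, while the POST to /j_spring_security_check is left to the filter that `<form-login>` registers. The package, class name, view name `login` and model attribute `loginFailed` are assumptions, as is a view resolver that maps `login` to the JSP from post #4.

```java
package example.web; // hypothetical package name

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Renders the custom login form and nothing else. It never sees j_username
 * or j_password, so credential handling stays inside Spring Security.
 */
@Controller
public class LoginPageController {

    // GET only: the form POSTs to /j_spring_security_check, which the
    // UsernamePasswordAuthenticationFilter added by <form-login> consumes
    // inside springSecurityFilterChain, before the DispatcherServlet runs.
    @RequestMapping(value = "/login.htm", method = RequestMethod.GET)
    public String showLoginForm(
            @RequestParam(value = "login_error", required = false) String loginError,
            Model model) {
        // authentication-failure-url="/login.htm?login_error=1" redirects here.
        // Expose only a boolean so the view shows one generic failure message
        // and does not reveal whether the username or the password was wrong.
        model.addAttribute("loginFailed", loginError != null);
        return "login"; // assumed logical view name for the login JSP
    }
}
```

Because the mapping is restricted to GET, a form that posts to /login.htm by mistake fails instead of sending credentials to application code.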


          • #6
            I have not seen a single sample application that does this. If someone could point me to one, I'd be more than happy to find the solution myself.

            Comment


            • #7
              You have not seen a single sample that creates a custom login page? Am I misunderstanding what you are looking for? If you are looking for a custom login page, look at the samples provided by Spring Security.

              Comment


              • #8
                I solved this by removing something (I thought) totally unrelated from my web.xml, that I had put there while experimenting with a solution for static content.

                Also, I found the sample code you referred to and that helped. Thanks.

                In the end, implementing Spring Security worked pretty much exactly as I had expected.

                Comment
