Monday 10 December 2012

Customizing Spring Security

Posted by Naveen Katiyar On 10:04

Customize Spring Security Settings

We can customize Spring Security settings by supplying our own properties for Spring to use. In this tutorial we will learn the settings that let us have:
  1. Our own login page.
  2. The page to which Spring Security forwards the user after logout.
  3. A logout option in secure pages.
  4. An extra “remember me” option in the login form.
  5. A public page.
We will take our previous example, Getting Started with Spring Security, and modify it to do the customization listed above. So, if you have not read the previous tutorial on configuring Spring Security, read it from here first.

Creating our own Spring Security login form (login.jsp)



<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Page</title>
</head>
<body>
<%-- The action must be Spring Security's login-processing URL; j_username and
     j_password are the parameter names its form-login filter reads --%>
<form name="f" action="<c:url value='/j_spring_security_check'/>" method="POST">
  <table>
    <tr><td colspan='2'>
      <h1>Login</h1>
      <%-- authentication-failure-url in spring-security.xml appends ?login_error=1 --%>
      <c:if test="${not empty param.login_error}">
        <font color="red">
          Username and Password do not match. Try again.<br/><br/>
        </font>
      </c:if>
    </td></tr>
    <%-- Re-fill the last username after a failure; c:out HTML-escapes it --%>
    <tr><td>User:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
    <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
    <%-- Ticking this box sends the parameter that <remember-me /> looks for --%>
    <tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>

    <tr><td colspan='2'><input name="submit" type="submit" value="Login"><input name="reset" type="reset"></td></tr>
  </table>
</form>
</body>
</html>

Our login form must have two input fields named “j_username” (the username) and “j_password” (the password); these are the parameter names Spring Security's form-login filter reads from the POST to /j_spring_security_check. The checkbox named “_spring_security_remember_me” is used when we want to offer the “remember me” option in our login form. “login_error” is not a model object but a request parameter: the authentication-failure-url in spring-security.xml sends the user back to login.jsp?login_error=1, and the test on “param.login_error” picks it up so we can show a customized error message. “SPRING_SECURITY_LAST_USERNAME” is a session attribute in which Spring Security stores the last username that failed to authenticate; we echo it through <c:out>, which HTML-escapes it, so a username containing markup cannot inject script into the page. Note that Spring Security 3.0 has no built-in CSRF protection for this form (that arrived in 3.2), so a hidden token is not part of this version of the login page.


Changing Spring Security settings in spring-security.xml

<b:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http realm="Project Realm" auto-config="true">
        <!-- Rules are evaluated top to bottom and the first match wins:
             keep the public /auth/** rule above the catch-all /** rule -->
        <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="ROLE_ADMIN"/>
        <!-- Our own login page; failed logins come back to it with ?login_error=1 -->
        <form-login login-page="/auth/login.jsp" authentication-failure-url="/auth/login.jsp?login_error=1"/>
        <!-- Where the user lands after /j_spring_security_logout -->
        <logout logout-success-url="/auth/login.jsp"/>
        <!-- Hash-based remember-me cookie, valid for two weeks by default;
             set the key attribute to a private random value in a real deployment -->
        <remember-me />
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- Unsalted MD5, carried over from the previous tutorial -->
            <password-encoder hash="md5"/>
            <user-service>
                <!-- 21232f297a57a5a743894a0e4a801fc3 is md5("admin") -->
                <user name="admin" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</b:beans>


We have modified our Spring Security configuration file to do the following:
  1. Defining our own login page: the <form-login/> element replaces the login page that Spring Security generates for us when auto-config is on. The login-page attribute gives the page to show the user for login, and authentication-failure-url gives the page to send the user to when the credentials are invalid (here the same page with login_error=1 appended, which the JSP tests for).
  2. Activating the “remember me” option: the <remember-me /> element enables remember-me. With no further attributes Spring Security issues a hash-based cookie that stays valid for two weeks (token-validity-seconds changes this). The cookie's signature is keyed with the key attribute; if it is omitted, the 3.0 namespace falls back to a fixed default that is the same in every deployment and is visible in the Spring source, so set key to a long random value that is private to your application.
  3. Defining the logout page: the <logout/> element's logout-success-url gives the page to which Spring Security forwards the user after a successful logout.
  4. Making a page public: to make login.jsp public we have given the /auth/** rule the access attribute “IS_AUTHENTICATED_ANONYMOUSLY”, which means anyone can open pages under /auth/ without authentication. The <intercept-url/> rules are evaluated top to bottom and the first matching pattern wins, so the /auth/** rule must stay above the catch-all /** rule; if the order were reversed, the login page itself would require ROLE_ADMIN and every unauthenticated request would be redirected to it in a loop.
The unsalted MD5 <password-encoder/> is unchanged from the previous tutorial. It is fine for a demo with one hard-coded user, but for a real user store at least add a <salt-source/> to the encoder, since identical passwords otherwise produce identical, easily looked-up hashes.
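To make the “first match wins” behaviour of point 4 concrete, here is an added Python model (example code, not Spring's own) of how the two <intercept-url/> rules above are evaluated. It translates Ant-style patterns into anchored regular expressions in a simplified way (enough for the patterns on this page) and evaluates the page's rule order beside the reversed order, so you can see that reversing them makes the login page itself require ROLE_ADMIN. The rule lists, paths and the helper names are constructed for this example.

```python
import re

# Added example, not Spring's code: a constructed model of how Spring Security
# 3.0 evaluates <intercept-url/> rules. Rules are tried in document order and
# the FIRST pattern that matches the request path decides the access attribute.
# Ant-style wildcards: '**' spans any number of path segments, '*' and '?'
# stay within a single segment. (Simplified: a "/**" in the middle of a
# pattern is not given Spring's zero-segment matching.)

# The two rules from spring-security.xml above, in the order the page uses them.
PAGE_RULES = [
    ("/auth/**", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "ROLE_ADMIN"),
]
# The same rules with the catch-all first: the mistake this example exposes.
REVERSED_RULES = list(reversed(PAGE_RULES))


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            out.append("(/.*)?")      # a trailing "/**" also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def required_access(rules, path: str):
    """Access attribute of the first rule matching 'path'; None when no rule
    matches (Spring Security 3.0 then applies no constraint to the request)."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None


def anonymous_can_reach_login(rules, login_page: str = "/auth/login.jsp") -> bool:
    """True when an unauthenticated browser may load the login page itself.
    When this is False, every unauthenticated request is redirected to a page
    that is itself protected, which is a redirect loop."""
    return required_access(rules, login_page) == "IS_AUTHENTICATED_ANONYMOUSLY"


if __name__ == "__main__":
    for name, rules in (("page order", PAGE_RULES), ("reversed", REVERSED_RULES)):
        for path in ("/auth/login.jsp", "/welcome.jsp", "/auth"):
            print(f"{name:10} {path:18} -> {required_access(rules, path)}")
        print(f"{name:10} login reachable anonymously: {anonymous_can_reach_login(rules)}")
```

One related detail: /j_spring_security_check is also matched by the /** rule, but the POST to it is consumed by the form-login filter, which sits earlier in the filter chain than the authorization filter, so the ROLE_ADMIN rule never applies to the login submission itself.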

Creating logout option in secure pages (welcome.jsp)


<a href="<c:url value="/j_spring_security_logout"/>">Logout</a>

Put the above code in any secure page. Following the link logs the user out: the “/j_spring_security_logout” URL is handled by Spring Security's logout filter, which invalidates the HTTP session, clears the security context and, because <remember-me /> is enabled, cancels the remember-me cookie, before redirecting to the logout-success-url. In Spring Security 3.0 this URL is accepted over a plain GET, so any page that can make the browser load it (an image tag pointing at it, for example) can log the user out; later versions require a POST for exactly this reason once CSRF protection is enabled.
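The cookie that this logout cancels is the hash-based remember-me token enabled by <remember-me /> above, whose layout is documented in the Spring Security reference: base64 of “username:expiryMillis:signature”, where the signature is the MD5 hex digest of “username:expiryMillis:password:key” and “password” is the credential exactly as the user service stores it (so here the MD5 hex digest from the XML). The following is an added Python model of how the server mints that cookie at login and verifies it on a later session-less request; it is example code, not Spring's, and the user store, key and clock values are constructed for the demonstration. It shows why the key attribute must be a real secret: the server accepts any cookie whose signature was computed with its key and the stored password, and rejects one minted under a different key or past its expiry.

```python
import base64
import hashlib
import hmac

# Added example, not Spring's code: a constructed model of Spring Security
# 3.0's hash-based remember-me cookie (the "simple hash-based token" of the
# reference manual).
#   cookie    = base64("username:expiryMillis:signature"), trailing '=' stripped
#   signature = md5hex("username:expiryMillis:password:key")
# 'password' is the credential as the user service stores it, i.e. with
# <password-encoder hash="md5"/> it is the MD5 hex digest from the XML.

TWO_WEEKS_S = 1209600          # default token-validity-seconds

# Constructed user store mirroring the <user-service> element on this page.
USERS = {"admin": "21232f297a57a5a743894a0e4a801fc3"}   # md5("admin")

# Constructed values for the demonstration: a fixed clock (10 Dec 2012) and
# an application key; in spring-security.xml this is the key attribute.
NOW_MS = 1355109840000
KEY = "replace-with-a-long-random-secret-private-to-this-app"


def _signature(username: str, expiry_ms: int, stored_password: str, key: str) -> str:
    data = f"{username}:{expiry_ms}:{stored_password}:{key}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def mint_cookie(username: str, key: str, now_ms: int, validity_s: int = TWO_WEEKS_S) -> str:
    """Server side, after a successful login with the remember-me box ticked."""
    expiry_ms = now_ms + validity_s * 1000
    sig = _signature(username, expiry_ms, USERS[username], key)
    raw = f"{username}:{expiry_ms}:{sig}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def verify_cookie(cookie: str, key: str, now_ms: int):
    """Server side, on a later request that carries no session.
    Returns the username the cookie proves, or None when it must be ignored."""
    padded = cookie + "=" * (-len(cookie) % 4)       # restore stripped padding
    try:
        raw = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None                                  # not a well-formed token
    parts = raw.split(":")
    if len(parts) != 3:
        return None
    username, expiry_str, sig = parts
    if not expiry_str.isdigit():
        return None
    expiry_ms = int(expiry_str)
    if expiry_ms < now_ms:
        return None                                  # token expired
    stored = USERS.get(username)
    if stored is None:
        return None                                  # unknown user
    expected = _signature(username, expiry_ms, stored, key)
    # Spring 3.0 compares with String.equals; a constant-time compare is used here.
    if not hmac.compare_digest(expected, sig):
        return None                                  # wrong key, password or tampering
    return username


def demo() -> dict:
    """Mint one cookie for admin and show what the server decides in each case."""
    cookie = mint_cookie("admin", KEY, NOW_MS)
    return {
        "fresh": verify_cookie(cookie, KEY, NOW_MS + 3600 * 1000),
        "wrong_key": verify_cookie(cookie, "some-other-key", NOW_MS),
        "expired": verify_cookie(cookie, KEY, NOW_MS + (TWO_WEEKS_S + 1) * 1000),
        "garbage": verify_cookie("not base64!!", KEY, NOW_MS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} -> {result}")
```

Two consequences follow directly from the layout. First, because the stored password hash is part of the signature, changing the user's password invalidates every outstanding cookie, which is the intended way to revoke them. Second, nothing in the token is per-device or revocable on its own, so with the default key any party holding the stored hash can mint a cookie; the persistent-token variant (data-source-ref on <remember-me/>) exists for deployments that need revocation.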

That’s All Folks

You may want to run the application now and see the result. I assume you have already configured Tomcat in Eclipse. All you need to do:
Open the Server view from Window > Show View > Servers. Right-click in this view, select New > Server and add your server details.
To run the project, right-click on the project name in Project Explorer and select Run As > Run on Server (shortcut: Alt+Shift+X, R).

Enter “scote” as the username and “tigger” as the password. Spring Security will show the error in the login page.
Then enter “admin” as both username and password. It will show the welcome page with the logout option in it.







