I am trying to integrate Spring Security for my login form, and I am having trouble understanding how Spring Security validates a database login:

So I have configured spring-security like this:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/logout" access="permitAll"/>
        <intercept-url pattern="/denied" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/user" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>

        <form-login login-page="/login"
            authentication-failure-url="/login/failure"
            default-target-url="/"/>

        <access-denied-handler error-page="/denied"/>

        <logout invalidate-session="true"
            logout-success-url="/logout/success"
            logout-url="/logout"/>
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="loginManager">
            <password-encoder hash="bcrypt"/>
        </authentication-provider>
    </authentication-manager>

And this is my form:

<c:url var="loginUrl" value="/login"/>
<form method="post" action="${loginUrl}">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <div class="form_field">
        <label for="login_name">Username / Email</label><br/>
        <input class="field" id="login_name" type="text" name="username" autocomplete="off" />
    </div>
    <div class="form_field">
        <label for="password">Password</label><br/>
        <input class="field" id="password" type="password" name="password" />
    </div>
</form>

And this is my controller:

    @RequestMapping("/login")
    public String login(Model model, @RequestParam(required=false) String message) {
        model.addAttribute("message", message);
        LOGGER.info("Login");
        return "/login";
    }

    @RequestMapping(value = "/denied")
    public String denied() {
        LOGGER.info("DENIE");
        return "/login";
    }

    @RequestMapping(value = "/login/failure")
    public String loginFailure() {
        String message = "Login Failure!";
        return "redirect:/login?message="+message;
    }

    @RequestMapping(value = "/logout/success")
    public String logoutSuccess() {
        String message = "Logout Success!";
        return "redirect:/login?message="+message;
    }
1. I don't understand whether we need to use @RequestParam to get the username and password strings, or whether Spring will do it for us, since I have told Spring where my login page is in the configuration?

This is my service, which implements UserDetailsService:

@Override
@Transactional(readOnly=true)
public UserDetails loadUserByUsername(String name)
        throws UsernameNotFoundException {
    LOGGER.info("Verify Customer's Account");
    Login login = loginDao.getLoginByName(name.toLowerCase());
    if (login == null) {
        // Unknown account: Spring Security expects this exception, not a null return
        throw new UsernameNotFoundException("User not found: " + name);
    }

    // getPassword() must return the stored bcrypt hash; the provider compares it, not this service
    return new User(login.getName(), login.getPassword(),
            true, true, true, true,
            Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
}
2. Since my service implements UserDetailsService, I have to override the method loadUserByUsername(name). I wonder how I can verify the account's password as well, or whether Spring also takes care of that for me (how does it work internally?).

Thanks for your response.

1 Answer

You need to differentiate the login page and the login processing URL. The login page is your login form. The login processing URL receives the input from the user and authenticates the user. Spring Security will do the latter for you; the default URL you should post your form to is /j_spring_security_check and your fields should be named j_username and j_password (using the default parameter names).

Your UserDetailsService should not authenticate (i.e. check if password is correct), Spring Security will do this for you.
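As an added illustration of the answer's point (not code from the question or the answer), this is the check Spring Security's DaoAuthenticationProvider performs once the form posts to the login processing URL: the UserDetailsService only loads the account with its stored bcrypt hash, and the provider runs the password comparison. The in-memory USERS map standing in for loginDao and the user "alice" are constructed for the example; the Spring classes are the real ones from spring-security-core and spring-security-crypto.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class AuthFlowDemo {
    // Constructed stand-in for loginDao: username -> stored bcrypt hash, never the plain password
    static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();
    static final Map<String, String> USERS =
            Collections.singletonMap("alice", ENCODER.encode("correct horse"));

    // The UserDetailsService only loads the account; it never compares passwords
    static final UserDetailsService USER_SERVICE = new UserDetailsService() {
        @Override
        public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
            String hash = USERS.get(name.toLowerCase());
            if (hash == null) {
                // Unknown account: throw, do not return null
                throw new UsernameNotFoundException("No account: " + name);
            }
            return new User(name, hash, true, true, true, true,
                    Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
        }
    };

    // What <authentication-provider user-service-ref="loginManager"> plus
    // <password-encoder hash="bcrypt"/> wires up: load the user, then encoder.matches()
    static boolean authenticate(String username, String rawPassword) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(USER_SERVICE);
        provider.setPasswordEncoder(ENCODER);
        try {
            Authentication result = provider.authenticate(
                    new UsernamePasswordAuthenticationToken(username, rawPassword));
            return result.isAuthenticated();
        } catch (BadCredentialsException e) {
            // Wrong password and unknown user both surface as BadCredentials by default,
            // so the login form cannot tell the two apart (no username enumeration)
            return false;
        }
    }
}
```

The provider turns the UsernameNotFoundException into a BadCredentialsException because hideUserNotFoundExceptions defaults to true, which is why authentication-failure-url sees one generic failure for both cases.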