I am using Spring Security to my application and here is the security part which authenticates the user but the login page is given by Spring Security:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/home*").hasRole("USER")
.and()
.formLogin();
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user")
.password("password")
.roles("USER")
}
}
Instead of Spring's login page I want to use my login page which is below:
login.html
:
<html lang='en'>
<head>
<title>WebApp</title>
<meta charset='utf-8' />
<script src="https://code.jquery.com/jquery-1.11.3.min.js"></script>
<link rel="stylesheet" type="text/css" href="css/bootstrap.css" />
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.2/css/bootstrap.min.css" />
<link rel="stylesheet" href="css/login.css" />
</head>
<body>
<div class="login-page">
<img src='img/taxi_.jpg' style='width: 180px; margin-left: auto; margin-right: auto; display: block; padding-top: 20px; padding-bottom:20px;' />
<div class="heading">
<center>Dashboard</center>
</div>
<div class="form">
<form action ="home.html" class="register-form">
<input type="text" placeholder="name"/>
<input type="password" placeholder="password"/>
<input type="text" placeholder="email address"/>
<button>create</button>
<p class="message">Already registered? <a href="#">Sign In</a></p>
</form>
<form action="home.html" class="login-form">
<input type="text" placeholder="username"/>
<input type="password" placeholder="password"/>
<button id="button_login">login</button>
<p class="message">Not registered? <a href="#">Create an account</a></p>
</form>
</div>
</div>
</body>
</html>
How can I use my custom login page to be shown instead of Spring Security's login page?
Spring security secures all HTTP endpoints by default. A user has to login in a default HTTP form. To enable Spring Boot security, we add spring-boot-starter-security to the dependencies.
Just want to pinpoint a few moments that were not clarified here.
First of all, .loginPage("/login.html")
won't do the trick (it didn't in my case anyway). What is in quotes here is an URL path that will be searched for in your controller. Here is the snippet from my security config file:
.formLogin().loginPage("/login")
.loginProcessingUrl("/authentication").permitAll();
Here I wrote "/login"
. So now in your controller define that the /login
path should point to your login.html
page.
@GetMapping("/login")
public String login() {
return "login";
}
Only then it should redirect to the required view page. I usually place view pages under the /webapp/WEB-INF/view
folder.
P.S. I hope you configured your ViewResolver
bean right, cos otherwise it won't work :)
.antMatchers("/resources/**").permitAll()
So, in the end it will be like that (very short and creepy version, but your custom login should work):
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.loginProcessingUrl("/authentication").permitAll();
}
FYI, place your resources under /webapp/resources/
. Also, you should configure your resource handler in your spring configuration file.
Here is also a nice link to wrap your head around it: Creating a Custom Login Form: Grant access to remaining resources
See Spring Security Reference:
While the automatically generated log in page is convenient to get up and running quickly, most applications will want to provide their own log in page. To do so we can update our configuration as seen below:
protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") 1 .permitAll(); 2 }
1 The updated configuration specifies the location of the log in page.
2 We must grant all users (i.e. unauthenticated users) access to our log in page. The formLogin().permitAll() method allows granting access to all users for all URLs associated with form based log in.
Your modified code:
public void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests()
.antMatchers("/home*").hasRole("USER")
.and()
.formLogin()
.loginPage("/login.html")
.permitAll();
}
httpSecurity.authorizeRequests()
.antMatchers("/home*").hasRole("USER").and()
.formLogin()
.loginPage("/login.html")
.permitAll();
loginFormUrl
must be started with "/" or a absolute url. and make sure the request /login.html
can be handled right.
BTW: if you didn't config the processing url, the processing url will be same with login page
(/login.html
) url with post
method, but in your login page, the action url is /home.html
, please config the processing url to '/home.html'
.formLogin()
.loginProcessingUrl("/home.html")
.loginPage("/login.html")
.permitAll();
And CSRF
is enabled by default, I can't find any CSRF
token in your login form. you can disable csrf or request with token.
http.csrf().disable();
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With