When Spring Security evolved from version 3.2.x to 4.0.0, multiple modifications became required when using XML-based configuration, as stated in the Migration reference. After following through, I'm still struggling with a few issues regarding the new form-login@login-processing-url attribute. Even though I have specified it to continue using /j_spring_security_check as path, it keeps the new /login path active.
I have been using Spring Security along with Spring MVC and began developing with version 3.2.7. I have a Controller mapping the path /login to a page that shows the login form and, depending on possible parameters received, shows a certain error message. Below is my controller:
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {

    // Renders the custom login view; ?error and ?logout are the query flags that
    // authentication-failure-url and logout-success-url append in spring-security.xml.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(@RequestParam(value = "error", required = false) String error,
                        @RequestParam(value = "logout", required = false) String logout,
                        Model model) {
        if (error != null) {
            // Generic message: does not reveal whether the username or the password was wrong.
            model.addAttribute("error", "Usuário e senha inválidos.");
        }
        if (logout != null) {
            model.addAttribute("msg", "Logout bem sucedido.");
        }
        return "login";
    }
}
In version 3.2, my spring-security.xml file specified the form-login@login-page parameter to /login, therefore showing my personalized login form (the same path was used for <logout>).
Now, even though I have explicitly configured form-login@login-processing-url, the /login still redirects to Spring Security's default login page. Besides this, even though I have also specified a logout@logout-url attribute, when logging out Spring still redirects me to the default login form with the "logout successful" message, instead of to my own controller to show my personalized logout message.
When I use the /login? path, the application shows my own login form, but if I call /login?logout or /login?error, which would, respectively, show my logout and error messages, Spring redirects to the default login page.
Question: Is there a way to fully disable the /login redirection?
I know I could simply change my personalized path to something else instead, such as /signin, and avoid the confusion, but I'm doing it as an exercise to understand more about Spring Security 4.x. Besides, I'm concerned a user typing the URL instead of navigating through links would simply drop on Spring's default login page.
Additionally, here follows an excerpt of my spring-security.xml file, already adapted to version 4.x:
<http auto-config="true" use-expressions="true" disable-url-rewriting="true">
    <access-denied-handler error-page="/403" />
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/power/**" access="hasRole('ROLE_POWER_USER')" />
    <!-- login-page: my controller; login-processing-url: to reproduce 3.2 behaviour -->
    <form-login
        login-page="/login"
        default-target-url="/"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/login?error"
        username-parameter="username"
        password-parameter="password" />
    <logout logout-success-url="/login?logout"
        logout-url="/j_spring_security_logout" />
    <headers disabled="true" />
    <!-- I know it could be omitted -->
    <csrf disabled="false" />
</http>
UPDATE (04/16/2015): Looks like a bug on version 4.0.0. Check my answer.
What you need to do is implement a custom AuthenticationEntryPoint to turn off login redirect (which is set to default).
Here is some starter reading information:
http://docs.spring.io/spring-security/site/docs/4.0.0.RELEASE/reference/htmlsingle/#auth-entry-point
Here is also an example of how it is implemented:
http://krams915.blogspot.com.au/2010/12/spring-security-mvc-integration-using_26.html
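The answer above points at a custom AuthenticationEntryPoint but does not show one, so the following is an added example written for this page (it is not code from the question, the answer, or the Spring Security project). It assumes a package name of com.example.security, a class name of CustomLoginEntryPoint, and that the /login controller from the question stays in place; the entry point does nothing but send unauthenticated browser requests to that controller, so the Spring-generated page is never the redirect target.

```java
package com.example.security; // assumed package name, not from the question

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Entry point that always sends unauthenticated browser requests to the
 * application's own login controller (the /login mapping from the question).
 * Wired with entry-point-ref on <http>, it replaces the LoginUrlAuthenticationEntryPoint
 * that <form-login> registers by default.
 */
public class CustomLoginEntryPoint implements AuthenticationEntryPoint {

    /** Path of the custom login controller, relative to the servlet context root. */
    private final String loginPath;

    public CustomLoginEntryPoint(String loginPath) {
        // Reject anything that is not a context-relative path: the redirect target is
        // fixed at configuration time and never derived from the incoming request.
        if (loginPath == null || !loginPath.startsWith("/") || loginPath.startsWith("//")) {
            throw new IllegalArgumentException("loginPath must be a context-relative path starting with '/'");
        }
        this.loginPath = loginPath;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // Non-browser callers (XHR) get a bare 401 instead of an HTML redirect, so a
        // script consuming JSON never receives the login page body as its "data".
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        // ExceptionTranslationFilter has already stored the original request in its
        // RequestCache before calling commence(), so the post-login redirect to the
        // originally requested page still works with this custom entry point.
        String target = request.getContextPath() + loginPath;
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

To use it with the XML configuration from the question, declare the bean (with a beans: prefix, since the security namespace is the default one) as <beans:bean id="loginEntryPoint" class="com.example.security.CustomLoginEntryPoint"><beans:constructor-arg value="/login"/></beans:bean> and add entry-point-ref="loginEntryPoint" to the <http> element; the bean id and class name are assumptions for this example. Two checks are worth making afterwards: if a catch-all <intercept-url pattern="/**" ...> rule is ever added, /login must be granted permitAll or every redirect will loop back into the entry point; and the entry point only decides where unauthenticated users are sent, it does not itself unregister the auto-generated login page filter, which is the separate behaviour the question's update attributes to 4.0.0.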