
What is the use case for overriding default login-processing-url in spring security

Here is a sample config for spring security form login

<http auto-config="true" use-expressions="false">
    <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t"/>
</http>

Now if I don't specify an explicit login-processing-url, Spring assumes it is just "/j_spring_security_check". I could not find any functional difference between the default and the overridden one, and found that Spring handles the change seamlessly. I tried googling to understand when we should override it. None of the answers satisfied me.

So when and why should we override the default login-processing-url? And most importantly, is there any use case where we "must" override the default?

Thanks

Abhijit Mazumder asked Jan 14 '23 11:01


1 Answer

If you want to hide the fact that you are using Spring Security, you should override the login-processing-url to something like "forms/login", as well as the username and password form parameters. This helps hide the framework that you are using to secure your site.

The <form-login> tag is shorthand for configuring the UsernamePasswordAuthenticationFilter. This filter will only be invoked by the URL specified in login-processing-url and will use the values set for username-parameter and password-parameter as the username and password from the request.

Jay Lindquist answered Jan 16 '23 19:01
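
The override described in the answer above, shown as an added example that is not part of the original question or answer. It assumes the Spring Security 3.1+ XML namespace; the URL "/forms/login" and the parameter names "user" and "pass" are constructed values, and the form assumes the application is deployed at the root context.

```xml
<!-- Before: defaults. The login form posts to /j_spring_security_check
     with fields j_username and j_password, which identifies the framework
     to anyone who views the page source. -->
<http auto-config="true" use-expressions="false">
    <form-login login-page="/login"
                authentication-failure-url="/login?login_error=t"/>
</http>

<!-- After: the processing URL and both parameter names are overridden
     (constructed values), so the form no longer carries the defaults. -->
<http auto-config="true" use-expressions="false">
    <form-login login-processing-url="/forms/login"
                username-parameter="user"
                password-parameter="pass"
                login-page="/login"
                authentication-failure-url="/login?login_error=t"/>
</http>

<!-- Login form served at /login. Its action and field names must equal the
     three values configured above: UsernamePasswordAuthenticationFilter only
     acts on requests to login-processing-url and reads the credentials from
     the configured parameter names. A mismatch means the filter is never
     invoked, or it reads no credentials and authentication fails. -->
<form action="/forms/login" method="post">
    <input type="text" name="user"/>
    <input type="password" name="pass"/>
    <input type="submit" value="Log in"/>
</form>
```

The overridden URL must still fall under the URL pattern that web.xml maps to the springSecurityFilterChain filter; otherwise the request never reaches the authentication filter.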