Here is a sample config for Spring Security form login:
    <http auto-config="true" use-expressions="false">
        <form-login login-processing-url="/static/j_spring_security_check"
                    login-page="/login"
                    authentication-failure-url="/login?login_error=t"/>
    </http>
Now if I don't specify any explicit login-processing-url, Spring assumes it is just "/j_spring_security_check". I could not find any functional difference between the default and the overridden one, and found that Spring handles the change seamlessly. I tried Googling to understand when we should override it. None of the answers satisfied me.
So when and why should we override the default login-processing-url? And most importantly, is there any use case where we "must" override the default?
Thanks
If you want to hide the fact that you are using Spring Security, you should override the login-processing-url to something like "forms/login", as well as the username and password form parameters. This helps hide the framework that you are using to secure your site.
The <form-login> tag is shorthand for configuring the UsernamePasswordAuthenticationFilter. This filter will only be invoked by the URL specified in login-processing-url and will use the values set for username-parameter and password-parameter as the username and password from the request.
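The override described in the answer above, as an added example that is not part of the original post. The URL "/forms/login" and the field names "user" and "pass" are constructed placeholders, and the form fragment assumes the application is deployed at the root context path.

```xml
<!-- Added example: the question's config with the three framework-revealing
     values overridden. "/forms/login", "user" and "pass" are constructed
     placeholder names, not values from the original post. -->
<http auto-config="true" use-expressions="false">
    <form-login login-page="/login"
                login-processing-url="/forms/login"
                username-parameter="user"
                password-parameter="pass"
                authentication-failure-url="/login?login_error=t"/>
</http>

<!-- Matching form rendered by the /login page. The action must equal
     login-processing-url, otherwise UsernamePasswordAuthenticationFilter
     never sees the POST; the input names must equal username-parameter and
     password-parameter, otherwise the filter reads empty credentials.
     If CSRF protection is enabled, the form also needs the CSRF token field. -->
<form action="/forms/login" method="post">
    <input type="text" name="user"/>
    <input type="password" name="pass"/>
    <input type="submit" value="Log in"/>
</form>
```

The login-processing-url must fall under the URL pattern mapped to the springSecurityFilterChain filter in web.xml, since the authentication filter only runs on requests that pass through that chain.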