
Why doesn't my custom login page show with Spring Security 4?

I am able to use a custom login page with Spring Security 3.2.4, but after migrating with the code below using 4.0.0, I see a generic login form instead of my custom one:

  <beans:bean id="authSuccessHandler" class="com.company.web.RoleBasedAuthenticationSuccessHandler" />

  <http disable-url-rewriting="false" use-expressions="true">
    <form-login login-page="/login"
        username-parameter="j_username"
        password-parameter="j_password"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/login?login_error=true"
        authentication-success-handler-ref="authSuccessHandler"/>
    <!-- SOME INTERCEPT-URLs (redacted) -->
    <intercept-url pattern="/login" access="permitAll"/>
    <remember-me 
         remember-me-parameter="_spring_security_remember_me"
         remember-me-cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE"/>
    <logout 
         logout-url="/j_spring_security_logout" 
         logout-success-url="/index" />
  </http>

I also tried enabling debug logging on the various Spring classes. I set it on my custom authSuccessHandler, but I don't see any output from it. No luck with searching on SO or Google either.

Is there anything incompatible about this configuration?

Update:

I'm also using Apache Tiles as so:

  <definition name="login" extends="scrollableLayout">
    <put-attribute name="header" value="/WEB-INF/jsp/heading_blue.jsp"/>
    <put-attribute name="body" value="/WEB-INF/jsp/login.jsp"/>
  </definition>

And using the following:

  <mvc:view-controller path="/login" />  
vphilipnyc asked Apr 12 '15 21:04


1 Answer

Spring Security 3.x used spring_security_login as the default login URL (source: official documentation). This could be set to a custom value as <security:form-login login-page="/login"> and mapped to a controller to render a custom page.

Spring Security 4.x has abandoned spring_security_login and switched to login as the default login URL (source: official Spring Security 4.x migration guide). Therefore, the URL login now goes to the default Spring Security infrastructure, which displays the default, auto-generated login page.

The remedy is simple if you are using JSP as the view rendering technology. Simply rename your login page to login.jsp, drop it in the root folder of the page hierarchy and Spring Security will pick it up automatically. If you are not using JSP, you will have to use a different login-page value (perhaps signin instead of login) and then change your controller mapping as well.

Note that the default logout URL has also changed in 4.x. If you have any custom logic written for the logout URL, do make sure to review that as well.

Do review the official migration guide as a lot of things have changed in 4.x.

manish answered Nov 14 '22 23:11
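
The answer's second remedy applied to the configuration from the question, as an added example that is not part of the original answer or the asker's project. The path /signin is an assumption taken from the answer's suggestion; view-name="login" is added so the new path still resolves to the existing Tiles definition named login.

```xml
<!-- Added example. "/signin" is an assumed path, not from the question. -->
<http disable-url-rewriting="false" use-expressions="true">
  <!-- login-page is moved off /login, as the answer suggests. The other
       attributes keep the 3.x values from the question; the 4.x defaults
       are /login, username and password. -->
  <form-login login-page="/signin"
      username-parameter="j_username"
      password-parameter="j_password"
      login-processing-url="/j_spring_security_check"
      authentication-failure-url="/signin?login_error=true"
      authentication-success-handler-ref="authSuccessHandler"/>
  <!-- The login page itself must stay reachable without authentication. -->
  <intercept-url pattern="/signin" access="permitAll"/>
  <!-- remaining intercept-url rules as in the question -->
  <remember-me
      remember-me-parameter="_spring_security_remember_me"
      remember-me-cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE"/>
  <!-- 4.x default logout URL is /logout; the 3.x value is kept here. -->
  <logout logout-url="/j_spring_security_logout"
      logout-success-url="/index"/>
  <!-- 4.x XML configuration enables CSRF protection by default: the login
       form has to post the _csrf token and logout has to be a POST. -->
</http>

<!-- MVC context: map the new path to the existing "login" Tiles definition.
     Without view-name the view would be derived from the path ("signin"). -->
<mvc:view-controller path="/signin" view-name="login"/>
```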