Spring Security – Custom Form Login with Example
Spring Security is a framework that allows a programmer to use JEE components to set security limitations on Spring-framework-based Web applications. In a nutshell, it’s a library that can be utilized and customized to suit the demands of the programmer. Because it is a part of the same Spring family as Spring Web MVC, it works well together. The most significant benefit of this framework is that it is both strong and very adaptable. Although it adheres to Spring’s set-up conventions, programmers may select between default provisions and modify them to their specific requirements. Read more on Spring Security and its Features in this article Introduction to Spring Security and its Features.
Spring Security provides its own built-in login module to authenticate the user. It validates the user credentials and provides accessibility to the application. But what if we want to customize the login page then how to do it? So we can do it by creating our own jsp login page and integrating it into the application.
Example Project
In this article, we will explain how to create our custom login form and authenticate the users. We’re going to build on top of the simple Spring MVC example.
Step 1: Create Your Project and Configure Apache Tomcat Server
Note: We are going to use Spring Tool Suite 4 IDE for this project. Please refer to this article to install STS in your local machine How to Download and Install Spring Tool Suite (Spring Tools 4 for Eclipse) IDE.
- Create a Dynamic Web Project in your STS IDE. You may refer to this article to create a Dynamic Web Project in STS: How to Create a Dynamic Web Project in Spring Tool Suite?
- Configure Apache Tomcat Server and configure the Tomcat Server with the application. Now we are ready to go.
Step 2: Folder Structure
Before moving to the project let’s have a look at the complete project structure for our Spring MVC application.
Step 3: Add Dependencies to pom.xml File
Add the following dependencies to your pom.xml file
- Spring Web MVC
- Java Servlet API
- Spring Security Config
- Spring Security Web
XML
< dependencies > <!-- https://mvnrepository.com/artifact/org.springframework/spring-webmvc --> < dependency > < groupId >org.springframework</ groupId > < artifactId >spring-webmvc</ artifactId > < version >5.3.24</ version > </ dependency > <!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api --> < dependency > < groupId >javax.servlet</ groupId > < artifactId >javax.servlet-api</ artifactId > < version >4.0.1</ version > < scope >provided</ scope > </ dependency > <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config --> < dependency > < groupId >org.springframework.security</ groupId > < artifactId >spring-security-config</ artifactId > < version >5.7.3</ version > </ dependency > <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web --> < dependency > < groupId >org.springframework.security</ groupId > < artifactId >spring-security-web</ artifactId > < version >5.7.3</ version > </ dependency > </ dependencies > |
Below is the complete pom.xml file. Please cross-verify if you have missed some dependencies.
XML
<? xml version = "1.0" encoding = "UTF-8" ?> < project xmlns = "http://maven.apache.org/POM/4.0.0" xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation = "http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" > < modelVersion >4.0.0</ modelVersion > < groupId >com.gfg.springsecurity</ groupId > < artifactId >springsecurity</ artifactId > < version >0.0.1-SNAPSHOT</ version > < packaging >war</ packaging > < name >springsecurity Maven Webapp</ name > <!-- FIXME change it to the project's website --> < url >http://www.gfg.com</ url > < properties > < project.build.sourceEncoding >UTF-8</ project.build.sourceEncoding > < maven.compiler.source >1.7</ maven.compiler.source > < maven.compiler.target >1.7</ maven.compiler.target > </ properties > < dependencies > <!-- https://mvnrepository.com/artifact/org.springframework/spring-webmvc --> < dependency > < groupId >org.springframework</ groupId > < artifactId >spring-webmvc</ artifactId > < version >5.3.24</ version > </ dependency > <!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api --> < dependency > < groupId >javax.servlet</ groupId > < artifactId >javax.servlet-api</ artifactId > < version >4.0.1</ version > < scope >provided</ scope > </ dependency > <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config --> < dependency > < groupId >org.springframework.security</ groupId > < artifactId >spring-security-config</ artifactId > < version >5.7.3</ version > </ dependency > <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web --> < dependency > < groupId >org.springframework.security</ groupId > < artifactId >spring-security-web</ artifactId > < version >5.7.3</ version > </ dependency > </ dependencies > < build > < finalName >springsecurity</ finalName > < pluginManagement > <!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) --> < plugins > < plugin > < artifactId >maven-clean-plugin</ artifactId > < version >3.1.0</ version > </ plugin > <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging --> < plugin > < artifactId >maven-resources-plugin</ artifactId > < version >3.0.2</ version > </ plugin > < plugin > < artifactId >maven-compiler-plugin</ artifactId > < version >3.8.0</ version > </ plugin > < plugin > < artifactId >maven-surefire-plugin</ artifactId > < version >2.22.1</ version > </ plugin > < plugin > < artifactId >maven-war-plugin</ artifactId > < version >3.2.2</ version > </ plugin > < plugin > < artifactId >maven-install-plugin</ artifactId > < version >2.5.2</ version > </ plugin > < plugin > < artifactId >maven-deploy-plugin</ artifactId > < version >2.8.2</ version > </ plugin > </ plugins > </ pluginManagement > </ build > </ project > |
Step 4: Configuring Dispatcher Servlet
Please refer to this article What is Dispatcher Servlet in Spring? and read more about Dispatcher Servlet which is a very very important concept to understand. Now we are going to configure Dispatcher Servlet with our Spring MVC application.
Go to the src > main > java and create a class WebAppInitilizer. Below is the code for the WebAppInitilizer.java file.
File: WebAppInitilizer.java
Java
package com.gfg.config; import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer; public class WebAppInitilizer extends AbstractAnnotationConfigDispatcherServletInitializer { @Override protected Class<?>[] getRootConfigClasses() { // TODO Auto-generated method stub return null ; } @Override protected Class<?>[] getServletConfigClasses() { Class[] configFiles = {MyAppConfig. class }; return configFiles; } @Override protected String[] getServletMappings() { String[] mappings = { "/" }; return mappings; } } |
Create another class in the same location (src > main > java) and name it MyAppConfig. Below is the code for the MyAppConfig.java file.
File: MyAppConfig.java
Java
package com.gfg.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.view.InternalResourceViewResolver; @Configuration @EnableWebMvc @ComponentScan ( "com" ) public class MyAppConfig { } |
Reference article: Spring – Configure Dispatcher Servlet in Three Different Ways
Step 5: Create Your Spring MVC Controller
Go to the src > main > java and create a class GfgController. Below is the code for the GfgController.java file.
File: GfgController.java
Java
package com.gfg.controller; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.ResponseBody; @Controller public class GfgController { // Secure this one @GetMapping ( "/gfg" ) public String helloGfg() { return "hello-gfg" ; } // Don't secure this @GetMapping ( "/gfg/welcome" ) @ResponseBody public String welcomeGfg() { return "Welcome to w3wiki" ; } } |
Go to the src > main > java and create a class LoginController. Below is the code for the LoginController.java file.
File: LoginController.java
Java
package com.gfg.controller; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; @Controller public class LoginController { @GetMapping ( "/customLogin" ) public String customLogin() { return "custom-login" ; } } |
Reference article: Create and Run Your First Spring MVC Controller in Eclipse/Spring Tool Suite
Step 6: Create Your Spring MVC Views
Go to the src > main > webapp > WEB-INF > right-click > New > Folder and name the folder as views. Then views > right-click > New > JSP File and name your first view. Here we have named it as hello-gfg.jsp file. Below is the code for the hello-gfg.jsp file. We have created a simple web page inside that file.
File: hello-gfg.jsp
HTML
<!DOCTYPE html> < html > < body bgcolor = "green" > < h1 >Hello w3wiki!</ h1 > </ body > </ html > |
Also, create another view named custom-login.jsp file. Below is the code for the custom-login.jsp file. We have created a simple login form inside that file.
File: custom-login.jsp
HTML
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %> <!DOCTYPE html> < html > < title >GFG Login Page</ title > < body bgcolor = "green" > < h1 >Custom Login Page</ h1 > < form:form > Username : < input type = "text" name = "username" > < br /> Password : < input type = "password" name = "password" > < br /> < input type = "submit" value = "Login" > </ form:form > </ body > </ html > |
Reference article:
Step 7: Setting Up ViewResolver in Spring MVC
Go to the src > main > java > MyAppConfig and set your ViewResolver like this
File: MyAppConfig.java
Java
package com.gfg.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.view.InternalResourceViewResolver; @Configuration @EnableWebMvc @ComponentScan ( "com" ) public class MyAppConfig { @Bean InternalResourceViewResolver viewResolver() { InternalResourceViewResolver viewResolver = new InternalResourceViewResolver(); viewResolver.setPrefix( "/WEB-INF/views/" ); viewResolver.setSuffix( ".jsp" ); return viewResolver; } } |
Reference article: ViewResolver in Spring MVC
Step 8: Setting Up Spring Security Filter Chain
Go to the src > main > java and create a class MySecurityAppConfig and annotate the class with @EnableWebSecurity annotation. This class will help to create the spring security filter chain. Below is the code for the MySecurityAppConfig.java file.
File: MySecurityAppConfig.java
Java
package com.gfg.config; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; // This class will help to create // spring security filter chain @EnableWebSecurity public class MySecurityAppConfig extends WebSecurityConfigurerAdapter { } |
Step 9: Create Spring Security Initilizer
Go to the src > main > java and create a class SecurityInitializer. This class will help to register the spring security filter chain with our application. Below is the code for the SecurityInitializer.java file.
File: SecurityInitializer.java
Java
package com.gfg.config; import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer; // This class will help to register spring security // filter chain with our application public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer { } |
Now we are done with setting up our Spring Security Filter Chain.
Step 10: Create Users and Password Encoder
Modify the MyAppConfig file. Here we are going to create the PasswordEncoder Bean.
File: MyAppConfig.java
Java
package com.gfg.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.web.servlet.config.annotation.EnableWebMvc; import org.springframework.web.servlet.view.InternalResourceViewResolver; @Configuration @EnableWebMvc @ComponentScan ( "com" ) public class MyAppConfig { @Bean InternalResourceViewResolver viewResolver() { InternalResourceViewResolver viewResolver = new InternalResourceViewResolver(); viewResolver.setPrefix( "/WEB-INF/views/" ); viewResolver.setSuffix( ".jsp" ); return viewResolver; } // Create the bean for PasswordEncoder @Bean PasswordEncoder getPasswordEncoder() { return new BCryptPasswordEncoder(); } } |
Modify the MySecurityAppConfig file. Here we are going to create the User, and we are going to provide the password in Bcrypt format. And we are also going to provide the roles to the user.
Note: We are going to use Spring Security In-Memory Authentication. Please refer to this article for more detail.
File: MySecurityAppConfig.java
Java
package com.gfg.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.password.PasswordEncoder; // This class will help to create @SuppressWarnings ( "deprecation" ) // spring security filter chain @EnableWebSecurity public class MySecurityAppConfig extends WebSecurityConfigurerAdapter { @Autowired private PasswordEncoder passwordEncoder; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser( "gfg" ) .password(passwordEncoder.encode( "gfg123" )) .roles( "admin" ); } } |
Step 11: Configuring Basic Authentication and Integrating Custom Login into the Application
Modify the MySecurityAppConfig file. Here we are going to integrate Custom Login into the Application.
File: MySecurityAppConfig.java
Java
package com.gfg.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.password.PasswordEncoder; // This class will help to create @SuppressWarnings ( "deprecation" ) // spring security filter chain @EnableWebSecurity public class MySecurityAppConfig extends WebSecurityConfigurerAdapter { @Autowired private PasswordEncoder passwordEncoder; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication() .withUser( "gfg" ) .password(passwordEncoder.encode( "gfg123" )) .roles( "admin" ); } // Configuring basic authentication through configure method @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeHttpRequests() .antMatchers( "/gfg" ).authenticated() .antMatchers( "/gfg/welcome" ).permitAll() .and() .formLogin().loginPage( "/customLogin" ) .and() .httpBasic(); } } |
Now, let’s run the application and test it out.
Step 12: Run Your Spring MVC Application
To run our Spring MVC Application right-click on your project > Run As > Run on Server. After that use the following URL to run your controller.
http://localhost:8080/springsecurity/gfg
And it will ask for authentication to use the endpoint and a pop-up screen will be shown like this. But this time it’s our custom login page.
Now sign in with the following credentials
- Username: gfg
- Password: gfg123
And now you can access your endpoint. You will get the output like this.
Contact Us