February 03, 2020

Spring Security-Part 4.3: Form Based Authentication


Form Based Authentication
  • When we do basic authentication, we need to pass the 'Authorization' header with every request (e.g. Authorization: Basic BASE64(username:password)). Though basic auth is simple and fast, it has one disadvantage: the browser resends the credentials on every request, so there is no way to log out.
  • We can use form based authentication instead, in which the user enters a user name and password once and can log out whenever required.


To switch from Basic to Form based authentication, we need to update ApplicationSecurityConfig. In the configure() method, use formLogin() instead of httpBasic().


Now if you restart the application and try to access the students API (http://localhost:8080/api/v1/students/1), you will see Spring Security's default login form.


After successful login, we can access the other APIs (if authorized) without passing user credentials on each request. This is possible because of the session ID that the server issues after login. The default expiration of this session ID is 30 minutes.

To store the session ID, Spring by default uses in-memory storage; if required we can use Postgres or Redis instead.

GIT: https://github.com/greekykhs/spring-security/commit/d2b8475e4ac6dc827262dc19b80e0c30024789c4

How To Create A Custom Login Form For Form Based Authentication

We need to first add spring-boot-starter-thymeleaf dependency in our pom.xml.

Inside the templates folder (which is inside the resources folder) create login.html. I copied the content from Spring's login form into my own custom login.html (simply open http://localhost:8080/login in the browser, right click, view source and copy).

Create a TemplateController class inside the com.example.springsecuritydemo.controller package. We need to declare a method annotated with @GetMapping("login") that returns "login" (the returned String must match the name of the HTML file we created).


Inside the configure() method of ApplicationSecurityConfig, we register our custom login form by adding '.loginPage("/login").permitAll()' after 'formLogin()'. permitAll() lets users reach the login page without being authenticated; otherwise the login page itself would redirect to the login page.

Restart the application and try to access the students API (http://localhost:8080/api/v1/students/1); you will see the custom login form.


GIT : https://github.com/greekykhs/spring-security/commit/1365e5f7be667cf0ac4b5ec31cea329afb0c2805

Redirect to a custom page after successful login from custom login page

Let's say a user opens the login page http://localhost:8080/login and enters correct credentials. After successful login they are redirected to the index page. Instead of this, we are now going to show a custom view.

Inside the templates folder (which is inside the resources folder) create courses.html.

In TemplateController we add another method, getCourses(), annotated with @GetMapping("courses") that returns "courses" (again, the returned String must match the name of the HTML file we created).

Inside the configure() method of ApplicationSecurityConfig, we set our custom success page by adding '.defaultSuccessUrl("/courses", true)'. The second argument, true, means the user is always sent to /courses after login, even if they originally requested a different protected URL.


Restart the application and try to access the students API (http://localhost:8080/api/v1/students/1); you will see the custom login form, and after successful login courses.html will be shown.
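The three configure() changes from this post and the previous sections pulled together into one security config, as an added example rather than the post's own code. It assumes Spring Boot 2.x / Spring Security 5 (WebSecurityConfigurerAdapter) and the com.example.springsecuritydemo package used in the post; TemplateController's two @GetMapping methods returning "login" and "courses" are unchanged and not repeated here.

```java
// Added example (not from the post): ApplicationSecurityConfig with form login,
// the custom login page and the fixed post-login redirect described above.
// Assumes Spring Boot 2.x / Spring Security 5 (WebSecurityConfigurerAdapter).
package com.example.springsecuritydemo.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request, including /api/v1/students/**, requires an authenticated session.
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            // formLogin() replaces httpBasic(): credentials are POSTed to /login once,
            // after which the session cookie identifies the user (default timeout 30 min).
            .formLogin()
                // Serve our Thymeleaf login.html; permitAll() so the unauthenticated
                // user is not redirected to the login page while loading the login page.
                .loginPage("/login").permitAll()
                // alwaysUse=true: land on courses.html after login regardless of which
                // protected URL the user originally asked for.
                .defaultSuccessUrl("/courses", true);
        // CSRF protection stays at its default (enabled). A login form written with
        // th:action="@{/login}" gets the hidden _csrf field added by Thymeleaf's
        // Spring integration; a copied form with a plain action="/login" does not.
    }
}
```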

GIT: https://github.com/greekykhs/spring-security/commit/a84c47b3a11ee4822716cff5bea2c38810e2dadc

-K Himaanshu Shuklaa..
