Sunday, 6 January 2013

Spring Security Form Login Example

Thanks to mkyong. This tutorial is based on his tutorial
Spring Security allows developer to integrate security features with J2EE web application easily, it highjacks incoming HTTP request via servlet filters, and implements “user defined” security checking.
By default, if no login form is provided, Spring Security will create a simple login form automatically, see demonstration in this Spring Security hello world example.
In this tutorial, we show you how to create a custom login form and ask Spring Security to use it for login authentication.

Technologies used :

    • Spring 3.0.5.RELEASE
    • Spring Security 3.0.5.RELEASE
    • Eclipse Indigo
    • JDK 1.6
    • Maven 3

      Step : 1

      If you are new java and Maven, then first setup environment in your local document. This document will help you to set up Java, Maven and Tomcat.

      Step : 2

      In the Eclipse IDE, Select File –> New –> Other –> Maven Project as shown here.


      In the next screen, Verify that the Create a simple project checkbox is disabled and click Next.


      In the next screen, Enter maven-archetype-webapp as a filter, select maven-archetype-webapp in the artifact list and click Nextclip_image0026_thumb

      In the next screen, enter the values as shown and Click Finish


      After finish, the following project will be created with the folders as shown.


      Step : 3

      Let us create our java folder where we will create all required java classes here. Goto the Project springformlogin ->Src->Main and Right click and say new folder.
      Enter the new folder name as "Java".
      Now let include this folder into Project build path.Follow the steps
      1. Select springformlogin in the Navigator.
      2. Right Click and Select Properties
      3. Select Java Build Path in the Left hand Tree.
      4. Go to Source Tab
      5. Select "Add Folder" in the right hand side.
      6. Select Java Folder and click ok.
      7. Now select Edit and enter "**/*.java" in inclusion pattern in the top.


      Step : 4

      POM File changes. Let us do the following changes in the POM.XML File
      1. By default, Maven 3 will use the JDK 1.4 to compile the source of your project, which is rather old and obsolete. Fortunately, Maven comes with a Maven Compiler Plugin, which enable Maven to compile the project source with a particular JDK version.
      2. Spring Security Dependencies: To use Spring security 3.0, you need “spring-security-core.jar“, “spring-security-web.jar” and “spring-security-config.jar“. Spring libraries are available in Maven central repository. Let us add this into POM.XML File as follows (You can remove all the content and copy from here and paste it)
      3. And also, we will use jstl  dependency.
      <project xmlns="" xmlns:xsi=""
          <name>springformlogin Maven Webapp</name>
              <!-- Spring 3 -->
              <!-- Spring Security -->
          <!-- jstl -->

      Step : 5
      Spring controller to handle what URL should go where.  Select java folder and Select new Class. Give the package name as "com.example.common.controller" and class name as "LoginController". After clicking Finish, folders will be created and will look as follows

      And paste the following code in the java file
      package com.example.common.controller;
      import org.springframework.stereotype.Controller;
      import org.springframework.ui.ModelMap;
      import org.springframework.web.bind.annotation.RequestMapping;
      import org.springframework.web.bind.annotation.RequestMethod;
      public class LoginController {
          @RequestMapping(value="/welcome", method = RequestMethod.GET)
          public String printWelcome(ModelMap model, Principal principal ) {
              String name = principal.getName();
              model.addAttribute("username", name);
              model.addAttribute("message", "Spring Security Custom Form example");
              return "hello";
          @RequestMapping(value="/login", method = RequestMethod.GET)
          public String login(ModelMap model) {
              return "login";
          @RequestMapping(value="/loginfailed", method = RequestMethod.GET)
          public String loginerror(ModelMap model) {
              model.addAttribute("error", "true");
              return "login";
          @RequestMapping(value="/logout", method = RequestMethod.GET)
          public String logout(ModelMap model) {
              return "login";

      Step : 6
      Now let us create the JSP Page. Create a new folder called "Pages" under webapp\web-inf folder as shown here.


      Now right click on pages folder and Select new jsp file and give the name as "hello.jsp". Replace the default content and paste the following

      <%@ taglib prefix="c" uri=""%>
          <h3>Message : ${message}</h3>   
          <h3>Username : ${username}</h3>   
          <a href="<c:url value="/j_spring_security_logout" />" > Logout</a>


      File : login.jsp
      <%@ taglib prefix="c" uri=""%>
      <title>Login Page</title>
      .errorblock {
          color: #ff0000;
          background-color: #ffEEEE;
          border: 3px solid #ff0000;
          padding: 8px;
          margin: 16px;
      <body onload='document.f.j_username.focus();'>
          <h3>Login with Username and Password (Custom Page)</h3>
          <c:if test="${not empty error}">
              <div class="errorblock">
                  Your login attempt was not successful, try again.<br /> Caused :
          <form name='f' action="<c:url value='j_spring_security_check' />"
                      <td><input type='text' name='j_username' value=''>
                      <td><input type='password' name='j_password' />
                      <td colspan='2'><input name="submit" type="submit"
                          value="submit" />
                      <td colspan='2'><input name="reset" type="reset" />


      Step : 7

      Right click on web-INF Folder and Select new file and Enter the file name as "mvc-dispatcher-servlet.xml"

      Paste the following content

      <beans xmlns=""
          <context:component-scan base-package="com.example.common.controller" />
              <property name="prefix">
              <property name="suffix">
          <bean id="messageSource"
              <property name="basenames">

      Step : 8
      Now let us add the spring security. Right click on web-INF Folder and Select new file and Enter the file name as "spring-security.xml"
      1. login-page=”/login” – The login form will be “/login”
      2. default-target-url=”/welcome” – If authentication success, forward to “/welcome”
      3. authentication-failure-url=”/loginfailed” – If authentication failed, forward to “/loginfailed”
      4. logout-success-url=”/logout” – If logout , forward to “/logout”

      Paste the following content

      <beans:beans xmlns=""
          xmlns:beans="" xmlns:xsi=""

          <http auto-config="true">
              <intercept-url pattern="/welcome*" access="ROLE_USER" />
              <form-login login-page="/login" default-target-url="/welcome"
                  authentication-failure-url="/loginfailed" />
              <logout logout-success-url="/logout" />
                      <user name="mkyong" password="123456" authorities="ROLE_USER" />

      Step : 9

      To integrate Spring security with web application, just declare “DelegatingFilterProxy” as servlet filter to intercept incoming request.Open WEB.xml and replace with the following one.

      <web-app id="WebApp_ID" version="2.4"
          xmlns="" xmlns:xsi=""
          <display-name>Spring MVC Application</display-name>
          <!-- Spring MVC -->
          <!-- Spring Security -->

      Step : 10

      Default Spring’s error message is not user friendly enough. In Spring Security, when authentication is failed, following predefined error messages will be displayed
      Spring display : Bad credentials

      We can override above error message and display your custom error message. Spring Security stored messages in “” inside “spring-security-core.jar“. To override it, find which key generate what error message in spring security file, and redefine it with your own properties file.

      Create a new properties file, put it on project classpath, and override the Spring’s “key” with your custom error message. In this case, just override “AbstractUserDetailsAuthenticationProvider.badCredentials“.

      File :
      AbstractUserDetailsAuthenticationProvider.badCredentials=Invalid username or password


      Step : 11
      Now let us start the server .

      Access URL “http://localhost:8080/springformlogin/welcome“, Spring will redirect to your custom login form.


      If username/password is wrong, authentication failed, display custom error messages.


      If username/password is correct, authentication success, display requested page.



      1. The extra screenshots and clear steps make it very ready to understand, thank you.

      2. Thanks, my friend

      3. can u plz tel me .... how to use concurrency control with out using mvc... is it posible

      4. Thanks for the example provided and very good explanation , can you plz help me to find how to intergrate it with database, it can be either hibernate or plain jdbc

      5. This blog aims to promote sharing and understanding of technical information and knowledge associated with Cyber Security for the benefit of secure your computer, accounts, and the data stored on them..This blog provides you all types of security tutorial.Lets Learn about Security

      6. Maybe you can provide us with source codes?