  Custom login -- Flow
 
Subject: Custom login -- Flow
Author: WebSpider
In response to: Example #3: Expression-Based Access Control + LDAP authentication + Custom Login Page
Posted on: 12/06/2017 03:17:43 AM


Ultimate goal: GET /app/list_resource

   user -------------------- /app/list_resource -------------------------------------------------> protected resource


How to reach the goal: GET /app/list_resource
   user --------------- /app/list_resource 
                          |
                          v
                   filter: DelegatingFilterProxy
                          |
                          v
                  <http form-login@login-page: /my_login  (1)
                          |
                          v
                  Controller.login(String error, String logout)
                          |
                          v
                  View: login.jsp         action="/where_"
                       (user's input)  -------------------> match (2) in xml? --no-->  (custom process)
                                                                    |
                                                                   yes
                                                                    |
                                                                    v
                                                    processed by Spring: <authentication-manager>
                                                                    |
                                                                 succeed? --no--> /my_login?error (3)
                                                                    |
                                                                   yes
                                                                    |
                                                                    v
                                    always-use-default-target (5) ==true?  --no--> /app/list_resource -----> protected resource
                                                                    |
                                                                   yes
                                                                    |
                                                                    v
                                                                 /welcome (4)




 

> On 12/06/2017 03:11:24 AM WebSpider wrote:

Step 1: Custom login -- Controller

GET http://<host>:<port>/<context>/my_login --> this.login(String error, String logout)
	@RequestMapping(value = "/my_login", method = RequestMethod.GET)
	public ModelAndView login(
		@RequestParam(value = "error", required = false) String error,
		@RequestParam(value = "logout", required = false) String logout) {

		ModelAndView model = new ModelAndView();
		if (error != null) {
			model.addObject("error", "Invalid username and password!");
		}

		if (logout != null) {
			model.addObject("msg", "You've been logged out successfully.");
		}
		model.setViewName("login");

		return model;

	}


Step 2: Custom login -- View

model("login") --> login.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
    <body onload='document.loginForm.username.focus();'>

	<h1>Spring Security Custom Login Form (XML)</h1>
	<div>
		<h2>Login with Username and Password</h2>

		<c:if test="${not empty error}">
			<div class="error">${error}</div>
		</c:if>
		<c:if test="${not empty msg}">
			<div class="msg">${msg}</div>
		</c:if>

		<c:url var="loginProcessUrl" value="/where_to_process_login" />
		<form name='loginForm' action="${loginProcessUrl}" method='POST'>
		  <table>
			<tr>
			   <td>User:</td>
                           <td><input type='text' name='username' value=''></td>
			</tr>
			<tr>
			   <td>Password:</td>
			   <td><input type='password' name='password' /></td>
			</tr>
			<tr>
			   <td colspan='2'><input name="submit" type="submit"
					value="submit" /></td>
			</tr>
		  </table>

		  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
		</form>
	</div>
    </body>
</html>



Step 3: Custom login -- Configure

        
        <!-- AUTHORIZATION -->
	<http pattern="/img/*" security="none" />

	<http auto-config="true" use-expressions="true">
		<intercept-url pattern="/img/*" access="permitAll" />
		<intercept-url pattern="/app/**/*" access="isAuthenticated()" />
		<intercept-url pattern="/**/*" access="permitAll" />

		<!-- form-login attributes (numbers match the flow diagram):
		     (1) login-page: how to get here: GET /<context>/my_login
		         username-parameter: default "username"
		         password-parameter: default "password"
		     (2) login-processing-url: where to process?
		     (3) authentication-failure-url: where to go if error?
		     (4) default-target-url: where to go if success?
		     (5) always-use-default-target: where to go if success?
		         (true) ? default-target-url : user-target-url -->
		<form-login
		    login-page="/my_login"
		    username-parameter="username"
		    password-parameter="password"
		    login-processing-url="/where_to_process_login"
		    authentication-failure-url="/my_login?error"
		    default-target-url="/welcome"
		    always-use-default-target="false"
		/>

		<!-- logout attributes:
		     (1) logout-url: where to process?
		     (2) logout-success-url: where to go if success? -->
		<logout
		    logout-url="/where_to_process_logout"
		    logout-success-url="/my_login?logout"
		/>
	 		
		<!-- enable csrf protection -->
		<csrf/>

	</http>

	<!-- AUTHENTICATION (LDAP) -->
	<authentication-manager>
	    <authentication-provider ref="ldapActiveDirectoryAuthProvider"></authentication-provider>
	</authentication-manager>

	<beans:bean id="ldapActiveDirectoryAuthProvider"
class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
	    <beans:constructor-arg value="abc.xyz.com"></beans:constructor-arg>
	    <beans:constructor-arg value="ldaps://ad.abc.xyz.com:636"></beans:constructor-arg>
	</beans:bean>
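
An added example, not part of the original post: a Spring MockMvc test for the parts of the flow above that do not need the directory server, namely the redirect at (1), the `<csrf/>` check on the login POST, and anonymous access to the login page itself. It assumes spring-security-test and JUnit 4 on the classpath; the class name and the two context file names are hypothetical and stand for wherever the Step 1 controller and Step 3 configuration live.

```java
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
// Hypothetical file names: the MVC config (Step 1 controller) and the Step 3 security XML.
@ContextConfiguration({"classpath:spring-mvc.xml", "classpath:spring-security.xml"})
public class CustomLoginFlowTest {
    @Autowired private WebApplicationContext context;
    private MockMvc mvc;

    @Before
    public void setUp() {
        // springSecurity() installs the same filter chain DelegatingFilterProxy would.
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test // (1): an anonymous request for a protected URL is redirected to login-page
    public void protectedUrlRedirectsToCustomLogin() throws Exception {
        mvc.perform(get("/app/list_resource"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/my_login"));
    }

    @Test // <csrf/>: a login POST without the hidden _csrf field never reaches authentication
    public void loginPostWithoutCsrfTokenIsForbidden() throws Exception {
        mvc.perform(post("/where_to_process_login")
                .param("username", "alice").param("password", "constructed-value"))
           .andExpect(status().isForbidden());
    }

    @Test // the login page must be reachable anonymously, or (1) becomes a redirect loop
    public void loginPageIsPublic() throws Exception {
        mvc.perform(get("/my_login")).andExpect(status().isOk());
    }
}
```

Steps (3) to (5) depend on the outcome of the LDAP bind, so testing them needs a reachable directory or a stubbed authentication provider.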





