Spring Security

Spring Security Login Form Using Database

In this tutorial we will discuss same previous example of custom login form for authentication but difference is that only we using database for username and password instead of reading from XML file.

Required Tools used for this Application:

  • Spring MVC 3.0.1
  • Spring Security 3.1.0
  • STS 2.8.1.RELEASE
  • Tomcat 7
  • Jdk 1.7
  • MySQL Database

To understand this application you have some prior knowledge about the Spring MVC web application.

Spring Security Login Form Using Database

Step 1: Please download the following more jars for Spring Security Lib from its official site.
To get started with the implementation, following jars need to be present in the class path of the project.

  • spring-security-acl-3.1.3.RELEASE.jar
  • spring-security-aspects-3.1.3.RELEASE.jar
  • spring-security-cas-3.1.3.RELEASE.jar
  • spring-security-config-3.1.3.RELEASE.jar
  • spring-security-core-3.1.3.RELEASE.jar
  • spring-security-crypto-3.1.3.RELEASE.jar
  • spring-security-ldap-3.1.3.RELEASE.jar
  • spring-security-openid-3.1.3.RELEASE.jar
  • spring-security-remoting-3.1.3.RELEASE.jar
  • spring-security-taglibs-3.1.3.RELEASE.jar
  • spring-security-web-3.1.3.RELEASE.jar

 

Step 2: Create the project “SpringSecurityLoginDatabase” with packages“com.dineshonjava.security.controller” and create the “LoginController.java” file in this package.

Step 3: Some more folders also create on the “WEB-INF” folder with name libs, views for jars and jsp files respectively. Two files “sdnext-servlet.xml” and “sdnext-security.xml” are created on the “WEB-INF” folder.

Namespace Configuration:

The namespace configuration of the spring provides lot of shortcuts that hides much of the complexity of the framework. To start with this configuration, define a security filter in web.xml as shown below:
Step 4: Configuring web.xml for Spring Security

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

 <servlet>
  <servlet-name>sdnext</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
 </servlet>

 <servlet-mapping>
  <servlet-name>sdnext</servlet-name>
  <url-pattern>/</url-pattern>
 </servlet-mapping>
 <listener>
  <listener-class>
                  org.springframework.web.context.ContextLoaderListener
        </listener-class>
 </listener>
 
 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
   /WEB-INF/sdnext-*.xml,
  </param-value>
 </context-param>
 
 <welcome-file-list>
  <welcome-file>index</welcome-file>
 </welcome-file-list>
 
 <!-- Spring Security -->
 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>
                  org.springframework.web.filter.DelegatingFilterProxy
                </filter-class>
 </filter>
 
 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
 
</web-app>

In the above configuration, DelegatingFilterProxy delegates the control to a filter implementation which is defined as a bean named springSecurityFilterChain. This bean is an infrastructure internal bean to handle namespace configurations. Once this configuration is done, all the incoming requests enter the spring framework for security checks.

Security Configuration:

The security configuration is done in XML file and can have any name such as sdnext-security.xml. This file needs to be loaded explicitly from web.xml. This is done by adding ContextLoadListener. The following lines needs to be added before security filter definition in web.xml.

Step 5: Spring Securing Configuration file (sdnext-security.xml)
 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:>
This configuration is done to enable form-login authentication model where the login page is login.jsp. Note that in the intercept tag, pattern for /index* is given and access rule is defined as ROLE_USER. That means /index* is redirect to /login to checked for security, which makes sense as login.jsp is the starting point from where the user is authenticated.

The tag <security:authentication-manager> processes the authentication information; <security:authentication-provider> defines the credential information and the roles given to each user (authentication information).

 Step 6: Spring Configuration File (sdnext-servlet.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:context="http://www.springframework.org/schema/context"
 xmlns:tx="http://www.springframework.org/schema/tx"
 xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
 
 <context:property-placeholder location="classpath:resources/database.properties" />
 <context:component-scan base-package="com.dineshonjava.security" />

 <tx:annotation-driven transaction-manager="hibernateTransactionManager"/>
 
 <bean id="jspViewResolver"
  class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass"
   value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/views/" />
  <property name="suffix" value=".jsp" />
 </bean>
 
 <bean id="dataSource"
  class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName" value="${database.driver}" />
  <property name="url" value="${database.url}" />
  <property name="username" value="${database.user}" />
  <property name="password" value="${database.password}" />
 </bean>

 <bean id="sessionFactory"
  class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
  <property name="dataSource" ref="dataSource" />
  <property name="hibernateProperties">
   <props>
    <prop key="hibernate.dialect">${hibernate.dialect}</prop>
    <prop key="hibernate.show_sql">${hibernate.show_sql}</prop>
    <prop key="hibernate.hbm2ddl.auto">${hibernate.hbm2ddl.auto}</prop>    
   </props>
  </property>
 </bean>
  
</beans>

Step 7: Creating LoginController class (LoginController.java)

package com.dineshonjava.security.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * @author Dinesh Rajput
 *
 */
@Controller
public class LoginController {
 
 @RequestMapping(value="/index", method = RequestMethod.GET)
 public String executeSecurity(ModelMap model, Principal principal ) {
 
  String name = principal.getName();
  model.addAttribute("author", name);
  model.addAttribute("message", "Welcome To Login Form Based Spring Security Example!!!");
  return "welcome";
 
 }
 
 @RequestMapping(value="/login", method = RequestMethod.GET)
 public String login(ModelMap model) {
 
  return "login";
 
 }
 
 @RequestMapping(value="/fail2login", method = RequestMethod.GET)
 public String loginerror(ModelMap model) {
 
  model.addAttribute("error", "true");
  return "login";
 
 }
 
 @RequestMapping(value="/logout", method = RequestMethod.GET)
 public String logout(ModelMap model) {
 
  return "login";
 
 }
}

Creating database.properties

database.driver=com.mysql.jdbc.Driver
database.url=jdbc:mysql://localhost:3306/DAVDB
database.user=root
database.password=root
hibernate.dialect=org.hibernate.dialect.MySQLDialect
hibernate.show_sql=true
hibernate.hbm2ddl.auto=update

JSP Views-

In custom login form, you have to follow Spring Security standard name :
1. j_spring_security_check – Login service
2. j_spring_security_logout – Logout service
3. j_username – Username
4. j_password – Password
Step 8: Creating welcome page (welcome.jsp)

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>WELCOME TO SECURE AREA</title>
</head>
<body>
 <h1>Message : ${message}</h1> 
 <h1>Author : ${author}</h1> 
 <a href='<c:url value="/j_spring_security_logout" />' > Logout</a>
</body>
</html>

login.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page For Security</title>
<style>
.errorblock {
 color: #ff0000;
 background-color: #ffEEEE;
 border: 3px solid #ff0000;
 padding: 8px;
 margin: 16px;
}
</style>
</head>
<body onload='document.f.j_username.focus();'>
 <h3>Login with Username and Password (Custom Login Page)</h3>
 
 <c:if test="${not empty error}">
  <div class="errorblock">
   Your login attempt was not successful, try again.<br /> Caused :
   ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
  </div>
 </c:if>
 
 <form name='f' action="<c:url value='j_spring_security_check' />"
  method='POST'>
 
  <table>
   <tr>
    <td>User:</td>
    <td><input type='text' name='j_username' value=''>
    </td>
   </tr>
   <tr>
    <td>Password:</td>
    <td><input type='password' name='j_password' />
    </td>
   </tr>
   <tr>
    <td colspan='2'><input name="submit" type="submit"
     value="submit" />
    </td>
   </tr>
   <tr>
    <td colspan='2'><input name="reset" type="reset" />
    </td>
   </tr>
  </table>
 
 </form>
</body>
</html>

Step 9: Create an database "DAVDB" and two tables "USERS" and other "USER_ROLES" for Spring Security for our application as follows.
USERS Table

CREATE TABLE `users` (
  `USER_ID` int(10) unsigned NOT NULL,
  `USERNAME` varchar(40) NOT NULL,
  `PASSWORD` varchar(40) NOT NULL,
  `ACTIVE` tinyint(1) NOT NULL,
  PRIMARY KEY  (`USER_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1

USER_ROLES table

Create Table

CREATE TABLE `user_roles` (
  `USER_ROLE_ID` int(10) unsigned NOT NULL,
  `USER_ID` int(10) unsigned NOT NULL,
  `AUTHORITY` varchar(45) NOT NULL,
  PRIMARY KEY  (`USER_ROLE_ID`),
  KEY `FK_user_roles` (`USER_ID`),
  CONSTRAINT `FK_user_roles` FOREIGN KEY (`USER_ID`) REFERENCES `users` (`USER_ID`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1

 

INSERT INTO `DAVDB`.`user_roles` 
 (`USER_ROLE_ID`, 
 `USER_ID`, 
 `AUTHORITY`
 )
 VALUES
 ('1', 
 '1', 
 'ROLE_USER'
 );

INSERT INTO `DAVDB`.`users` 
 (`USER_ID`, 
 `USERNAME`, 
 `PASSWORD`, 
 `ACTIVE`
 )
 VALUES
 ('1', 
 'dineshonjava', 
 'sweety', 
 '1'
 );

Step 10: Running the example

Export the example as war and deploy it Tomcat 7 server. While browsing the project you will get the following screen for login:

Access URL http://localhost:8080/sdnext/index“, Spring will redirect to your custom login form.
URL : http://localhost:8080/sdnext/login

If username/password is wrong, authentication failed, display custom error messages.

URL : http://localhost:8080/sdnext/fail2login

If username/password is correct, authentication success, display requested page.

URL : http://localhost:8080/sdnext/index

If username/password is correct, authentication success, display requested page.
on requested page click on Logout link.

URL : http://localhost:8080/sdnext/logout

 

Download Source Code + Libs
SpringSecurityLoginDatabase.zip

 

References-
https://www.dineshonjava.com/spring-security-form-based-login-example/
Spring Security
Spring Security documentation

 

                             <<previous<<             || index  ||         >>next>>

 

Previous
Next
Dinesh Rajput

Dinesh Rajput is the chief editor of a website Dineshonjava, a technical blog dedicated to the Spring and Java technologies. It has a series of articles related to Java technologies. Dinesh has been a Spring enthusiast since 2008 and is a Pivotal Certified Spring Professional, an author of a book Spring 5 Design Pattern, and a blogger. He has more than 10 years of experience with different aspects of Spring and Java design and development. His core expertise lies in the latest version of Spring Framework, Spring Boot, Spring Security, creating REST APIs, Microservice Architecture, Reactive Pattern, Spring AOP, Design Patterns, Struts, Hibernate, Web Services, Spring Batch, Cassandra, MongoDB, and Web Application Design and Architecture. He is currently working as a technology manager at a leading product and web development company. He worked as a developer and tech lead at the Bennett, Coleman & Co. Ltd and was the first developer in his previous company, Paytm. Dinesh is passionate about the latest Java technologies and loves to write technical blogs related to it. He is a very active member of the Java and Spring community on different forums. When it comes to the Spring Framework and Java, Dinesh tops the list!

Share
Published by
Dinesh Rajput

Recent Posts

Strategy Design Patterns using Lambda

Strategy Design Patterns We can easily create a strategy design pattern using lambda. To implement…

2 years ago

Decorator Pattern using Lambda

Decorator Pattern A decorator pattern allows a user to add new functionality to an existing…

2 years ago

Delegating pattern using lambda

Delegating pattern In software engineering, the delegation pattern is an object-oriented design pattern that allows…

2 years ago

Spring Vs Django- Know The Difference Between The Two

Technology has emerged a lot in the last decade, and now we have artificial intelligence;…

2 years ago

TOP 20 MongoDB INTERVIEW QUESTIONS 2022

Managing a database is becoming increasingly complex now due to the vast amount of data…

2 years ago

Scheduler @Scheduled Annotation Spring Boot

Overview In this article, we will explore Spring Scheduler how we could use it by…

3 years ago