spring security changing spring_security_login form

Question

i am using spring security and i am wondering how to change the default login form

i have found out that i need to point to my new form location. i want to keep the existing functions of the existing default form that has all the login exception display. so i must know how to reproduce it first.

in my research i come across with it

http://www.codercorp.com/blog/spring/security-spring/spring-security-login-logout-form.html

thanks him for the code

<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>
<%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %>
<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %>
<%@ page import="org.springframework.security.AuthenticationException" %>

<html>
  <head>
    <title>Login</title>
  </head>

  <body>
    <h1>Login</h1>

    <c:if test="${not empty param.login_error}">
      <font color="red">
        Your login attempt was not successful, try again.<br/><br/>
        Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
      </font>
    </c:if>

    <form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
      <table>
        <tr><td>User:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
        <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
        <tr><td><input type="checkbox" name="_spring_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>

        <tr><td colspan='2'><input name="submit" type="submit"></td></tr>
        <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
      </table>
    </form>
  </body>
</html>

but the code seems not working well for spring security 3. some libraries where outdated and i replaced them one by one. i change them to this below

<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %>
<%@ page import="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" %>
<%@ page import="org.springframework.security.core.AuthenticationException" %>

but it is still refuse to report login errors. what else should i try ?

Answer 1

Did you remember to update your Spring Security application context xml configuration? Here is a sample of one I have:

<http auto-config="true">
  <intercept-url pattern="/login.htm" access="ROLE_ANONYMOUS,ROLE_USER" />
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login login-page="/login.htm" default-target-url="/home.htm" />
  <logout logout-url="/logout.htm" logout-success-url="/home.htm"/>
</http>

So the form-login tag allows you to set a custom login page. You need to also remember to grant access to your login page to the anonymous role or else no one will be able to get to the login page.

Answer 2

When you use a custom login page, Spring Security doesn't automatically specify that your login page was displayed as a result of login error. You should do it manually, usually by adding a parameter to authentication-failure-url, your code expects a parameter named login_error:

<form-login 
    login-page="/login.htm" 
    authentication-failure-url = "/login.htm?login_error=1" />