java - How to process a form login using Spring Security / Spring MVC

Question

Simple question, I just need a pointer in the right direction:

I have a simple Spring MVC/Spring Security webapp. Initially I set up Spring Security so that the default login page shows and authenticates properly (I implemented the UserDetailsService with the DaoAuthenticationProvider to do this).

Next step: replace the default spring login page with my login page and post the credentials.

But what do I do with the submitted login credentials? I assume I post the form to a controller, verify the credentials, but I'm not clear what the right step is after that. E.g.:

• Am I calling a method of AuthenticationManager?
• Do I need to define a bean for this?
• Is there an interface/service I need to implement like an AuthenticationEntryPoint or something?

I've hit the docs 3 times over and don't quite follow them. I know this is dirt simple, so I just need to hear how the process should flow.

Answer 1

I'll add a clarifying answer for anyone reading this in the future:

When you define the tag in spring security it will handle the login for you, I'll go over how it works in detail (wish it were this detailed in the docs):

<security:http auto-config="true">
    <security:form-login login-page="/login"
         login-processing-url="/postlogin"
         default-target-url="/myaccount"
         authentication-failure-url="/login?loginError=true" />
    <security:logout logout-url="/logout" />
</security:http>

The login-page is the url of the login page. You should have a controller (or static HTML page) that serves this page, it's your pretty login form.

The login-processing-url is a URL which the form-login component handles. It's as if the form-login component implemented its own controller for this page. You should post your form to this page. You also need to know to name your username/password parameters "j_username" and "j_login"

Beyond this, and the rest of the reasonably obvious options above, you should have implemented a UserDetailsService - that is, create a class and implement the interface UserDetailsService which gets, and returns, a UserDetails object (username/password) for a given username - and provide that UserDetails object with the rest of the security configuration:

<security:authentication-manager>
        <security:authentication-provider ref="daoAuthenticationProvider" />
</security:authentication-manager>

<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider" >
    <property name="userDetailsService" ref="myAuthorizationService" />
</bean>