Form Login with Spring Boot

This article concentrates on the default form login implementation that Spring Boot and Spring Security provide. Let’s dive in to understand Spring Security with form-based username and password login.

To start with, I have written a simple web application with an API that prints hello world.

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // @RestController already implies @ResponseBody on every handler method,
    // so the annotation below is redundant but harmless.
    @RequestMapping("/hello")
    @ResponseBody
    public String hello() {
        return "Hello World!";
    }
}

There is nothing special about this Controller. When we open http://localhost:8080/hello from the browser, we see a "Hello World!" message.

Adding Spring Security Starter

Let’s add the spring security module to this project by adding the following starter dependency.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Once you have added the above dependency, restart the application and try accessing http://localhost:8080/hello again in the browser. This time you will see a login form rendered by the Spring Boot application.

Default form implementation from Spring Boot security starter

This behaviour is due to the magic of auto-configuration. Let’s dive into details.

Security auto-configuration

The security starter applies the following auto-configuration.

  1. Creates a servlet Filter called springSecurityFilterChain which is responsible for most of the security stuff like login form redirection, username password validation, session creation and destruction etc. This springSecurityFilterChain will be registered to intercept all URLs of your application.
  2. Sets up BasicAuth and a form login for all the requests. This setup is equivalent to the following.

       protected void configure(HttpSecurity http) throws Exception {
           http.authorizeRequests()
               .anyRequest().authenticated()
               .and().formLogin()
               .and().httpBasic();
       }

     We will see these builder methods in upcoming posts.
  3. Creates a simple in-memory UserDetailsService that allows only a single user named user with a generated password. You can find this password in the startup logs. This is the password that I provided in the above example.
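The three auto-configured pieces above, written out as an explicit security configuration. This is an added example, not code from the original post; it assumes Spring Boot 2.x with Spring Security 5.x (the WebSecurityConfigurerAdapter style used in the snippet above), and replaces the generated password with one we set ourselves. Once a configuration like this is present, Spring Boot's default user and default filter chain back off.

```java
// Added example (not from the original post): the explicit equivalent of what
// spring-boot-starter-security auto-configures. Assumes Spring Boot 2.x /
// Spring Security 5.x. The in-memory user keeps the default name "user" but
// gets a password we choose instead of the one printed in the startup logs.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()      // every URL needs a logged-in user
            .and().formLogin()                     // default /login page and POST handler
            .and().httpBasic()                     // also accept an Authorization: Basic header
            .and().logout()
                .logoutUrl("/logout")              // the default; invalidates the server-side session
                .deleteCookies("JSESSIONID")       // and tells the browser to drop the cookie
                .logoutSuccessUrl("/login?logout"); // then send the user back to the login page
    }

    // Passwords are stored hashed, never as plain text, even for an in-memory user.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Same shape as the auto-configured user, but with a password we control.
    // "changeit" is a placeholder; a real deployment reads it from configuration.
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("user")
                    .password(passwordEncoder().encode("changeit"))
                    .roles("USER")
                    .build());
    }
}
```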

By default, Spring Security enables a logout endpoint at http://localhost:8080/logout. On opening this URL, you will see a logout button. By clicking this button you can log out of the session. Subsequently, the application will redirect you to the login screen.

spring boot security form login and logout

Login flow

Here is a simple illustration of how the form login works.

Interaction between user and server in Form Login

To understand the flow, you need to learn a little about cookies.

  1. Cookies are key-value pairs, optionally with an expiry time associated with them.
  2. Cookies are created when the server/website/web-application sends an HTTP response with a Set-Cookie header.
  3. By design, all browsers will send the cookies associated with a website when accessing any resource from that specific server/website/web-application.
  4. Websites cannot get hold of cookies set by other websites.

When a login request comes to the server, the Spring Security logic validates the credentials and, if successful, creates a session id, associates it with the logged-in user and keeps this mapping somewhere. The same session id is also sent back to the browser in the form of a Set-Cookie header with the name JSESSIONID.

Now whenever a request goes to the server, the cookie will also be sent along with the request. When the server notices the JSESSIONID, it can look at the session map and find the user associated with that session. If no mapping is found, the request will be redirected to the login page.

Logout flow

Here is the logout flow for the simple Spring Boot form implementation.

logout flow

In the next post, we will see how we can supply our custom login and logout pages.