HTTP Form Authentication involves using the
AuthenticationProcessingFilter to process a login
form. This is the most common way for an application to authenticate end
users. Form-based authentication is entirely compatible with the DAO
and JAAS authentication providers.
The login form simply contains j_username and
j_password input fields, and posts to a URL that is
monitored by the filter (by default
/j_spring_security_check). You should add an
AuthenticationProcessingFilter to your application context:
<bean id="authenticationProcessingFilter"
      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/j_spring_security_check"/>
</bean>
The configured AuthenticationManager
processes each authentication request. If authentication fails, the
browser will be redirected to the
authenticationFailureUrl. The
AuthenticationException will be placed into the
HttpSession attribute indicated by
AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY,
enabling a reason to be provided to the user on the error page.
If authentication is successful, the resulting
Authentication object will be placed into the
SecurityContextHolder.
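A login page that matches the bean definition above, written here as an added example (it is not taken from the reference or from the Spring Security distribution): the form posts j_username and j_password to the configured filterProcessesUrl, and when the filter redirects back with login_error=1 the page reads the AuthenticationException stored under SPRING_SECURITY_LAST_EXCEPTION_KEY. It assumes the JSTL core taglib is on the classpath; the file name login.jsp is the one the authenticationFailureUrl above points at.

```jsp
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="org.springframework.security.AuthenticationException" %>
<%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<body>
<h2>Login</h2>

<%-- login_error=1 is what authenticationFailureUrl carries: the filter has
     stored the failure reason in the session, so read it and show it once. --%>
<c:if test="${not empty param.login_error}">
  <%
    AuthenticationException lastException = (AuthenticationException)
        session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
    String reason = (lastException != null) ? lastException.getMessage() : "unknown";
    // Clear it so a refresh of this page does not keep repeating a stale reason.
    session.removeAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
  %>
  <p style="color:red">
    Your login attempt was not successful: <c:out value="<%= reason %>"/>
  </p>
</c:if>

<%-- The field names and the action URL must match what the filter expects;
     c:url prefixes the context path so the form works under any deployment root. --%>
<form action="<c:url value='/j_spring_security_check'/>" method="post">
  <p>User: <input type="text" name="j_username"/></p>
  <p>Password: <input type="password" name="j_password"/></p>
  <p><input type="submit" value="Login"/></p>
</form>
</body>
</html>
```

With the DAO provider's default hideUserNotFoundExceptions=true, an unknown username is reported as the same BadCredentialsException as a wrong password, so the message shown here does not tell a visitor which accounts exist.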
Once the SecurityContextHolder has been
updated, the browser will need to be redirected to the target URL, which
is usually held in the HttpSession attribute stored under
AbstractProcessingFilter.SPRING_SECURITY_TARGET_URL_KEY.
This attribute is automatically set by the
ExceptionTranslationFilter when an
AuthenticationException occurs, so that after login
is completed the user can return to what they were originally trying to access.
If for some reason the HttpSession does not
indicate the target URL, the browser will be redirected to the URL given by the
defaultTargetUrl property.