I'll add a clarifying answer for anyone reading this in the future:
When you define the tag in Spring Security, it will handle the login for you. I'll go over how it works in detail (wish it were this detailed in the docs):
<security:http auto-config="true">
    <security:form-login login-page="/login"
        login-processing-url="/postlogin"
        default-target-url="/myaccount"
        authentication-failure-url="/login?loginError=true" />
    <security:logout logout-url="/logout" />
</security:http>
The login-page is the URL of the login page. You should have a controller (or static HTML page) that serves this page; it's your pretty login form.
The login-processing-url is a URL which the form-login component handles. It's as if the form-login component implemented its own controller for this page. You should post your form to this page. You also need to know to name your username/password parameters "j_username" and "j_login".
Beyond this, and the rest of the reasonably obvious options above, you should have implemented a UserDetailsService - that is, create a class and implement the interface UserDetailsService which gets, and returns, a UserDetails object (username/password) for a given username - and provide that UserDetails object with the rest of the security configuration:
<security:authentication-manager>
    <security:authentication-provider ref="daoAuthenticationProvider" />
</security:authentication-manager>
<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="myAuthorizationService" />
</bean>
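A sketch of the UserDetailsService class that the myAuthorizationService bean reference above could point to, added here as an example and not part of the original answer. The package, class name, in-memory accounts and placeholder credentials are all assumptions made for illustration.

```java
// Added example; package, class name and sample data are hypothetical.
// Bean definition assumed: <bean id="myAuthorizationService" class="example.MyAuthorizationService" />
package example;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyAuthorizationService implements UserDetailsService {

    /** Constructed account record standing in for a row in a user table. */
    private static final class Account {
        final String storedPassword; // stored in the form the provider's password encoder expects
        final boolean locked;

        Account(String storedPassword, boolean locked) {
            this.storedPassword = storedPassword;
            this.locked = locked;
        }
    }

    private final Map<String, Account> accounts = new ConcurrentHashMap<String, Account>();

    public MyAuthorizationService() {
        // Constructed sample accounts; the credential values are placeholders.
        accounts.put("alice", new Account("<stored-password-placeholder>", false));
        accounts.put("mallory", new Account("<stored-password-placeholder>", true));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // ConcurrentHashMap rejects null keys, so guard before the lookup.
        Account account = (username == null) ? null : accounts.get(username);
        if (account == null) {
            // Keep the message generic; the submitted name is untrusted input.
            throw new UsernameNotFoundException("Unknown user");
        }
        // No password check here: DaoAuthenticationProvider compares the submitted
        // password with the stored one after this method returns, and rejects
        // accounts flagged as locked.
        return new User(username, account.storedPassword,
                true,             // enabled
                true,             // accountNonExpired
                true,             // credentialsNonExpired
                !account.locked,  // accountNonLocked
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```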