Spring Boot Security Authentication - 302 Redirects - spring

I am trying to test my web api thats secured using the standard Spring Security API. I have implemented my own User authentication service by implementing UserDetailService. However whenever I login to my application the /login api keeps returning a 302 redirect. I verified that my login page is working correctly by manually testing both good credentials and bad credentials and it did properly authenticate correctly to the homepage depending on whether the credentials were good, however it still returned a 302 for /login. Im wondering why Spring/Thymeleaf is returning a 302 redirect when performing the /login request. This is preventing my ability to test any of my guarded endpoints when locked down with spring security.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
#Bean
public JwtTokenFilter jwtTokenFilter() {
return new JwtTokenFilter();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.cors()
.and()
.authorizeRequests().antMatchers("/profiles/**","/img/**","/resources","/v2/**","/users", "/login", "/error/**", "/keepalive", "/register").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/")
.permitAll()
.and()
.logout();
http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
#Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(asList("*"));
configuration.setAllowedMethods(asList("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
// setAllowCredentials(true) is important, otherwise:
// The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
configuration.setAllowCredentials(true);
// setAllowedHeaders is important! Without it, OPTIONS preflight request
// will fail with 403 Invalid CORS request
configuration.setAllowedHeaders(asList("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
Login.html Page
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
>
<head>
<title>Login</title>
<div th:replace="fragments/header :: header-css"/>
</head>
<body class="white-bg">
<div th:replace="fragments/header :: header"/>
<div class="middle-box text-center loginscreen">
<div>
<div>
<h1 class="logo-name"></h1>
</div>
<h3>Welcome to </h3>
<p>Login in. To see it in action.</p>
<form th:action="#{/login}" method="post">
<fieldset>
<div th:if="${param.error}">
<div class="alert alert-danger">
Invalid username and password.
</div>
</div>
<div th:if="${param.logout}">
<div class="alert alert-info">
You have been logged out.
</div>
</div>
<div class="form-group">
<input type="text" name="username" id="username" class="form-control"
placeholder="UserName" required="true" autofocus="true"/>
</div>
<div class="form-group">
<input type="password" name="password" id="password" class="form-control"
placeholder="Password" required="true"/>
</div>
<input type="submit" class="btn btn-lg btn-primary btn-block" value="Sign In"/>
<small>Forgot password?</small>
<p class="text-muted text-center"><small>Do not have an account?</small></p>
<a class="btn btn-sm btn-white btn-block" href="register.html">Create an account</a>
</fieldset>
</form>
<p class="m-t"> <small>DigiProof Company © 2017</small> </p>
</div>
</div>
BaseController.java for routing
#Controller
public class BaseController {
#Autowired
private UserService userService;
#GetMapping("/")
public String homeMain() {
return "home";
}
#GetMapping("/home")
public String home() {
return "home";
}
#GetMapping("/login")
public String login(Principal principal) {
if (principal!=null && ((Authentication)principal).isAuthenticated())
return "redirect:/home";
else
return "login";
}
#RequestMapping(value="/registration", method = RequestMethod.GET)
public ModelAndView registration(){
ModelAndView modelAndView = new ModelAndView();
User user = new User();
modelAndView.addObject("user", user);
modelAndView.setViewName("register");
return modelAndView;
}
#RequestMapping(value = "/registration", method = RequestMethod.POST)
public ModelAndView createNewUser(#Valid User user, BindingResult bindingResult) {
ModelAndView modelAndView = new ModelAndView();
User userByEmailExists = userService.findUserByEmail(user.getEmail());
if (userByEmailExists != null) {
bindingResult
.rejectValue("email", "error.user",
"There is already a user registered with the email provided");
}
if (bindingResult.hasErrors()) {
modelAndView.setViewName("register");
} else {
userService.save(user);
modelAndView.addObject("successMessage", "User has been registered successfully");
modelAndView.addObject("user", new User());
modelAndView.setViewName("register");
}
return modelAndView;
}
#GetMapping("/profile")
public String profile() {
return "profile";
}
#GetMapping("/activity")
public String activity() {
return "activity";
}
#GetMapping("/teams")
public String teams() {
return "teams";
}
#GetMapping("/404")
public String error404() {
return "/error/403";
}
#GetMapping("/403")
public String error403() {
return "/error/403";
}
#GetMapping("/500")
public String error500() {
return "/error/500";
}
#GetMapping("/error")
public String error() {
return "/error/500";
}
}

spring security formLogin default intercept the "/login" request, i find that your login page url is "/login" which is conflict with this filter. you can define your login page url like this:
.formLogin()
.loginPage("/page/login.html").permitAll()
and change then controller mapping from login --> /page/login

try to disable csrf
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
}

Related

How to redirect from login form to html file in #Controller passing by authenticate method in #RestController?

Here is login form
<html lang="en">
<head>
<meta charset="utf-8">
<title>Login Customer</title>
</head>
<body>
<div class="container">
<form class="form-signin" method="POST" action="/api/v1/auth/login">
<h2 class="form-signin-heading">Login</h2>
<p>
<label for="username">Username</label>
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required>
</p>
<p>
<label for="password">Password</label>
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required>
</p>
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
</body>
</html>
When user submit login form it sends data to authenticate method in #RestController.
#RestController
#RequestMapping("/api/v1/auth")
public class AuthenticationRestControllerV1 {
private final AuthenticationManager authenticationManager;
private final UserRepository userRepository;
private final JwtTokenProvider jwtTokenProvider;
public AuthenticationRestControllerV1(AuthenticationManager authenticationManager, UserRepository userRepository, JwtTokenProvider jwtTokenProvider) {
this.authenticationManager = authenticationManager;
this.userRepository = userRepository;
this.jwtTokenProvider = jwtTokenProvider;
}
#RequestMapping(value = "/login", method = RequestMethod.POST)
public #ResponseBody ResponseEntity<?> authenticate(#RequestParam(name="username") String username, #RequestParam(name = "password") String password, HttpServletResponse response){
try {
authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
User user = userRepository.findByEmail(username).orElseThrow(() -> new UsernameNotFoundException("User doesn`t exist"));
String token = jwtTokenProvider.createToken(username, user.getRole().name());
Cookie cookie = new Cookie("Authorization", token);
cookie.setPath("/");
cookie.setHttpOnly(true);
response.addCookie(cookie);
return new ResponseEntity<>(new JwtResponse(username, token),HttpStatus.OK);
}catch (AuthenticationException exception){
return new ResponseEntity<>("Invalid email/password combination", HttpStatus.FORBIDDEN);
}
}
...
}
In SecurityConfig class method configure has successForwardUrl("/auth/success") which must redirect me to success page, but it doesn't. I also tried defaultSuccessUrl("/auth/success") and successHandler(successHandler). It just doesn`t work at all so it keeps me on authenticate method
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private final JwtConfigurer jwtConfigurer;
private final JwtAuthenticationSuccessHandler successHandler;
public SecurityConfig(JwtConfigurer jwtConfigurer, JwtAuthenticationSuccessHandler successHandler) {
this.jwtConfigurer = jwtConfigurer;
this.successHandler = successHandler;
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/v1/auth/login").permitAll()
.antMatchers("/auth/login").permitAll()
.anyRequest().authenticated().and().apply(jwtConfigurer)
.and().formLogin().loginPage("/auth/login").permitAll().successForwardUrl("/auth/success");
}
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception{
return super.authenticationManagerBean();
}
#Bean
protected PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder(12);
}
}
Here is #Controller which I use for getting my login page and success page
#Controller
#RequestMapping("/auth")
public class AuthController {
#GetMapping("/login")
public String getLoginPage(){
return "login";
}
#GetMapping("/success")
public String getSuccessPage(){
return "success";
}
}

Spring authentication login failure doesn't forward to controller

I use spring security to handle login and login error. I have set the failure Url for login. However, when I give it a bad credential, the request seems not to be handled by the controller. I try to set break point on the controller method that handle the failuer authentication but it doesn't jump to that method at all. I don't have a login?error html. I only have a login.html Does anyone know why?
Here is my configure file.
#Override
public void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests()
.antMatchers("/profile").hasRole("USER")
.antMatchers("/resources/**","/", "/home", "/signUp").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/homeSignedIn")
.failureUrl("/login?error")
.permitAll()
.and()
.rememberMe().tokenValiditySeconds(3600).key("mykey")
.and()
.logout()
.logoutUrl("/signOut")
.logoutSuccessUrl("/")
.permitAll();
}
Here is My Controller.
#GetMapping("/login")
public String loginPage(Model model){
Login login = new Login();
model.addAttribute("login", login);
return "login";
}
#GetMapping("/homeSignedIn")
public String loggedInPage(){
return "homeSignedIn";
}
#GetMapping("/signOut")
public String signOutPage(){
return "signOut";
}
#RequestMapping("/login?error")
public String loginError(Model model){
model.addAttribute("loginError", true);
return "login";
}
}
Here is my login.html.
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Login Page</title>
</head>
<body>
<p th:if="${loginError}" > Wrong Username or password </p>
<form th:action="#{/login}" th:object="${login}" class="form-horizontal" method="post">
<p align="middle">username: <input type="text" th:field="*{username}"></p>
<p align="middle">password: <input type="password" th:field="*{password}"></p>
<p align="middle"><input type="submit" value="Login"></p>
</form>
</body>
</html>
Remove this
#RequestMapping("/login?error")
public String loginError(Model model){
model.addAttribute("loginError", true);
return "login";
}
Modify this
#GetMapping("/login")
public String loginPage(Model model, #RequestParam(value = "error", required = false) Boolean error){
if (error == null) {
Login login = new Login();
model.addAttribute("login", login);
} else {
model.addAttribute("loginError", true);
}
return "login";
}
And change configuration to following
.failureUrl("/login?error=true")

Spring Security login doesn't work on amazon server

my question is:
I configure with spring security a login page and it works great in localhost but when i deploy the .war in the amazon elastic web service (tomcat) no longer works.
When I insert the correct username and password spring always return me error and doesn't do the login, as if the data were wrong.
Doing research online I saw that it's probably a problem with https certificates.
Below the code:
Controller:
#RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(HttpSession session, #RequestParam(value = "error", required = false) boolean error) {
ModelAndView model = new ModelAndView();
if (error) {
model.addObject("error", "Wrong Data!");
model.setViewName("Login");
return model;
}
model.setViewName("Login");
return model;
}
login.jsp
<form:form action="login" method="post">
<div align="center"><label>${error}</label></div>
<div align="center"><label>User Name: </label><input type="text" name="username" /></div>
<div align="center"><label>Password: </label><input type="password" name="password" /></div>
<div align="center"><input type="submit" class="button" value="Login" /></div>
</form:form>
Security config
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery("SELECT username,password,1 FROM user_model where username=?")
.authoritiesByUsernameQuery("SELECT username,ruolo FROM user_model JOIN ruolo_model ON user_model.ruolo_id=ruolo_model.id where username=?");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/successLogin")
.failureUrl("/login?error=true")
.and()
.csrf().disable();
http.portMapper().http(80).mapsTo(443);
}
I add "http.portMapper().http(80).mapsTo(443)" for test but not work.
After login he always sends me to "/login?error=true".
Thanks to all!
Alessandro

Spring boot Security Redirecting from error page to login page In case of authentication failure [duplicate]

This question already has answers here:
Authentication failure redirect with request params not working
(3 answers)
Closed 5 years ago.
I have configured spring security for my web application, Implemented custom authentication handler to authenticate the user details.
Its working as expected when authentication is success ,when authentication fails its invoking custom authentication failure handler redirecting error page(in my case login page with error message) after that again it's redirecting to login page(without message)
Below is my configuration (Let me know what's wrong here)
#Configuration
#EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
private CustomAuthenticationProvider authProvider;
#Autowired
private AuthSuccessHandler authHandler;
#Autowired
private AuthFailureHandler authFailureHandler;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**","/rest/**")
.permitAll().anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(authHandler)
.failureHandler(authFailureHandler)
.usernameParameter("username").passwordParameter("password")
.permitAll()
.and().csrf().disable();
}
#Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authProvider);
}
}
Success Handler
#Component
public class AuthSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
#Override
protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
redirectStrategy.sendRedirect(request, response, "/home");
}
}
Failure Handler
#Component
public class AuthFailureHandler extends SimpleUrlAuthenticationFailureHandler{
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
#Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
throws IOException, ServletException {
System.out.println("AuthFailureHandler.onAuthenticationFailure()");
redirectStrategy.sendRedirect(request, response, "/login?msg=Bad Credentials");
}
}
Custom Authentication Provider
#Component
public class CustomAuthenticationProvider implements AuthenticationProvider
{
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
String username = (String)token.getPrincipal();
String password = (String) token.getCredentials(); // retrieve the password
System.out.println("username="+username+" password="+password);
flag = //autheticate logic
if(flag) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("ROLE_ONE"));
authorities.add(new SimpleGrantedAuthority("ROLE_TWO"));
return new UsernamePasswordAuthenticationToken(username, password, authorities);
}
else
throw new BadCredentialsException("401");
}
public boolean supports(Class<?> object) {
return object.equals(UsernamePasswordAuthenticationToken.class);
}
}
Controller :
Below is the controller configuration
#RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(#RequestParam(name="msg",required=false) String message)
{
System.out.println("HomeController.login()"+message);
return new ModelAndView("login","message",message);
}
login.jsp
<form id='loginForm' method='GET' action='./login'>
<div class="login">
<div id='errorMsg' class="hide alert alert-danger" role="alert"><strong><i class='fa fa-warning'></i>
<span id='errorTitle'></span></strong><span id='errorText'></span>
</div>
<div class="form-group">
<label for='txtUserName' class="UsernamePassword">Username:</label>
<input name="username" type="email" class="form-control" value="" id="txtUserName" maxlength="100" />
</div>
<div class="form-group">
<label for='txtPassword' class="UsernamePassword">Password:</label>
<input value='' name="password" class="form-control" type="password" id="txtPassword" maxlength="100" />
</div>
<div class="form-group">
<label>
<input checked type="checkbox" name="RememberMe" id="checkboxRememberMe"/> Remember My Information
</label>
</div>
<c:if test="${param.error != null}">
<div class="alert alert-danger">
<p>Invalid username and password.</p>
</div>
</c:if>
<c:if test="${param.logout != null}">
<div class="alert alert-success">
<p>You have been logged out successfully.</p>
</div>
</c:if>
<div>
<p>${message}</p>
</div>
<div>
<button id="btnLogin" class="btnBlue" style='width:100% !important' type='submit'>Login</button>
</div>
<div class="usernamePassword">
<a href="#" onclick='forgotPassword()'>I forgot my username/password</a>
</div>
</div>
</form>
It's really important that the "/login?msg=Bad Credentials" is added to an authorizeRequests() section otherwise the controller won't pick up the error parameter.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**","/rest/**,/login*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(authHandler)
.failureHandler(authFailureHandler)
.usernameParameter("username").passwordParameter("password")
.permitAll()
.and().csrf().disable();
}
Try this config :
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")

JavaConfiguration for Spring 4.0 + Security 3.2 + j_spring_security_check

Create a login page
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Test</title>
<script src="static/js/jquery-1.10.2.min.js"></script>
<script src="static/js/app-controller.js"></script>
</head>
<body>
<div>Login</div>
<form name="f" action="<c:url value="/j_spring_security_check"/>" method="POST">
<label for="password">Username</label> <input type="text" id="j_username" name="j_username"><br/>
<label for="password">Password</label> <input type="password" id="j_password" name="j_password"><br/>
<input type="submit" value="Validate"> <input name="reset" type="reset">
<input type="hidden" id="${_csrf.parameterName}" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<hr/>
<c:if test="${param.error != null}">
<div>
Failed to login.
<c:if test="${SPRING_SECURITY_LAST_EXCEPTION != null}">
Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</c:if>
</div>
</c:if>
<hr/>
<input type="button" value="Echo" id="echo" name="echo" onclick="AppController.echo();">
<div id="echoContainer"></div>
</body>
</html>
Declare a WebSecurityConfigurer HERE IS WHERE I WAS MISSING j_username AND j_password
#Configuration
#EnableWebSecurity
#ComponentScan(basePackages = {"com.sample.init.security"})
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
#Inject
private AuthenticationProvider authenticationProvider;
#Inject
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(
"/resources/**",
"/static/**",
"/j_spring_security_check",
"/AppController/echo.html").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.usernameParameter("j_username") /* BY DEFAULT IS username!!! */
.passwordParameter("j_password") /* BY DEFAULT IS password!!! */
.loginProcessingUrl("/j_spring_security_check")
.loginPage("/")
.defaultSuccessUrl("/page")
.permitAll()
.and()
.logout()
.permitAll();
}
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/static/**");
}
}
Declare a WebMvcConfigurer
#EnableWebMvc
#Configuration
#ComponentScan(basePackages = {
"com.app.controller",
"com.app.service",
"com.app.dao"
})
public class WebMvcConfigurer extends WebMvcConfigurerAdapter {
#Bean
public ViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setPrefix("/WEB-INF/view/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/page").setViewName("page");
}
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("static/**").addResourceLocations("static/");
}
}
Declare a Security Initializer
public class SecurityWebAppInitializer
extends AbstractSecurityWebApplicationInitializer { }
Declare an App Initialzer
public class Initializer extends AbstractAnnotationConfigDispatcherServletInitializer {
#Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{WebSecurityConfigurer.class};
}
#Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{WebMvcConfigurer.class, DataSourceConfigurer.class};
}
#Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
}
Implement your custom Authentication Provider
#Component
#ComponentScan(basePackages = {"com.app.service"})
public class CustomAuthenticationProvider implements AuthenticationProvider {
private static final Logger LOG = LoggerFactory.getLogger(CustomAuthenticationProvider.class);
#Inject
private AppService service;
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
//Thread.dumpStack();
String username = authentication.getName();
String password = authentication.getCredentials().toString();
String message = String.format("Username: '%s' Password: '%s'", username, password);
UserBean userBean = service.validate(username, password);
LOG.debug(message);
if (userBean != null) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("USER"));
return new UsernamePasswordAuthenticationToken(userBean, authentication, grantedAuths);
} else {
String error = String.format("Invalid credentials [%s]", message);
throw new BadCredentialsException(error);
}
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
I am skipping EchoController, AppService, AppDao and UserBean.
Thanks.
In 3.2 version post parameters have changed from j_username to username and j_password to password. The login url has also changed from /j_spring_security_check to /login.
See this link for the explanation of why this change was implemented: http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-httpsecurity. These are the changes:
GET /login renders the login page instead of /spring_security_login
POST /login authenticates the user instead of /j_spring_security_check
The username parameter defaults to username instead of j_username
The password parameter defaults to password instead of j_password
And this for an example of a login form: http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-form

Resources