my question is:
I configure with spring security a login page and it works great in localhost but when i deploy the .war in the amazon elastic web service (tomcat) no longer works.
When I insert the correct username and password spring always return me error and doesn't do the login, as if the data were wrong.
Doing research online I saw that it's probably a problem with https certificates.
Below the code:
Controller:
#RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(HttpSession session, #RequestParam(value = "error", required = false) boolean error) {
ModelAndView model = new ModelAndView();
if (error) {
model.addObject("error", "Wrong Data!");
model.setViewName("Login");
return model;
}
model.setViewName("Login");
return model;
}
login.jsp
<form:form action="login" method="post">
<div align="center"><label>${error}</label></div>
<div align="center"><label>User Name: </label><input type="text" name="username" /></div>
<div align="center"><label>Password: </label><input type="password" name="password" /></div>
<div align="center"><input type="submit" class="button" value="Login" /></div>
</form:form>
Security config
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery("SELECT username,password,1 FROM user_model where username=?")
.authoritiesByUsernameQuery("SELECT username,ruolo FROM user_model JOIN ruolo_model ON user_model.ruolo_id=ruolo_model.id where username=?");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/successLogin")
.failureUrl("/login?error=true")
.and()
.csrf().disable();
http.portMapper().http(80).mapsTo(443);
}
I add "http.portMapper().http(80).mapsTo(443)" for test but not work.
After login he always sends me to "/login?error=true".
Thanks to all!
Alessandro
Related
I am trying to implement the form login in spring security and the configuration is following.
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("amit").password(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("password"))
.authorities("ROLE_USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.addFilter(getAuthenticationFilter())
.formLogin(formLoginConfigurer ->{
formLoginConfigurer
.loginPage("/api/authentication/login")
.defaultSuccessUrl("/api/loginSuccess")
.failureForwardUrl("/api/loginFailed")
.loginProcessingUrl("/api/login")
.permitAll();
});
}
private Filter getAuthenticationFilter() throws Exception{
return new AuthorizationFilter(authenticationManager());
}
}
The AuthFilter
public class AuthorizationFilter extends UsernamePasswordAuthenticationFilter{
public AuthorizationFilter(AuthenticationManager auth) {
super.setAuthenticationManager(auth);
}
#Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException {
String username= obtainPassword(request);
String password = obtainPassword(request);
System.out.println("username : "+username +" and password : "+password);
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
return this.getAuthenticationManager().authenticate(authRequest);
}
}
I am getting the form on http://localhost:8080/api/authentication/login but when I submit nothing happens. I mean when you click on submit button nothing happens and you stay on the same page. In fact the request was never sent to the server at /login path to process the request!
The Controller
#Controller
#RequestMapping("/api")
public class HomeController {
#ResponseBody
#GetMapping
public String statusCheck() {
return "service is up and running :)";
}
#GetMapping("/authentication/login")
public String returnLoginForm() {
return "login";
}
#GetMapping("/loginSuccess")
public String successLogin() {
return "You are successfully logged in";
}
#GetMapping("/loginFailed")
public String failedLogin() {
return "Incorrect username or password";
}
If you want to see my form so there you go:
<html>
<head></head>
<body>
<h1>Login</h1>
<form name='f' action="login" method='POST'>
<table>
<tr>
<td>User:</td>
<td><input type='text' name='username' value=''></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td><input name="submit" type="submit" value="submit" /></td>
</tr>
</table>
</form>
</body>
</html>
Any ideas?
I am writing a form based OAUTH authentication for Getting The Authorization Code.It was supposed to have a "authorization decision Page" after the Resource Server asks the Resource Owner to authenticate itself and as for authorization to share data.
Below are the server side configs
Authorization Server
#Configuration
#EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
#Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("javainuse").secret("{noop}secret").authorizedGrantTypes("authorization_code")
.scopes("read").authorities("CLIENT");
}
}
WebSecurity Configurer
#Configuration
#EnableWebSecurity
public class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Bean
#Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
#Autowired
private BCryptPasswordEncoder passwordEncoder;
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/").permitAll().antMatchers("/user/getEmployeesList")
.hasAnyRole("ADMIN").anyRequest().authenticated().and().formLogin()
.permitAll().and().logout().permitAll();
http.csrf().disable();
}
#Override
public void configure(AuthenticationManagerBuilder authenticationMgr) throws Exception {
authenticationMgr.inMemoryAuthentication().withUser("admin").password(passwordEncoder.encode("admin"))
.authorities("ROLE_ADMIN");
}
}
Below are the client side configs
Controller
#Controller
public class EmployeeController {
#RequestMapping(value = "/getEmployees", method = RequestMethod.GET)
public ModelAndView getEmployeeInfo() {
return new ModelAndView("getEmployees");
}
#RequestMapping(value = "/showEmployees", method = RequestMethod.GET)
public String getEmployeeInfo1() {
return "showEmployees";
}
}
getEmployees.jsp
<%#taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Add Employee</title>
</head>
<body>
<h3 style="color: red;">Add New Employee</h3>
<div id="addEmployee">
<form:form action="http://localhost:8081/oauth/authorize"
method="post" modelAttribute="emp">
<p>
<label>Enter Employee Id</label>
<input type="text" name="response_type" value="code" />
<input type="text" name="client_id" value="javainuse" />
<input type="text" name="redirect_uri" value="http://localhost:8090/showEmployees" />
<input type="text" name="scope" value="read" />
<input type="SUBMIT" value="Get Employee info" />
</form:form>
</div>
</body>
</html>
After providing login details on login prompt
i provided the details, after it should have provided me prompt at http://localhost:8081/oauth/authorize
it is giving me info on logs
INFO AuthorizationEndpoint : Handling OAuth2 error: error="invalid_request", error_description="At least one redirect_uri must be registered with the client."
any help is really appreciated, not sure where i'm doing wrong.
I'm using Spring Boot 2.0.2.RELEASE.
The redirect_uri value http://localhost:8090/showEmployees which is given in the input tag is also needs to be mapped in Authorization Server configuration above, so
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory().withClient("javainuse").secret("secret").authorizedGrantTypes("authorization_code")
.scopes("read").authorities("CLIENT").redirectUris("http://localhost:8090/showEmployees");
}
adding redirect URL in ClientDetailsServiceConfigurer will work.
I am trying to test my web api thats secured using the standard Spring Security API. I have implemented my own User authentication service by implementing UserDetailService. However whenever I login to my application the /login api keeps returning a 302 redirect. I verified that my login page is working correctly by manually testing both good credentials and bad credentials and it did properly authenticate correctly to the homepage depending on whether the credentials were good, however it still returned a 302 for /login. Im wondering why Spring/Thymeleaf is returning a 302 redirect when performing the /login request. This is preventing my ability to test any of my guarded endpoints when locked down with spring security.
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder();
}
#Bean
public JwtTokenFilter jwtTokenFilter() {
return new JwtTokenFilter();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.cors()
.and()
.authorizeRequests().antMatchers("/profiles/**","/img/**","/resources","/v2/**","/users", "/login", "/error/**", "/keepalive", "/register").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/")
.permitAll()
.and()
.logout();
http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
#Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(asList("*"));
configuration.setAllowedMethods(asList("HEAD",
"GET", "POST", "PUT", "DELETE", "PATCH"));
// setAllowCredentials(true) is important, otherwise:
// The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
configuration.setAllowCredentials(true);
// setAllowedHeaders is important! Without it, OPTIONS preflight request
// will fail with 403 Invalid CORS request
configuration.setAllowedHeaders(asList("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
Login.html Page
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
>
<head>
<title>Login</title>
<div th:replace="fragments/header :: header-css"/>
</head>
<body class="white-bg">
<div th:replace="fragments/header :: header"/>
<div class="middle-box text-center loginscreen">
<div>
<div>
<h1 class="logo-name"></h1>
</div>
<h3>Welcome to </h3>
<p>Login in. To see it in action.</p>
<form th:action="#{/login}" method="post">
<fieldset>
<div th:if="${param.error}">
<div class="alert alert-danger">
Invalid username and password.
</div>
</div>
<div th:if="${param.logout}">
<div class="alert alert-info">
You have been logged out.
</div>
</div>
<div class="form-group">
<input type="text" name="username" id="username" class="form-control"
placeholder="UserName" required="true" autofocus="true"/>
</div>
<div class="form-group">
<input type="password" name="password" id="password" class="form-control"
placeholder="Password" required="true"/>
</div>
<input type="submit" class="btn btn-lg btn-primary btn-block" value="Sign In"/>
<small>Forgot password?</small>
<p class="text-muted text-center"><small>Do not have an account?</small></p>
<a class="btn btn-sm btn-white btn-block" href="register.html">Create an account</a>
</fieldset>
</form>
<p class="m-t"> <small>DigiProof Company © 2017</small> </p>
</div>
</div>
BaseController.java for routing
#Controller
public class BaseController {
#Autowired
private UserService userService;
#GetMapping("/")
public String homeMain() {
return "home";
}
#GetMapping("/home")
public String home() {
return "home";
}
#GetMapping("/login")
public String login(Principal principal) {
if (principal!=null && ((Authentication)principal).isAuthenticated())
return "redirect:/home";
else
return "login";
}
#RequestMapping(value="/registration", method = RequestMethod.GET)
public ModelAndView registration(){
ModelAndView modelAndView = new ModelAndView();
User user = new User();
modelAndView.addObject("user", user);
modelAndView.setViewName("register");
return modelAndView;
}
#RequestMapping(value = "/registration", method = RequestMethod.POST)
public ModelAndView createNewUser(#Valid User user, BindingResult bindingResult) {
ModelAndView modelAndView = new ModelAndView();
User userByEmailExists = userService.findUserByEmail(user.getEmail());
if (userByEmailExists != null) {
bindingResult
.rejectValue("email", "error.user",
"There is already a user registered with the email provided");
}
if (bindingResult.hasErrors()) {
modelAndView.setViewName("register");
} else {
userService.save(user);
modelAndView.addObject("successMessage", "User has been registered successfully");
modelAndView.addObject("user", new User());
modelAndView.setViewName("register");
}
return modelAndView;
}
#GetMapping("/profile")
public String profile() {
return "profile";
}
#GetMapping("/activity")
public String activity() {
return "activity";
}
#GetMapping("/teams")
public String teams() {
return "teams";
}
#GetMapping("/404")
public String error404() {
return "/error/403";
}
#GetMapping("/403")
public String error403() {
return "/error/403";
}
#GetMapping("/500")
public String error500() {
return "/error/500";
}
#GetMapping("/error")
public String error() {
return "/error/500";
}
}
spring security formLogin default intercept the "/login" request, i find that your login page url is "/login" which is conflict with this filter. you can define your login page url like this:
.formLogin()
.loginPage("/page/login.html").permitAll()
and change then controller mapping from login --> /page/login
try to disable csrf
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
}
This question already has answers here:
Authentication failure redirect with request params not working
(3 answers)
Closed 5 years ago.
I have configured spring security for my web application, Implemented custom authentication handler to authenticate the user details.
Its working as expected when authentication is success ,when authentication fails its invoking custom authentication failure handler redirecting error page(in my case login page with error message) after that again it's redirecting to login page(without message)
Below is my configuration (Let me know what's wrong here)
#Configuration
#EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
private CustomAuthenticationProvider authProvider;
#Autowired
private AuthSuccessHandler authHandler;
#Autowired
private AuthFailureHandler authFailureHandler;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**","/rest/**")
.permitAll().anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(authHandler)
.failureHandler(authFailureHandler)
.usernameParameter("username").passwordParameter("password")
.permitAll()
.and().csrf().disable();
}
#Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authProvider);
}
}
Success Handler
#Component
public class AuthSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
#Override
protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
redirectStrategy.sendRedirect(request, response, "/home");
}
}
Failure Handler
#Component
public class AuthFailureHandler extends SimpleUrlAuthenticationFailureHandler{
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
#Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
throws IOException, ServletException {
System.out.println("AuthFailureHandler.onAuthenticationFailure()");
redirectStrategy.sendRedirect(request, response, "/login?msg=Bad Credentials");
}
}
Custom Authentication Provider
#Component
public class CustomAuthenticationProvider implements AuthenticationProvider
{
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
String username = (String)token.getPrincipal();
String password = (String) token.getCredentials(); // retrieve the password
System.out.println("username="+username+" password="+password);
flag = //autheticate logic
if(flag) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("ROLE_ONE"));
authorities.add(new SimpleGrantedAuthority("ROLE_TWO"));
return new UsernamePasswordAuthenticationToken(username, password, authorities);
}
else
throw new BadCredentialsException("401");
}
public boolean supports(Class<?> object) {
return object.equals(UsernamePasswordAuthenticationToken.class);
}
}
Controller :
Below is the controller configuration
#RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(#RequestParam(name="msg",required=false) String message)
{
System.out.println("HomeController.login()"+message);
return new ModelAndView("login","message",message);
}
login.jsp
<form id='loginForm' method='GET' action='./login'>
<div class="login">
<div id='errorMsg' class="hide alert alert-danger" role="alert"><strong><i class='fa fa-warning'></i>
<span id='errorTitle'></span></strong><span id='errorText'></span>
</div>
<div class="form-group">
<label for='txtUserName' class="UsernamePassword">Username:</label>
<input name="username" type="email" class="form-control" value="" id="txtUserName" maxlength="100" />
</div>
<div class="form-group">
<label for='txtPassword' class="UsernamePassword">Password:</label>
<input value='' name="password" class="form-control" type="password" id="txtPassword" maxlength="100" />
</div>
<div class="form-group">
<label>
<input checked type="checkbox" name="RememberMe" id="checkboxRememberMe"/> Remember My Information
</label>
</div>
<c:if test="${param.error != null}">
<div class="alert alert-danger">
<p>Invalid username and password.</p>
</div>
</c:if>
<c:if test="${param.logout != null}">
<div class="alert alert-success">
<p>You have been logged out successfully.</p>
</div>
</c:if>
<div>
<p>${message}</p>
</div>
<div>
<button id="btnLogin" class="btnBlue" style='width:100% !important' type='submit'>Login</button>
</div>
<div class="usernamePassword">
<a href="#" onclick='forgotPassword()'>I forgot my username/password</a>
</div>
</div>
</form>
It's really important that the "/login?msg=Bad Credentials" is added to an authorizeRequests() section otherwise the controller won't pick up the error parameter.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/resources/**","/rest/**,/login*").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(authHandler)
.failureHandler(authFailureHandler)
.usernameParameter("username").passwordParameter("password")
.permitAll()
.and().csrf().disable();
}
Try this config :
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
Create a login page
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Test</title>
<script src="static/js/jquery-1.10.2.min.js"></script>
<script src="static/js/app-controller.js"></script>
</head>
<body>
<div>Login</div>
<form name="f" action="<c:url value="/j_spring_security_check"/>" method="POST">
<label for="password">Username</label> <input type="text" id="j_username" name="j_username"><br/>
<label for="password">Password</label> <input type="password" id="j_password" name="j_password"><br/>
<input type="submit" value="Validate"> <input name="reset" type="reset">
<input type="hidden" id="${_csrf.parameterName}" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<hr/>
<c:if test="${param.error != null}">
<div>
Failed to login.
<c:if test="${SPRING_SECURITY_LAST_EXCEPTION != null}">
Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</c:if>
</div>
</c:if>
<hr/>
<input type="button" value="Echo" id="echo" name="echo" onclick="AppController.echo();">
<div id="echoContainer"></div>
</body>
</html>
Declare a WebSecurityConfigurer HERE IS WHERE I WAS MISSING j_username AND j_password
#Configuration
#EnableWebSecurity
#ComponentScan(basePackages = {"com.sample.init.security"})
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
#Inject
private AuthenticationProvider authenticationProvider;
#Inject
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(
"/resources/**",
"/static/**",
"/j_spring_security_check",
"/AppController/echo.html").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.usernameParameter("j_username") /* BY DEFAULT IS username!!! */
.passwordParameter("j_password") /* BY DEFAULT IS password!!! */
.loginProcessingUrl("/j_spring_security_check")
.loginPage("/")
.defaultSuccessUrl("/page")
.permitAll()
.and()
.logout()
.permitAll();
}
#Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers("/static/**");
}
}
Declare a WebMvcConfigurer
#EnableWebMvc
#Configuration
#ComponentScan(basePackages = {
"com.app.controller",
"com.app.service",
"com.app.dao"
})
public class WebMvcConfigurer extends WebMvcConfigurerAdapter {
#Bean
public ViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setPrefix("/WEB-INF/view/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/page").setViewName("page");
}
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("static/**").addResourceLocations("static/");
}
}
Declare a Security Initializer
public class SecurityWebAppInitializer
extends AbstractSecurityWebApplicationInitializer { }
Declare an App Initialzer
public class Initializer extends AbstractAnnotationConfigDispatcherServletInitializer {
#Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{WebSecurityConfigurer.class};
}
#Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{WebMvcConfigurer.class, DataSourceConfigurer.class};
}
#Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
}
Implement your custom Authentication Provider
#Component
#ComponentScan(basePackages = {"com.app.service"})
public class CustomAuthenticationProvider implements AuthenticationProvider {
private static final Logger LOG = LoggerFactory.getLogger(CustomAuthenticationProvider.class);
#Inject
private AppService service;
#Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
//Thread.dumpStack();
String username = authentication.getName();
String password = authentication.getCredentials().toString();
String message = String.format("Username: '%s' Password: '%s'", username, password);
UserBean userBean = service.validate(username, password);
LOG.debug(message);
if (userBean != null) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("USER"));
return new UsernamePasswordAuthenticationToken(userBean, authentication, grantedAuths);
} else {
String error = String.format("Invalid credentials [%s]", message);
throw new BadCredentialsException(error);
}
}
#Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
I am skipping EchoController, AppService, AppDao and UserBean.
Thanks.
In 3.2 version post parameters have changed from j_username to username and j_password to password. The login url has also changed from /j_spring_security_check to /login.
See this link for the explanation of why this change was implemented: http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-httpsecurity. These are the changes:
GET /login renders the login page instead of /spring_security_login
POST /login authenticates the user instead of /j_spring_security_check
The username parameter defaults to username instead of j_username
The password parameter defaults to password instead of j_password
And this for an example of a login form: http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-form