I have a homepage with a login dialog on it. With my current Spring Security config, whenever I access a protected resource (while not logged in yet), e.g. '/ticket/list', I am redirected to the homepage. I think that the interceptor redirects me to the login URL defined in the config file.
The questions are:
- Do I understand this right? (I'm a beginner with Spring Security.)
- I want to show the login dialog whenever a user who hasn't logged in yet accesses a protected resource. How can I do that? (I have a simple solution: make an AJAX request to check whether the user has logged in. But this doesn't seem like a good solution.)
Here is my current spring security config file:
    <?xml version="1.0" encoding="UTF-8" ?>
    <b:beans xmlns:b="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://www.springframework.org/schema/security"
             xmlns:oauth="http://www.springframework.org/schema/security/oauth"
             xsi:schemaLocation="http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-4.0.xsd
                 http://www.springframework.org/schema/security/oauth
                 http://www.springframework.org/schema/security/spring-security-oauth.xsd
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">

        <!-- Static resources bypass the security filter chain -->
        <http pattern="/resources/**" security="none"/>

        <!-- Form and Security Access Configuration -->
        <http use-expressions="true" disable-url-rewriting="true" auto-config="false">
            <!-- <form-login/> -->
            <form-login login-page="/" login-processing-url="/login/perform"/>
            <logout logout-success-url="/"/>
            <remember-me/>
            <intercept-url pattern="/" access="permitAll" />
            <intercept-url pattern="/login" access="permitAll" />
            <intercept-url pattern="/ticket/*" access="isAuthenticated()" />
        </http>

        <b:bean id="userDetailsService" class="vn.web.security.UserDetailsServiceImpl"/>
        <b:bean id="serviceBaseAuthenticationProvider" class="vn.web.security.ServiceBaseAuthenticationProvider"/>

        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="serviceBaseAuthenticationProvider"/>
        </authentication-manager>
    </b:beans>
Thanks.
What happens is, Spring Security takes the login details and passes them to your authentication-provider or user details service, which should attempt to retrieve the user details from your database, or whatever other solution you are using. This should return whatever information is required to allow the user access and begin a session, or tell Spring Security that the credentials were incorrect, or even if the user account has been banned.
In the event of a negative case, the key is in this line:
This tells Spring Security which URL mapping redirects to your login page. Currently you have this set to the root context, which is generally your home page. If you wanted to redirect to a web page containing only a login form, you would have to create the JSP for it, add a method in your controller for the mapping, and update your Spring Security config to match the method URL handler in your controller e.g.
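
An added example, not part of the answer above or of the asker's project: the question's configuration with the login page moved from the home page to a dedicated `/login` mapping. The `/login` controller method that renders the form and the `authentication-failure-url` value are assumptions; everything else is carried over from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://www.springframework.org/schema/security"
         xsi:schemaLocation="http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security-4.0.xsd
             http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">

    <http pattern="/resources/**" security="none"/>

    <http use-expressions="true" disable-url-rewriting="true" auto-config="false">
        <!-- Before (question's config): login-page="/" sends every
             unauthenticated request for a protected URL to the home page. -->
        <!-- After: such requests are redirected to /login, which must be
             served by a controller method rendering the login form
             (assumed mapping, not shown on the page). -->
        <form-login login-page="/login"
                    login-processing-url="/login/perform"
                    authentication-failure-url="/login?error"/>
        <logout logout-success-url="/"/>
        <remember-me/>

        <!-- The login page must stay reachable without authentication,
             otherwise the redirect to it loops. -->
        <intercept-url pattern="/" access="permitAll"/>
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/ticket/*" access="isAuthenticated()"/>
    </http>

    <b:bean id="userDetailsService"
            class="vn.web.security.UserDetailsServiceImpl"/>
    <b:bean id="serviceBaseAuthenticationProvider"
            class="vn.web.security.ServiceBaseAuthenticationProvider"/>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="serviceBaseAuthenticationProvider"/>
    </authentication-manager>
</b:beans>
```

With the Spring Security 4 XML namespace, CSRF protection is enabled by default, so the form that posts to `/login/perform` has to include the CSRF token or the login request is rejected.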