Form-based login configuration in Spring Boot

Introduction

Form-based login lets users enter their username and password on a webpage to access a secure area. It makes login easy and user-friendly.

You want users to log in through a custom webpage instead of a browser popup.
You need to control the look and feel of the login page to match your website.
You want to handle login errors and messages on the same page.
You want to add extra fields or steps during login.
You want to secure parts of your Spring Boot app behind a login form.
Syntax
Spring Boot
http
  .formLogin()
    .loginPage("/login")
    .defaultSuccessUrl("/home")
    .failureUrl("/login?error")
    .permitAll()

formLogin() enables form-based login in Spring Security; called on its own it also serves a generated default login page.

loginPage() sets the URL of your custom login page. Unless you override them, Spring Security then also uses that URL (with POST) as the login processing URL and loginPage + "?error" as the failure URL.

defaultSuccessUrl() is where the user lands after a successful login; failureUrl() is where a failed attempt is redirected; permitAll() grants anonymous access to the login page, the processing URL and the failure URL, which is required, otherwise the redirect to the login page would itself be redirected.

The chained style above (http.formLogin().loginPage(...)) is the pre-6.1 DSL: it is deprecated in Spring Security 6.1 and removed in 7.0, so new code should use the lambda form, http.formLogin(form -> form.loginPage("/login")...).
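The same configuration in the lambda DSL, as an added example that is not from the original page: it wraps the Syntax snippet above in a complete SecurityConfig and adds the user store without which nobody can actually log in. Assumed names: SecurityConfig, the /home and /logout URLs, the demo user alice with a constructed password, and BCrypt as the password encoder.

```java
// Added example (not the original page's code): the Syntax snippet in the
// lambda DSL that Spring Security 6 recommends, plus a user store.
// Assumed: class name, /home and /logout URLs, demo user "alice" (constructed).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Everything except static assets needs an authenticated session;
            // the login page itself is opened up by formLogin().permitAll() below.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/css/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")               // GET: your own Thymeleaf view
                .loginProcessingUrl("/login")      // POST: handled by Spring Security, no controller needed
                .usernameParameter("username")     // form field names (these are the defaults)
                .passwordParameter("password")
                .defaultSuccessUrl("/home", true)  // true = ignore the originally requested URL
                .failureUrl("/login?error")        // same as the default derived from loginPage
                .permitAll()                       // /login and /login?error reachable anonymously
            )
            .logout(logout -> logout
                .logoutUrl("/logout")              // POST only while CSRF protection is enabled
                .logoutSuccessUrl("/login?logout")
                .permitAll()                       // exact-URL permit for /login?logout
            );
        // CSRF protection is left at its default (enabled): the login form must carry the token.
        return http.build();
    }

    // Demo user store (constructed credentials); back this with your user database in a real app.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice")
                .password(encoder.encode("correct-horse"))
                .roles("USER")
                .build());
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

Note that permitAll() on formLogin() and logout() matches the login page, processing, failure and logout-success URLs exactly (query string included), whereas a requestMatchers("/login").permitAll() rule in authorizeHttpRequests() matches the path regardless of query string; either is fine for the URLs used here.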

Examples
Enables default form login with Spring Security's built-in login page.
Spring Boot
http
  .formLogin()
Uses a custom login page at /custom-login and allows everyone to access it.
Spring Boot
http
  .formLogin()
    .loginPage("/custom-login")
    .permitAll()
Custom login page with redirect on success and failure URLs.
Spring Boot
http
  .formLogin()
    .loginPage("/login")
    .defaultSuccessUrl("/dashboard")
    .failureUrl("/login?error")
    .permitAll()
Sample Program

This example shows how to configure Spring Security to use a custom login page at /login. The SecurityConfig class sets up the form login with success and failure URLs. The LoginController serves the login page. The login form posts credentials to /login for authentication.

Spring Boot
// LoginController.java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class LoginController {

    // GET /login renders the form. The POST to /login is handled by Spring Security's
    // UsernamePasswordAuthenticationFilter, so no controller method is needed for it.
    @GetMapping("/login")
    public String login() {
        return "login"; // renders templates/login.html
    }

    @GetMapping("/home")
    public String home() {
        return "home"; // landing page after a successful login (templates/home.html)
    }
}

// SecurityConfig.java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error")
                .permitAll()
            );
        // CSRF protection stays at its default (enabled), so the login form must send the token.
        return http.build();
    }
}

// templates/login.html (Thymeleaf template example)
// <html xmlns:th="http://www.thymeleaf.org">
// <body>
// <!-- th:action (not a plain action attribute) makes Thymeleaf add the hidden _csrf field;
//      with a plain action="/login" the POST is rejected with 403 because CSRF protection is on. -->
// <form th:action="@{/login}" method="post">
//   <label for="username">Username:</label>
//   <input type="text" id="username" name="username" />
//   <label for="password">Password:</label>
//   <input type="password" id="password" name="password" />
//   <button type="submit">Log In</button>
//   <!-- One generic message for every failure: do not reveal whether the username exists. -->
//   <div th:if="${param.error}">Invalid username or password.</div>
// </form>
// </body>
// </html>
Important Notes

Always allow anonymous access to the login page, either with permitAll() on formLogin() or with a permitAll() rule for its URL in authorizeHttpRequests(). If the login page itself requires authentication, every unauthenticated request is redirected to /login, which is redirected to /login again, and the browser stops with a redirect-loop error.

The second argument of defaultSuccessUrl(url, true) is alwaysUse: with true, users always land on that URL; with false (the default), Spring Security sends them back to the protected page they originally requested and uses the URL only when there is no saved request.

Customize the login page HTML to improve user experience and accessibility, but keep the failure message generic (the same text for an unknown user and a wrong password) and keep the CSRF token in the form, which Thymeleaf adds automatically when the form uses th:action.
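As an added check that is not part of the original page: a MockMvc test that exercises the Sample Program's SecurityConfig and LoginController above and verifies each of these notes. It assumes a @SpringBootApplication class on the classpath, spring-boot-starter-test and spring-security-test on the test classpath, the login.html template from the sample under src/main/resources/templates, and a demo user supplied through Spring Boot's spring.security.user.* properties (the credentials are constructed for the test).

```java
// Added test (not from the original page). Assumes the Sample Program's SecurityConfig
// and LoginController, a @SpringBootApplication class, templates/login.html, and
// spring-security-test. The user "alice" / "correct-horse" is constructed for the test.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest(properties = {
    "spring.security.user.name=alice",
    "spring.security.user.password=correct-horse" // Boot prefixes {noop} when no encoder bean exists
})
@AutoConfigureMockMvc
class FormLoginSecurityTest {

    @Autowired
    MockMvc mvc;

    @Test
    void protectedPageRedirectsAnonymousUserToLoginPage() throws Exception {
        // The entry point builds an absolute URL; MockMvc's host is localhost on port 80.
        mvc.perform(get("/home"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrl("http://localhost/login"));
    }

    @Test
    void loginPageIsReachableWithoutAuthentication() throws Exception {
        // This is the redirect-loop check: /login must not itself redirect to /login.
        mvc.perform(get("/login")).andExpect(status().isOk());
    }

    @Test
    void postWithoutCsrfTokenIsRejected() throws Exception {
        // Correct credentials but no _csrf field: CsrfFilter answers 403 before authentication runs.
        mvc.perform(post("/login").param("username", "alice").param("password", "correct-horse"))
           .andExpect(status().isForbidden());
    }

    @Test
    void wrongPasswordRedirectsToFailureUrl() throws Exception {
        // formLogin() builds a POST that already carries a valid CSRF token.
        mvc.perform(formLogin("/login").user("alice").password("wrong"))
           .andExpect(redirectedUrl("/login?error"))
           .andExpect(unauthenticated());
    }

    @Test
    void correctPasswordAlwaysRedirectsToHome() throws Exception {
        // defaultSuccessUrl("/home", true): landing page is /home even with no saved request.
        mvc.perform(formLogin("/login").user("alice").password("correct-horse"))
           .andExpect(redirectedUrl("/home"))
           .andExpect(authenticated().withUsername("alice"));
    }
}
```

If the application later defines its own UserDetailsService bean, Boot stops creating the user from spring.security.user.* and the last two tests need a user from that bean instead.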

Summary

Form-based login lets users sign in via a webpage you control.

Configure it in Spring Security with formLogin() and set your login page URL.

Handle success and failure redirects to guide users after login attempts.

Practice

1. What is the main purpose of formLogin() in Spring Security?
easy
A. To enable form-based login for user authentication
B. To disable all login methods
C. To configure database connections
D. To set up REST API endpoints

Solution

  1. Step 1: Understand formLogin() role

    The formLogin() method in Spring Security enables users to log in using a web form.
  2. Step 2: Compare with other options

    Other options like disabling login or configuring database are unrelated to formLogin().
  3. Final Answer:

    To enable form-based login for user authentication -> Option A
  4. Quick Check:

    formLogin() enables form login [OK]
Hint: Remember formLogin() means login via web form [OK]
Common Mistakes:
  • Confusing formLogin() with database setup
  • Thinking formLogin() disables login
  • Mixing formLogin() with API configuration
2. Which of the following is the correct way to customize the login page URL in Spring Security?
easy
A. http.formLogin().loginPath("/custom-login")
B. http.formLogin().loginPage("/custom-login")
C. http.formLogin().pageUrl("/custom-login")
D. http.formLogin().setLoginUrl("/custom-login")

Solution

  1. Step 1: Identify correct method for login page URL

    The method to set a custom login page URL is loginPage() used after formLogin().
  2. Step 2: Verify syntax correctness

    Only http.formLogin().loginPage("/custom-login") uses the correct method name and syntax: loginPage("/custom-login").
  3. Final Answer:

    http.formLogin().loginPage("/custom-login") -> Option B
  4. Quick Check:

    loginPage() sets custom login URL [OK]
Hint: Use loginPage() to set custom login URL [OK]
Common Mistakes:
  • Using incorrect method names like setLoginUrl()
  • Confusing loginPage() with other methods
  • Missing parentheses or quotes
3. Given the following Spring Security configuration snippet, what will be the behavior when a user accesses /login?
http
  .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
  .formLogin(form -> form.loginPage("/login").permitAll());
medium
A. Users are blocked from accessing /login without authentication
B. Users can access all pages without login
C. Users are redirected to the default login page instead of /login
D. Users see a custom login page at /login and can access it without authentication

Solution

  1. Step 1: Analyze authorizeHttpRequests configuration

    All requests require authentication because of anyRequest().authenticated().
  2. Step 2: Analyze formLogin configuration

    The login page is customized to /login and permitAll() allows everyone to access it without login.
  3. Final Answer:

    Users see a custom login page at /login and can access it without authentication -> Option D
  4. Quick Check:

    Custom login page with permitAll() means public access [OK]
Hint: permitAll() on loginPage() allows public access [OK]
Common Mistakes:
  • Assuming /login requires authentication
  • Thinking default login page is used
  • Ignoring permitAll() effect
4. Identify the error in this Spring Security configuration snippet:
http
  .formLogin()
  .loginPage("/my-login")
  .permitAll();
medium
A. permitAll() should be called on authorizeHttpRequests, not formLogin
B. loginPage() must be called before formLogin()
C. permitAll() is not a valid method in Spring Security
D. The code is correct and will work as expected

Solution

  1. Step 1: Check method chaining correctness

    formLogin() returns a FormLoginConfigurer, and both loginPage() and permitAll() are methods of that configurer, so the chain compiles and runs.
  2. Step 2: Understand what permitAll() does on formLogin()

    permitAll() on formLogin() grants every user access to the login page, the login processing URL and the failure URL, so /my-login is reachable without authentication. Calling permitAll() on a matching rule in authorizeHttpRequests() is an alternative way to get the same result, not a requirement. The only caveat is that the chained http.formLogin() style is deprecated in Spring Security 6.1 in favour of the lambda form http.formLogin(form -> form.loginPage("/my-login").permitAll()).
  3. Final Answer:

    The code is correct and will work as expected -> Option D
  4. Quick Check:

    formLogin().permitAll() is valid and makes the login page public [OK]
Hint: permitAll() exists both on formLogin() and on authorization rules [OK]
Common Mistakes:
  • Believing permitAll() is only available in authorizeHttpRequests (option A)
  • Thinking loginPage() must come before formLogin() (option B)
  • Assuming permitAll() is invalid (option C)
5. You want to create a Spring Security setup where: - The login page is at /user-login - The login page is accessible without authentication - All other pages require login Which configuration snippet correctly achieves this?
hard
A. http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) .formLogin(form -> form.loginPage("/user-login"));
B. http.formLogin().loginPage("/user-login").permitAll() .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
C. http.authorizeHttpRequests(auth -> auth.requestMatchers("/user-login").permitAll().anyRequest().authenticated()) .formLogin(form -> form.loginPage("/user-login"));
D. http.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) .formLogin(form -> form.loginPage("/user-login"));

Solution

  1. Step 1: Permit access to the login page

    Use requestMatchers("/user-login").permitAll() to allow unauthenticated access to the login page. (permitAll() on formLogin() would achieve the same, but none of the options uses it.)
  2. Step 2: Require authentication for all other requests

    Use anyRequest().authenticated() to protect all other endpoints.
  3. Step 3: Configure form login with custom login page

    formLogin(form -> form.loginPage("/user-login")) sets the custom login page; the POST to /user-login is processed by Spring Security's authentication filter before authorization, so it needs no extra rule.
  4. Final Answer:

    http.authorizeHttpRequests(auth -> auth.requestMatchers("/user-login").permitAll().anyRequest().authenticated()) .formLogin(form -> form.loginPage("/user-login")); -> Option C
  5. Quick Check:

    Properly permits login page and protects others [OK]
Hint: Explicitly permit login page URL in authorizeHttpRequests or call permitAll() on formLogin() [OK]
Common Mistakes:
  • Not permitting the login page URL at all (option A): the redirect to /user-login is itself redirected, producing a redirect loop
  • Invalid chaining after formLogin().permitAll() (option B): in the chained DSL permitAll() returns the FormLoginConfigurer, on which authorizeHttpRequests() does not exist
  • Permitting all requests (option D)