
Form-based login configuration in Spring Boot

Introduction

Form-based login lets users enter their username and password on a webpage to access a secure area. It makes login easy and user-friendly.

You want users to log in through a custom webpage instead of a browser popup.
You need to control the look and feel of the login page to match your website.
You want to handle login errors and messages on the same page.
You want to add extra fields or steps during login.
You want to secure parts of your Spring Boot app behind a login form.
Syntax
Spring Boot
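// Lambda DSL; the no-argument formLogin() chain is deprecated since Spring Security 6.1
http
  .formLogin(form -> form
    .loginPage("/login")
    .defaultSuccessUrl("/home")
    .failureUrl("/login?error")
    .permitAll()
  );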

formLogin() enables form-based login in Spring Security.

loginPage() sets the URL of your custom login page.

Examples
Enables default form login with Spring Security's built-in login page.
Spring Boot
// Customizer is org.springframework.security.config.Customizer
http
  .formLogin(Customizer.withDefaults());
Uses a custom login page at /custom-login and allows everyone to access it.
Spring Boot
http
  .formLogin(form -> form
    .loginPage("/custom-login")
    .permitAll()
  );
Custom login page with redirect on success and failure URLs.
Spring Boot
http
  .formLogin(form -> form
    .loginPage("/login")
    .defaultSuccessUrl("/dashboard")
    .failureUrl("/login?error")
    .permitAll()
  );
Sample Program

This example shows how to configure Spring Security to use a custom login page at /login. The SecurityConfig class sets up the form login with success and failure URLs. The LoginController serves the login page. The login form posts credentials to /login for authentication.

Spring Boot
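// LoginController and SecurityConfig are public classes, so each goes in its own .java file.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;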
@Controller
public class LoginController {

    @GetMapping("/login")
    public String login() {
        return "login"; // returns login.html view
    }
}

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error")
                .permitAll()
            );
        return http.build();
    }
}

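// login.html (Thymeleaf template example)
// th:action makes Thymeleaf add the hidden CSRF token that Spring Security
// requires on this POST; a plain action="/login" form would be rejected with 403.
// <html xmlns:th="http://www.thymeleaf.org">
// <body>
// <form th:action="@{/login}" method="post">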
//   <label for="username">Username:</label>
//   <input type="text" id="username" name="username" />
//   <label for="password">Password:</label>
//   <input type="password" id="password" name="password" />
//   <button type="submit">Log In</button>
//   <div th:if="${param.error}">Invalid username or password.</div>
// </form>
// </body>
// </html>
Important Notes

Always allow everyone to access the login page using permitAll() so users can reach it.

Use defaultSuccessUrl with true as the second argument to always redirect to that URL after login, even when the user was sent to the login page from another protected URL.

Customize the login page HTML to improve user experience and accessibility.

Summary

Form-based login lets users sign in via a webpage you control.

Configure it in Spring Security with formLogin() and set your login page URL.

Handle success and failure redirects to guide users after login attempts.