Note:The example is for CSRF disabled
- From the above diagram you can see JSESSIONID and HttpStatus.OK is send is response once the credentials are authenticated
- JSESSIONID would be used for Subsequent request
- In the below code we define URL for login and logout.
.formLogin() .loginPage("/login").permitAll().usernameParameter("username").passwordParameter("password") .defaultSuccessUrl("/test", true) .and() .rememberMe() .and() .logout().logoutUrl("/logout").clearAuthentication(true).invalidateHttpSession(true).deleteCookies("JSESSIONID", "remember-me") .logoutSuccessUrl("/login") - usernameParameter and passwordParameter is the name of the input form element as given in html
- defaultSuccessUrl tells the default page after authentication
- rememberMe allows the User to remember the session in server. The default JSESSIONID time is 30 minutes of inactivity. remember-me session would be active for 2 weeks and allows user to access page for 2 weeks
- logout is similar to login with following
.logout().logoutUrl("/logout") .clearAuthentication(true) .invalidateHttpSession(true) .deleteCookies("JSESSIONID", "remember-me") .logoutSuccessUrl("/login")
JSESSIONID and remember-me as seen in cookie in response after login button clicked
JSESSIONID and remember-me cookie deleted in response after logout button clicked
login.html
<body>
<div class="container">
<form class="form-signin" method="post" action="/login">
<table cellpadding="3" cellspacing="3" border="1px solid black" style="border-collapse: collapse">
<tr>
<td><label for="username" class="sr-only">Username</label></td>
<td><input type="text" id="username" name="username" class="form-control" placeholder="Username" required=""
autofocus=""></td>
</tr>
<tr>
<td><label for="password" class="sr-only">Password</label></td>
<td><input type="password" id="password" name="password" class="form-control" placeholder="Password"
required=""></td>
</tr>
<tr>
<td><label for="remember-me" class="sr-only">Remember Me?</label></td>
<td><input type="checkbox" id="remember-me" name="remember-me" class="form-control"></td>
</tr>
<tr>
<td colspan="2" align="center"><button class="btn btn-lg btn-primary btn-block" type="submit">Login</button></td>
</tr>
</table>
</form>
</div>
</body>
test.html
You have been Logged In
<form class="form-signin" method="get" action="/logout">
<button class="btn btn-lg btn-primary btn-block" type="submit">Logout</button>
</form>
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception{
httpSecurity
.csrf().disable()
.authorizeRequests()
.antMatchers("/", "index", "/css/*", "/js/*").permitAll()
.antMatchers("/api/**").hasRole("ADMIN")
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login").permitAll().usernameParameter("username").passwordParameter("password")
.defaultSuccessUrl("/test", true)
.and()
.rememberMe()
.and()
.logout().logoutUrl("/logout").clearAuthentication(true).invalidateHttpSession(true).deleteCookies("JSESSIONID", "remember-me")
.logoutSuccessUrl("/login");
}