Note: this example has CSRF protection disabled (see `.csrf().disable()` in the configuration below).

  1. From the above diagram you can see that JSESSIONID and HttpStatus.OK are sent in the response once the credentials are authenticated
  2. JSESSIONID is used for subsequent requests
  3. In the code below we define the URLs for login and logout:
    .formLogin()
    .loginPage("/login").permitAll().usernameParameter("username").passwordParameter("password")
    .defaultSuccessUrl("/test", true)
    .and()
    .rememberMe()
    .and()
    .logout().logoutUrl("/logout").clearAuthentication(true).invalidateHttpSession(true).deleteCookies("JSESSIONID", "remember-me")
    .logoutSuccessUrl("/login")

  4. usernameParameter and passwordParameter are the names of the input form elements as given in the HTML
  5. defaultSuccessUrl sets the default page shown after authentication
  6. rememberMe lets the server remember the user beyond the current session. The default JSESSIONID timeout is 30 minutes of inactivity; the remember-me cookie stays active for 2 weeks and allows the user to access the page for 2 weeks
  7. logout is configured similarly to login, with the following:
    .logout().logoutUrl("/logout")
    .clearAuthentication(true)
    .invalidateHttpSession(true)
    .deleteCookies("JSESSIONID", "remember-me")
    .logoutSuccessUrl("/login")


JSESSIONID and remember-me cookies as seen in the response after the login button is clicked

JSESSIONID and remember-me cookies deleted in the response after the logout button is clicked

login.html

<body>
<div class="container">
    <form class="form-signin" method="post" action="/login">
        <table cellpadding="3" cellspacing="3" border="1px solid black" style="border-collapse: collapse">
            <tr>
                <td><label for="username" class="sr-only">Username</label></td>
                <td><input type="text" id="username" name="username" class="form-control" placeholder="Username" required=""
                           autofocus=""></td>
            </tr>
            <tr>
                <td><label for="password" class="sr-only">Password</label></td>
                <td><input type="password" id="password" name="password" class="form-control" placeholder="Password"
                           required=""></td>
            </tr>
            <tr>
                <td><label for="remember-me" class="sr-only">Remember Me?</label></td>
                <td><input type="checkbox" id="remember-me" name="remember-me" class="form-control"></td>
            </tr>
            <tr>
                <td colspan="2" align="center"><button class="btn btn-lg btn-primary btn-block" type="submit">Login</button></td>
            </tr>
        </table>
    </form>
</div>
</body>

test.html

You have been Logged In

<form class="form-signin" method="get" action="/logout">
    <button class="btn btn-lg btn-primary btn-block" type="submit">Logout</button>
</form>
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// The enclosing class is not shown on the page; the name SecurityConfig is assumed.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity httpSecurity) throws Exception {
		httpSecurity
				// CSRF protection disabled for this example (see the note at the top)
				.csrf().disable()
				.authorizeRequests()
				// "index" had no leading slash and would never match a request path; corrected to "/index"
				.antMatchers("/", "/index", "/css/*", "/js/*").permitAll()
				.antMatchers("/api/**").hasRole("ADMIN")
				.anyRequest()
				.authenticated()
				.and()
				// form login: the parameter names match the input names in login.html
				.formLogin()
				.loginPage("/login").permitAll().usernameParameter("username").passwordParameter("password")
				.defaultSuccessUrl("/test", true)
				.and()
				// remember-me cookie, valid for 2 weeks by default
				.rememberMe()
				.and()
				// logout clears the SecurityContext, invalidates the session and deletes both cookies
				.logout().logoutUrl("/logout").clearAuthentication(true).invalidateHttpSession(true).deleteCookies("JSESSIONID", "remember-me")
				.logoutSuccessUrl("/login");
	}
}
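As an added example (not the page's own code), the same configuration with CSRF protection left enabled, which is the setting to use outside a demo: the remember-me parameter is tied explicitly to the checkbox name in login.html and its lifetime is set to the 2 weeks the text describes. The class name, the remember-me key value and the explicit `.csrf().and()` call are assumptions; the URL patterns and cookie names are the page's own.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumed class name; the page does not show an enclosing class.
@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {

    // 2 weeks in seconds, the remember-me lifetime the text describes.
    private static final int TWO_WEEKS_SECONDS = 14 * 24 * 60 * 60;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays enabled (the default): login and logout POSTs must carry the _csrf token.
            .csrf()
            .and()
            .authorizeRequests()
                .antMatchers("/", "/index", "/css/*", "/js/*").permitAll()
                .antMatchers("/api/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/test", true)
            .and()
            .rememberMe()
                // Must match name="remember-me" on the checkbox in login.html.
                .rememberMeParameter("remember-me")
                // Key used to sign the remember-me token; placeholder value, load it from configuration.
                .key("REPLACE-WITH-LONG-RANDOM-SECRET")
                .tokenValiditySeconds(TWO_WEEKS_SECONDS)
            .and()
            .logout()
                // With CSRF enabled, Spring Security only accepts logout as a POST to this URL.
                .logoutUrl("/logout")
                .clearAuthentication(true)
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "remember-me")
                .logoutSuccessUrl("/login");
    }
}
```

With this configuration the logout form in test.html must use `method="post"` and include `<input type="hidden" name="_csrf" value="...">` with the token from the `_csrf` request attribute (Thymeleaf's `th:action` adds it automatically); a GET to /logout is no longer treated as a logout.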
