Form based authentication
Form based authentication is a simple approach to protecting web pages.
By default, Spring Security detects the request content type and decides whether the request should be authenticated by a login form.
For example, there is a HomeController class.
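import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import reactor.core.publisher.Flux;

@Controller
@Slf4j
public class HomeController {

    private final PostRepository posts;

    HomeController(PostRepository posts) {
        this.posts = posts;
    }

    @GetMapping("/")
    public String home(final Model model) {
        // The reactive Flux is resolved by the view layer before rendering.
        Flux<Post> postsAll = this.posts.findAll();
        model.addAttribute("posts", postsAll);
        return "home";
    }
}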
And the content of the home template file.
<!-- /WEB-INF/templates/home.ftl -->
<!DOCTYPE html>
<html>
<head>
    <title>Simple Blog Posts</title>
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body>
<h1>All posts</h1>
<div>
    <table>
        <thead>
        <tr>
            <th>ID</th>
            <th>Title</th>
            <th>Content</th>
        </tr>
        </thead>
        <tbody>
        <#list posts as post>
            <tr>
                <td>${post.id}</td>
                <td>${post.title}</td>
                <td>${post.content}</td>
            </tr>
        <#else>
            nothing
        </#list>
        </tbody>
    </table>
</div>
</body>
</html>
Add a simple configuration to protect the home page.
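import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
class SecurityConfig {

    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
        return http.authorizeExchange()
                .anyExchange().authenticated()
                .and()
                // A custom SecurityWebFilterChain replaces the default one,
                // so form login has to be enabled explicitly.
                .formLogin()
                .and()
                .build();
    }

    //...
}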
By default, when you access the home URL http://localhost:8080/, the HomeController will try to handle the request and render the home.ftl template into an HTML page, and Spring Security will invoke form based authentication to protect it.
By default, Spring Security provides a simple login form page. Alternatively, you can customize the login form attributes or specify a new login page in the Spring Security configuration.
.and().formLogin()...
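One way to specify a new login page, written here as an added example and not taken from the sample project. The class names CustomLoginSecurityConfig and LoginController, the /login path and the login.ftl template are assumptions, and users are expected to come from a user details service such as the one elided in the configuration above.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
@EnableWebFluxSecurity
class CustomLoginSecurityConfig {

    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        return http.authorizeExchange()
                // The login page itself must be reachable anonymously,
                // otherwise the redirect to it loops forever.
                .pathMatchers("/login").permitAll()
                // Everything else, including "/", requires an authenticated user.
                .anyExchange().authenticated()
                .and()
                .formLogin()
                // Unauthenticated requests are redirected to GET /login,
                // credentials are submitted with POST /login,
                // and a failed login redirects to /login?error.
                .loginPage("/login")
                .and()
                .build();
    }
}

// Once loginPage(...) is set, Spring Security no longer generates its default
// form, so the application has to render one itself.
@Controller
class LoginController {

    @GetMapping("/login")
    String login() {
        // Assumed template /WEB-INF/templates/login.ftl: a POST form to /login
        // with "username" and "password" fields plus the CSRF token.
        return "login";
    }
}
```

CSRF protection stays enabled in this configuration, so a login form that omits the token is rejected before the credentials are checked.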
Source code: spring-reactive-sample/security-form.