Customizing Spring Security FormLogin Authentication
This tutorial demonstrates how to set up a Spring Security FormLogin authentication flow, including creating a demo project, customizing the login page, configuring security rules, defining users and roles, and testing the login process with custom success and failure handlers.
In the previous article we introduced the simple HttpBasic authentication mode; this article explains how to use Spring Security's FormLogin mode to create a fully customizable login page and authentication flow.
1. Create a demo project named spring-security-02 and add the spring-boot-starter-security dependency (the spring-boot-starter-web and spring-boot-starter-thymeleaf dependencies are also required for the controller and the login template):
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
The project structure is shown in the following diagram:
2. Create a custom login page. The form must match three things that Spring Security's UsernamePasswordAuthenticationFilter expects: action: the form must POST to the URL that processes the login request (the value later passed to loginProcessingUrl). username: the name of the username field (the value passed to usernameParameter). password: the name of the password field (the value passed to passwordParameter). Because CSRF protection is enabled by default, the form must also submit the _csrf token; a Thymeleaf form that uses th:action gets the hidden _csrf input added automatically, whereas a plain action attribute does not, and the POST is then rejected with 403 before the credentials are even checked.
The page layout is illustrated below:
3. Create a home page that will be displayed after a successful login:
4. Define two test endpoints (/hello1 and /hello2) to demonstrate resource protection:
5. Configure FormLogin. The configuration has two parts: the formLogin block (login URL, parameter names, success/failure handling) and the authorizeRequests block (access rules). The full configuration code is shown below:
In the formLogin section we set:
.loginPage("/login/page") – the custom login page (served by our own controller on GET).
.loginProcessingUrl("/login") – the URL the form POSTs to; UsernamePasswordAuthenticationFilter intercepts it, so no controller is written for it.
.usernameParameter("username") and .passwordParameter("password") – the request parameter names the filter reads the credentials from.
.defaultSuccessUrl("/") – where to redirect after a successful login when the user opened the login page directly; if the user was sent to the login page from a protected URL, Spring Security replays that saved request instead (pass true as a second argument to always redirect to "/").
.failureUrl("/login/page") – where to redirect after a failed login.
The authorizeRequests section defines the access rules; matchers are evaluated in order and the first match wins:
.antMatchers("/login/page","/login").permitAll() – allow unauthenticated access to the login page and the processing URL (if the login page itself is not permitted, every request loops back to it).
.antMatchers("/","/hello1").hasAnyAuthority("ROLE_user","ROLE_admin") – only users holding the user or admin role can access the home page and /hello1; hasAnyAuthority compares the granted authority strings exactly, including case and the ROLE_ prefix.
.antMatchers("/hello2").hasAnyRole("admin") – only the admin role can access /hello2; hasAnyRole prepends ROLE_ itself, so it is equivalent to hasAnyAuthority("ROLE_admin").
.anyRequest().authenticated() – every other request requires authentication.
6. Define users and roles using in-memory authentication. Two users are created: user (password 123456, role user) and admin (password 123456, roles user and admin). The role names must be spelled exactly as in the authorizeRequests matchers, because roles("user") is stored as the authority ROLE_user and the comparison is case-sensitive. The passwords are hashed with BCryptPasswordEncoder, and the same encoder is registered with the authentication builder so that DaoAuthenticationProvider verifies the submitted password against the stored hash:
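The configuration that steps 5 and 6 describe, written out as one complete class. This is an added example, not the article's own listing: it targets Spring Boot 2.x / Spring Security 5.x, the API family that authorizeRequests and antMatchers belong to (both were removed in Spring Security 6). The package and class names are assumptions; the URLs, parameter names, users, passwords and role names are the ones given in the article.

```java
package com.example.springsecurity02; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not the article's code): FormLogin configuration for
 * Spring Boot 2.x / Spring Security 5.x. Class and package names are assumptions.
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // One BCrypt encoder: used to hash the demo passwords at startup and by
    // DaoAuthenticationProvider to verify submitted passwords on login.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Step 6: in-memory users. roles("user") is stored as the authority "ROLE_user",
    // so the spelling here must match the hasAnyAuthority/hasAnyRole strings below
    // exactly; authority comparison is case-sensitive.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("user").password(encoder.encode("123456")).roles("user")
            .and()
            .withUser("admin").password(encoder.encode("123456")).roles("user", "admin");
    }

    // Step 5: login flow and access rules.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login/page")       // GET: our Thymeleaf login form
                .loginProcessingUrl("/login")   // POST: consumed by UsernamePasswordAuthenticationFilter
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/")         // used only when there is no saved request to replay
                .failureUrl("/login/page")
                .and()
            .authorizeRequests()
                // The login page must be reachable anonymously, otherwise every
                // unauthenticated request loops back to it.
                .antMatchers("/login/page", "/login").permitAll()
                .antMatchers("/", "/hello1").hasAnyAuthority("ROLE_user", "ROLE_admin")
                .antMatchers("/hello2").hasAnyRole("admin")   // hasAnyRole prepends "ROLE_"
                .anyRequest().authenticated();
        // CSRF protection is left at its default (enabled): the login form must POST the
        // _csrf token, which Thymeleaf's th:action renders as a hidden field.
    }
}
```

Two checks worth doing once this is in place: log in as admin and confirm that GET /hello2 works, then log in as user and confirm that /hello2 returns 403 while /hello1 still works; if both users get 403 on /hello1, the role spelling in roles(...) and in the matchers has drifted apart.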
7. Simple test. Accessing http://localhost:8081/hello2 while not logged in redirects to the login page, and the original URL is saved in the session. Logging in as admin succeeds and the saved request is replayed, so the browser lands on /hello2. Logging in as user also authenticates successfully, but the replayed request to /hello2 is denied with a 403 error because that user lacks ROLE_admin.
If the credentials are wrong, the configured .failureUrl("/login/page") sends the user back to the login page.
8. Custom login results. Instead of the default URL redirects, we can implement our own AuthenticationSuccessHandler and AuthenticationFailureHandler. The success handler can extend SavedRequestAwareAuthenticationSuccessHandler (the same class defaultSuccessUrl installs behind the scenes) so that users are still sent back to the resource they originally requested; the failure handler can extend SimpleUrlAuthenticationFailureHandler to control the failure response while keeping the redirect and the stored exception.
The custom handlers are then injected into the security configuration:
Note that successHandler(...) and defaultSuccessUrl(...) set the same handler (defaultSuccessUrl merely installs a SavedRequestAwareAuthenticationSuccessHandler for you), and likewise failureHandler(...) and failureUrl(...); whichever is called last wins. Leave defaultSuccessUrl and failureUrl out when registering custom handlers so they cannot silently replace them.
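The two handlers and their wiring, as an added example rather than the article's code. Assumptions: Spring Boot 2.x with javax.servlet, SLF4J logging, the class and package names, and the choice to send failures to /login/page?error so the template can show a message. The access rules are the ones from step 5; the in-memory users from step 6 are unchanged and omitted here.

```java
package com.example.springsecurity02; // assumed package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

// --- LoginSuccessHandler.java (one public class per file in a real project) ---
@Component
class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    private static final Logger log = LoggerFactory.getLogger(LoginSuccessHandler.class);

    LoginSuccessHandler() {
        setDefaultTargetUrl("/"); // same fallback as defaultSuccessUrl("/")
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        // Audit trail: who logged in, from where, with which authorities.
        log.info("login ok user={} ip={} authorities={}", authentication.getName(),
                 request.getRemoteAddr(), authentication.getAuthorities());
        // The parent replays the saved request (e.g. /hello2) or falls back to "/".
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

// --- LoginFailureHandler.java ---
@Component
class LoginFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    private static final Logger log = LoggerFactory.getLogger(LoginFailureHandler.class);

    LoginFailureHandler() {
        super("/login/page?error"); // assumed: query flag for the template to display a message
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                        AuthenticationException exception) throws IOException, ServletException {
        // Log the exception class and submitted username, never the password. By default
        // DaoAuthenticationProvider reports unknown users as BadCredentialsException, so the
        // user-facing result stays generic either way and does not reveal valid usernames.
        log.warn("login failed user={} ip={} reason={}", request.getParameter("username"),
                 request.getRemoteAddr(), exception.getClass().getSimpleName());
        // The parent stores the exception in the session and redirects to the failure URL.
        super.onAuthenticationFailure(request, response, exception);
    }
}

// --- SecurityConfig.java ---
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final LoginSuccessHandler successHandler;
    private final LoginFailureHandler failureHandler;

    // Constructor injection of the two @Component handlers.
    public SecurityConfig(LoginSuccessHandler successHandler, LoginFailureHandler failureHandler) {
        this.successHandler = successHandler;
        this.failureHandler = failureHandler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
                .loginPage("/login/page")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(successHandler)   // instead of defaultSuccessUrl("/")
                .failureHandler(failureHandler)   // instead of failureUrl("/login/page")
                .and()
            .authorizeRequests()
                .antMatchers("/login/page", "/login").permitAll()
                .antMatchers("/", "/hello1").hasAnyAuthority("ROLE_user", "ROLE_admin")
                .antMatchers("/hello2").hasAnyRole("admin")
                .anyRequest().authenticated();
        // configure(AuthenticationManagerBuilder) with the in-memory users from step 6 is unchanged.
    }
}
```

Keeping super.onAuthenticationSuccess and super.onAuthenticationFailure in place is what preserves the saved-request redirect and the SPRING_SECURITY_LAST_EXCEPTION session attribute; a handler that writes its own response instead (for example JSON) must take over both responsibilities itself.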
Summary . This article covered the complete setup of Spring Security's FormLogin mode, including project creation, custom login page, security rule configuration, user/role definition, and testing. It also introduced how to replace the default URL‑based success/failure handling with custom handlers; future articles will discuss JSON‑based responses for front‑end/back‑end separation.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn