In order to use a customized class replacing the `UsernamePasswordAuthenticationFilter`, do the following:

- create a new class `FormLoginConfigurer` with the following content (the original `org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer` is unfortunately final and cannot be extended); notice the call to `super(new CustomAuthenticationProcessingFilter(), null)`:

  ```java
  package demo;

  import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
  import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
  import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
  import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
  import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  import org.springframework.security.web.util.matcher.RequestMatcher;

  public class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends
          AbstractAuthenticationFilterConfigurer<H, FormLoginConfigurer<H>, UsernamePasswordAuthenticationFilter> {

      public FormLoginConfigurer() {
          // The custom filter is passed in here instead of the stock UsernamePasswordAuthenticationFilter.
          super(new CustomAuthenticationProcessingFilter(), null);
          usernameParameter("username");
          passwordParameter("password");
      }

      public FormLoginConfigurer<H> loginPage(String loginPage) {
          return super.loginPage(loginPage);
      }

      public FormLoginConfigurer<H> usernameParameter(String usernameParameter) {
          getAuthenticationFilter().setUsernameParameter(usernameParameter);
          return this;
      }

      public FormLoginConfigurer<H> passwordParameter(String passwordParameter) {
          getAuthenticationFilter().setPasswordParameter(passwordParameter);
          return this;
      }

      @Override
      public void init(H http) throws Exception {
          super.init(http);
          initDefaultLoginFilter(http);
      }

      // Only POST requests to the login processing URL are treated as login attempts.
      @Override
      protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) {
          return new AntPathRequestMatcher(loginProcessingUrl, "POST");
      }

      private String getUsernameParameter() {
          return getAuthenticationFilter().getUsernameParameter();
      }

      private String getPasswordParameter() {
          return getAuthenticationFilter().getPasswordParameter();
      }

      // Keeps the generated default login page in sync when no custom login page is set.
      private void initDefaultLoginFilter(H http) {
          DefaultLoginPageGeneratingFilter loginPageGeneratingFilter =
                  http.getSharedObject(DefaultLoginPageGeneratingFilter.class);
          if (loginPageGeneratingFilter != null && !isCustomLoginPage()) {
              loginPageGeneratingFilter.setFormLoginEnabled(true);
              loginPageGeneratingFilter.setUsernameParameter(getUsernameParameter());
              loginPageGeneratingFilter.setPasswordParameter(getPasswordParameter());
              loginPageGeneratingFilter.setLoginPageUrl(getLoginPage());
              loginPageGeneratingFilter.setFailureUrl(getFailureUrl());
              loginPageGeneratingFilter.setAuthenticationUrl(getLoginProcessingUrl());
          }
      }
  }
  ```
- remove the `formLogin()` call from your `configure(HttpSecurity)` method and use the following initialization instead:

  ```java
  FormLoginConfigurer formLogin = new FormLoginConfigurer();
  http.apply(formLogin);
  formLogin.loginPage("/auth/login")
          .permitAll();
  ```
- the authentication manager will be provided to your instance automatically
- you can customize the `SessionAuthenticationStrategy` used in your class by calls to `http.sessionManagement()`, or you can add logic to your new `FormLoginConfigurer` which updates whatever you need

Another option is to register your `CustomUsernamePasswordAuthenticationFilter` filter as an additional filter:

- in the `configure(HttpSecurity http)` method call `http.addFilter(authFilter());`
- make sure to configure all options of the filter manually
- beware that the system will also add another instance of the `UsernamePasswordAuthenticationFilter` after yours

In order to add a custom `AuthenticationProvider`:

- override the method `configure(AuthenticationManagerBuilder auth)` and add the provider:

  ```java
  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
      auth.authenticationProvider(customAuthenticationManagerBean());
  }
  ```
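
For the second option (`http.addFilter(authFilter())`), the following added example, which is not part of the original answer, shows what configuring the filter manually involves. It assumes `formLogin()` stays in the configuration (that call is what adds the second `UsernamePasswordAuthenticationFilter`); `SecurityConfig` and the empty stand-in for `CustomUsernamePasswordAuthenticationFilter` are hypothetical, and the failure URL is an assumption.

```java
package demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Stand-in (assumption) for your own filter class so the example compiles.
    static class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {}

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            // formLogin() still supplies the login page and entry point; it also adds
            // the stock UsernamePasswordAuthenticationFilter after the custom one.
            .formLogin().loginPage("/auth/login").permitAll().and()
            .addFilter(authFilter());
    }

    // A filter registered with addFilter() gets nothing injected: set every collaborator here.
    private CustomUsernamePasswordAuthenticationFilter authFilter() throws Exception {
        CustomUsernamePasswordAuthenticationFilter filter = new CustomUsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManagerBean());
        // Match the same URL and method as the form login, so this filter handles the POST first.
        filter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/auth/login", "POST"));
        filter.setUsernameParameter("username");
        filter.setPasswordParameter("password");
        // The filter's default is NullAuthenticatedSessionStrategy, which does nothing at login.
        filter.setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
        filter.setAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler());
        filter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/auth/login?error"));
        return filter;
    }
}
```

Settings made through `http.sessionManagement()` are not applied to a filter registered this way, which is why the session strategy is set on the filter itself.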