All Articles

Login - Spring Security 2

https://docs.spring.io/spring-security/site/docs/4.1.x/reference/htmlsingle/

Form Login

<-- login.html --!>
<form
  class="needs-validation col-sm-6"
  action="#"
  th:action="@{/login}"
  method="post"
  novalidate
>
  <div class="form-group">
    <label for="username">이메일 또는 닉네임</label>
    <input
      id="username"
      type="text"
      name="username"
      class="form-control"
      placeholder="your@email.com"
      aria-describedby="emailHelp"
      required
    />
    <small id="emailHelp" class="form-text text-muted">
      패스워드가 기억나지 않는다면,
      <a href="#" th:href="@{/email-login}">패스워드 없이 로그인하기</a>
    </small>
    <small class="invalid-feedback">이메일을 입력하세요.</small>
  </div>
  <div class="form-group">
    <label for="password">패스워드</label>
    <input
      id="password"
      type="password"
      name="password"
      class="form-control"
      aria-describedby="passwordHelp"
      required
    />
    <small id="passwordHelp" class="form-text text-muted">
      패스워드가 기억나지 않는다면,
      <a href="#" th:href="@{/email-login}">패스워드 없이 로그인하기</a>
    </small>
    <small class="invalid-feedback">패스워드를 입력하세요.</small>
  </div>
  <div class="form-group form-check">
    <input
      type="checkbox"
      class="form-check-input"
      id="rememberMe"
      name="remember-me"
      checked
    />
    <label
      class="form-check-label"
      for="rememberMe"
      aria-describedby="rememberMeHelp"
      >로그인 유지</label
    >
  </div>
  <div class="form-group">
    <button
      class="btn btn-success btn-block"
      type="submit"
      aria-describedby="submitHelp"
    >
      로그인
    </button>
    <small id="submitHelp" class="form-text text-muted">
      처음 오셨다면 <a hre="#" th:href="@{/sign-up}">계정을 먼저 만드세요</a>
    </small>
  </div>
</form>
  • A POST to the /login URL will attempt to authenticate the user ← Extract the username/password combination from the HTTP Basic Auth header in a filter. You don’t have to do anything for that, it will happen under the hood.
  • Any other request needs the user to be authenticated first, i.e. the user needs to login.
  • You are allowing form login (username/password in a form), with a custom loginPage (/login, i.e. not Spring Security’s auto-generated one). Anyone should be able to access the login page, without having to log in first (permitAll; otherwise we would have a Catch-22!).
  • On top of that, you are also allowing Basic Auth, i.e. sending in an HTTP Basic Auth Header to authenticate.
  • The username must be present as the HTTP parameter named username
  • The password must be present as the HTTP parameter named password

POST to /login

public class AccountService implements UserDetailsService {

     // 1. Load the user from the users table by username. If not found, throw UsernameNotFoundException.
     // 2. Convert/wrap the user to a UserDetails object and return it.

    @Transactional(readOnly = true)
    @Override
    public UserDetails loadUserByUsername(String emailOrNickname) throws UsernameNotFoundException {
        Account account = accountRepository.findByEmail(emailOrNickname);
        if (account == null) {
            account = accountRepository.findByNickname(emailOrNickname);
        }

        if (account == null) {
            throw new UsernameNotFoundException(emailOrNickname);
        }
        return new UserAccount(account);
    }
}

Signup → store users to database table

Login → access to the user (loadUserByUsername(emailOrNickname))

Remember Login → access to user’s hashed password