Multiple Login Pages using Spring Boot Security – user, admin login pages

In real-time applications, we needed to have different login pages to be accessed within the same application. One for the regular consumer and the other for the administrative functions. In this post, we’ll see how to create two login pages, one for regular users and the other for admin url.

In designing special purpose applications, a login page is required to authenticate users to access the application. We need another url within the framework that is only accessed by administrators for admin support and maintenance purposes. The admin url is not accessible to common people and can only be accessed by internal use.

Typically, the website is accessed with the default url, such as http:/localhost/, and the admin url will be like http:/localhost / admin. In the article, we will see how to build these two login pages using the spring boot security. Spring boot security is used in this example along with basic jsp sites.



Step 1 – pom.xml file

The first step is to create a simple spring boot application in the Spring Tool Suite. When creating, add the spring boot modules “spring-boot-starter-security,” “spring-boot-starter-web” The spring boot security module is designed to add security settings. The spring boot web module creates a web application that runs on tomcat.

The following xml shows the actual pom.xml file. Please note that tomcat dependence is also added along with this.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.2.4.RELEASE</version>
		<relativePath /> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.yawintutor</groupId>
	<artifactId>Spring-Application</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>SpringBootSecurityMultipleLogin</name>
	<description>Spring Boot Project</description>

	<properties>
		<java.version>1.8</java.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-test</artifactId>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.apache.tomcat.embed</groupId>
			<artifactId>tomcat-embed-jasper</artifactId>
			<scope>provided</scope>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>


Step 2 – Add Admin Security Configuration file

Create an admin security configuration java file to extend the WebSecurityConfigurerAdapter class. If http:/localhost:8080/admin / url is called, this admin security configuration will validate the request. The url is configured as “/admin/**.” If an admin page is invoked, the login url “/admin / login” will be invoked for authentication. When you log in successfully, the admin page is redirected to “/admin/dashboard”.

The @order(1) annotation will inform the security of the spring boot to validate this java configuration class first.

src/main/java/com/yawintutor/SpringBootAdminSecurityConfiguration.java

package com.yawintutor;


import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(1)
public class SpringBootAdminSecurityConfiguration extends WebSecurityConfigurerAdapter {
	
	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication()
			.withUser("admin").password("{noop}password").roles("ADMIN");
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			.antMatcher("/admin/**")
			.authorizeRequests().anyRequest().authenticated()
			.and().formLogin().loginPage("/admin/login")
				.defaultSuccessUrl("/admin/dashboard", true)
			.permitAll()
			.and().logout().logoutUrl("/admin/logout").logoutSuccessUrl("/admin/login");
		http.csrf().disable();

	}
}	


Step 3 – Add User Security Configuration file

Create another Java security configuration file for the regular user of the application. The regular user will invoke the login page using the default “http:/localhost:8080/” url. The user login page “http:/localhost:8080/login” will be shown to the user if the user is not authenticated. After successful login, the user is redirected to the “http:/localhost:8080/dashboard” user dashboard page.

The admin user is not allowed to log in to the regular user login page, and vice versa.

The @Order(2) annotation tells the security of the spring boot to invoke this security configuration after the admin configuration.

src/main/java/com/yawintutor/SpringBootUserSecurityConfiguration.java

package com.yawintutor;


import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(2)
public class SpringBootUserSecurityConfiguration extends WebSecurityConfigurerAdapter {
	
	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication()
			.withUser("user").password("{noop}password").roles("USER");
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			.antMatcher("/**")
			.authorizeRequests().anyRequest().authenticated()
			.and().formLogin().loginPage("/login")
				.defaultSuccessUrl("/dashboard", true)
			.permitAll()
			.and().logout().logoutSuccessUrl("/login");
		
		http.csrf().disable();
	}
}


Step 4 – Add application.properties files for JSP configurations

Add jsp configurations to the application.properties file to invoke jsp files.

src/main/resources/application.properties

spring.mvc.view.prefix=/WEB-INF/jsp/
spring.mvc.view.suffix=.jsp


Step 5 – Add Controller class to invoke jsp files

To invoke jsp files, a controller class is created. The login page, dashboard page, and default page must be added for both user and admin access. Admin access will start with “/admin/.”

src/main/java/com/yawintutor/TestController.java

package com.yawintutor;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@Controller
@RequestMapping
public class TestController {

	@RequestMapping("/")
	public ModelAndView defaultHome() {
		return new ModelAndView("login");
	}

	@RequestMapping("/login")
	public ModelAndView login() {
		return new ModelAndView("login");
	}

	@RequestMapping("/dashboard")
	public ModelAndView userDashboard() {
		return new ModelAndView("dashboard");
	}

	@RequestMapping("/admin/")
	public ModelAndView admin() {
		return new ModelAndView("admin/login");
	}

	@RequestMapping("/admin/login")
	public ModelAndView adminlogin() {
		return new ModelAndView("admin/login");
	}

	@RequestMapping("/admin/dashboard")
	public ModelAndView admindashboard() {
		return new ModelAndView("admin/dashboard");
	}
}


Step 6 – Add Jsp Files

In order to render the page in the browser, the following jsp files need to be added. These simple jsp pages are designed to clearly understand the features. These pages are created using simple HTML codes.

src/main/webapp/WEB-INF/jsp/login.jsp

<center>
<h1>Welcome to Spring Boot Security</h1>

<form method="POST" action="/login">
	User Name : <input type="text" name="username" value="user"/><br><br>
	Password  : <input type="password" name="password" value="password"/><br><br>
	<input type="submit" name="submit"/>
</form>
</center>

src/main/webapp/WEB-INF/jsp/dashboard.jsp

<center>
<h1>Welcome to Spring Boot User DashBoard</h1>

<h2>You are in Spring Boot User DashBoard Page</h2>
<br><a href="/logout">logout</a>
</center>

src/main/webapp/WEB-INF/jsp/admin/login.jsp

<center>
<h1>Welcome to Admin Spring Boot Security</h1>

<form method="POST" action="/admin/login">
	User Name : <input type="text" name="username" value="admin"/><br><br>
	Password  : <input type="password" name="password" value="password"/><br><br>
	<input type="submit" name="submit"/>
</form>
</center>

src/main/webapp/WEB-INF/jsp/admin/dashboard.jsp

<center>
<h1>Welcome to Spring Boot Admin DashBoard</h1>

<h2>You are in Spring Boot Admin DashBoard Page</h2>
<br><a href="/admin/logout">logout</a>
</center>


Step 7 – Testing url

The images below images demonstrate how to test the application. The admin url will be accessed as “http://localhost:8080/admin/“. The regular user will use the url as “http://localhost:8080/



Related Articles

4 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *