How to use Spring Security to custom login page?

Just want to pinpoint a few moments that were not clarified here.

  1. First of all, .loginPage("/login.html") won't do the trick (it didn't in my case anyway). What is in quotes here is an URL path that will be searched for in your controller. Here is the snippet from my security config file:

     .formLogin().loginPage("/login")
     .loginProcessingUrl("/authentication").permitAll();
    

Here I wrote "/login". So now in your controller define that the /login path should point to your login.html page.

    @GetMapping("/login")
    public String login() {
        return "login";
    }

Only then it should redirect to the required view page. I usually place view pages under the /webapp/WEB-INF/view folder.
P.S. I hope you configured your ViewResolver bean right, cos otherwise it won't work :)

  1. And one more thing. I see you wanna use some CSS for the page. To enable CSS and other static resources for your custom login page, you should add this line

.antMatchers("/resources/**").permitAll()

So, in the end it will be like that (very short and creepy version, but your custom login should work):

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/resources/**").permitAll()
            .anyRequest().authenticated()
            .and()

        .formLogin().loginPage("/login")
        .loginProcessingUrl("/authentication").permitAll();
}

FYI, place your resources under /webapp/resources/. Also, you should configure your resource handler in your spring configuration file.

Here is also a nice link to wrap your head around it:

https://docs.spring.io/spring-security/site/docs/current/guides/html5/form-javaconfig.html#grant-access-to-remaining-resources


See Spring Security Reference:

While the automatically generated log in page is convenient to get up and running quickly, most applications will want to provide their own log in page. To do so we can update our configuration as seen below:

protected void configure(HttpSecurity http) throws Exception {
  http
      .authorizeRequests()
          .anyRequest().authenticated()
          .and()
      .formLogin()
          .loginPage("/login") 1
          .permitAll();        2
}

1 The updated configuration specifies the location of the log in page.
2 We must grant all users (i.e. unauthenticated users) access to our log in page. The formLogin().permitAll() method allows granting access to all users for all URLs associated with form based log in.

Your modified code:

public void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .authorizeRequests()
            .antMatchers("/home*").hasRole("USER")
            .and()
        .formLogin()
            .loginPage("/login.html")
            .permitAll();
}