Reputation: 27445
In Spring Security 4.0 there is a so-called Default Login Page, which looks like the following:
Digging a bit into the source code, I found the filter org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter, which renders that login page. Actually, it has a private String generateLoginPageHtml(HttpServletRequest request, boolean loginError, boolean logoutSuccess) method, which contains the following code snippet:
    if (formLoginEnabled) {
        sb.append("<h3>Login with Username and Password</h3>");
        sb.append("<form name='f' action='").append(request.getContextPath()).append(authenticationUrl).append("' method='POST'>\n");
        sb.append(" <table>\n");
        sb.append(" <tr><td>User:</td><td><input type='text' name='");
        sb.append(usernameParameter).append("' value='").append("'></td></tr>\n");
        sb.append(" <tr><td>Password:</td><td><input type='password' name='").append(passwordParameter).append("'/></td></tr>\n");
        if (rememberMeParameter != null) {
            sb.append(" <tr><td><input type='checkbox' name='").append(rememberMeParameter).append("'/></td><td>Remember me on this computer.</td></tr>\n");
        }
        sb.append(" <tr><td colspan='2'><input name=\"submit\" type=\"submit\" value=\"Login\"/></td></tr>\n");
        renderHiddenInputs(sb, request);
        sb.append(" </table>\n");
        sb.append("</form>");
    }
The issue is that I want to remove that filter from the filter chain in order to customize my login page, located at the http://my-domain/login URL. Is it possible?
My security-config:
    <http auto-config="true">
        <intercept-url pattern="/admin**"
                       access="hasRole('ROLE_USER')" />
        <form-login login-page="/login"
                    default-target-url="/admin"
                    authentication-failure-url="/login?error=true"
                    username-parameter="user"
                    password-parameter="password"
                    login-processing-url="/login"/>
        <logout logout-success-url="/login?logout" logout-url="/logout" />
    </http>
Upvotes: 3
Views: 6669
Reputation: 83
Issue SEC-2919 covers this ticket; try upgrading to 4.0.1.
spring-issuemaster commented on Apr 28, 2015 Rick UPADHYAY (Migrated from SEC-2949) said:
I created a simple Spring MVC project and added a custom login page. The custom login works fine with 3.2.7, but the same custom login does not work when I upgrade to 4.0.0.Release.
spring-issuemaster commented on Apr 28, 2015 Rob Winch said:
Can you elaborate on what you mean by "does not work"?
Did you try upgrading to 4.0.1 to ensure this isn't a duplicate of SEC-2919? Did you ensure to use the migration guides?
spring-issuemaster commented on Apr 28, 2015 Rick UPADHYAY said:
Thanks for the quick response. Upgrading to 4.0.1 has solved my issues. SEC-2919 was my issue. Sorry, I should have searched for existing JIRA issues first.
Upvotes: 0
Reputation: 3091
I faced the same issue. I had to configure Spring Security with XML and not with an annotated file. My solution was to replace
    form-login login-page="/login"
by
    form-login login-page="/doLogin"
Upvotes: -1
Reputation: 61188
Why are you "digging into the source" rather than the documentation? It quite clearly covers this:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login");
    }
The default login page is only generated if you have no login page set.
If you examine the source code of AbstractAuthenticationFilterConfigurer you will see:
    protected T loginPage(String loginPage) {
        this.loginPage = loginPage;
        this.authenticationEntryPoint = new LoginUrlAuthenticationEntryPoint(loginPage);
        this.customLoginPage = true;
        return getSelf();
    }
If you then look at the source code of FormLoginConfigurer:
    private void initDefaultLoginFilter(H http) {
        DefaultLoginPageViewFilter loginPageGeneratingFilter = http.getSharedObject(DefaultLoginPageViewFilter.class);
        if (loginPageGeneratingFilter != null && !isCustomLoginPage()) {
            //stuff
        }
    }
So you see, calling loginPage sets customLoginPage = true. This disables the DefaultLoginPageGeneratingFilter.
Upvotes: 7
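To confirm that setting a login page really removed the generated one, the built filter chain can be inspected at startup or from an integration test. This is an added example, not part of the original answers or of Spring Security itself; the class and method names are hypothetical, and it assumes the bean named springSecurityFilterChain is a FilterChainProxy.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;

import org.springframework.context.ApplicationContext;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;

/** Hypothetical helper (not a Spring Security class). */
public final class LoginPageFilterCheck {

    private LoginPageFilterCheck() {
    }

    /** Returns the index of every filter chain that still contains the generated login page. */
    public static List<Integer> chainsWithGeneratedLoginPage(FilterChainProxy proxy) {
        List<Integer> offending = new ArrayList<Integer>();
        List<SecurityFilterChain> chains = proxy.getFilterChains();
        for (int i = 0; i < chains.size(); i++) {
            for (Filter filter : chains.get(i).getFilters()) {
                if (filter instanceof DefaultLoginPageGeneratingFilter) {
                    offending.add(i);
                    break; // one hit per chain is enough
                }
            }
        }
        return offending;
    }

    /** Fails fast if the default page is still wired in alongside the custom one. */
    public static void requireCustomLoginPage(ApplicationContext ctx) {
        // Assumption: this bean is a FilterChainProxy, which holds for the XML
        // namespace and for Java config when debug mode is not enabled.
        FilterChainProxy proxy =
                ctx.getBean("springSecurityFilterChain", FilterChainProxy.class);
        List<Integer> offending = chainsWithGeneratedLoginPage(proxy);
        if (!offending.isEmpty()) {
            throw new IllegalStateException(
                    "DefaultLoginPageGeneratingFilter still present in filter chain(s) " + offending);
        }
    }
}
```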
Reputation: 3653
You can use the following tags to configure it, viz.
    <sec:form-login login-page="/login.html" default-target-url="/home.html" always-use-default-target="true"/>
Logout can be configured in a similar way:
    <sec:logout logout-url="/logoutnow.html" logout-success-url="/logout.html"/>
Read the documentation for further information.
Upvotes: 1