Spring Boot Login/Logout (Spring Security + MySql + Thymeleaf)
- 4.3/5
- 6238
- Jul 20, 2024
Updated for: Spring Boot 3
This article is going to discuss how to implement "login/logout" and "authentication/authorization" in a "Spring Boot 3" application.
To demonstrate the functionality, a new "Spring Boot" application is created with the help of spring initializr.
In order to save/get user details (name, email or username, roles) the application is using the "MySql" database. The application also uses thymeleaf as a server-side template engine.
The idea is to create a custom "registration" and "login" flow based on "thymeleaf (html)" forms.
Prerequisite
This application requires an existing database in MySql; this can be achieved with the help of the below-mentioned query:
CREATE SCHEMA `spring-security-form-login` ;
Dependencies
pom.xml
The "spring-boot-starter-security" combines Spring Security dependencies, and the "spring-boot-starter-web" enables "Tomcat" as a default embedded server.
Like wise, "spring-boot-starter-data-jpa" provides the "data-jpa" dependency to efficiently connect Spring applications with relational databases.
In total, the application requires the below-mentioned dependencies:
Configuration
src/main/java/com/cb/conf/SpringSecurity.java
The "SecurityFilterChain" defines a filter chain that is capable of being matched against an HttpServletRequest.
As mentioned in the configuration below, the urls matching with "/user/**" are accessible by users having either the "USER" or "ADMIN" role, whereas the urls matching with "/admin/**" are only accessible by users having the "ADMIN" role.
On the other hand, urls beginning with "/registration/**" and "/login/**" are accessible by both authenticated and non-authenticated users, or accessible by all.
Model
src/main/java/com/cb/model/User.java
The "User" and "Role" are plain old models representing a Spring Security user and associated role in the application and database.>
src/main/java/com/cb/model/Role.java
The "Role" class has a list of users, which means a user can have multiple roles, and a role can be associated with a number of users.
DTO
src/main/java/com/cb/dto/UserDto.java
The "UserDto" class is a helper class to be used in "Html form to Controller communication" when a new user is registered in the system.
Repository
src/main/java/com/cb/repository/UserRepository.java
The "UserRepository" and "RoleRepository" are using Spring Data JPA to significantly improve the implementation of data access layers by reducing the effort to the amount that's actually needed.
src/main/java/com/cb/repository/RoleRepository.java
The "findByName" method gets the "Role" object for the associated "role" name.
Service
src/main/java/com/cb/service/UserService.java
"UserService.java" and "UserServiceImpl.java" represent an intermediate service layer between data/repository and controller.
src/main/java/com/cb/service/UserServiceImpl.java
The "saveUser()" method converts "UserDto" to "User" and saves it in the database (MySql).
src/main/java/com/cb/service/CustomUserDetailsService.java
This "CustomUserDetailsService" is a custom implementation of "UserDetailsService" and is used by Spring to get user details from the database during a login flow.
Controller
src/main/java/com/cb/controller/LoginController.java
This "LoginController" hosts "request-mappings" for "Login" and "Registration" related UI (HTML + Thymeleaf).
src/main/java/com/cb/controller/UserController.java
This "UserController" hosts a single "request-mappings" for "user-details" related UI (HTML + Thymeleaf).
Constants
src/main/java/com/cb/util/TbConstants.java
The "TbConstants.java" maintains constants used throughout the application; this helps make the application code more maintainable.
Application
src/main/java/com/cb/Application.java
This is the simple "spring boot" "main" class; all the application execution starts from here.
The only interesting thing to note is the exclusion of "SecurityAutoConfiguration.class" and "Management- WebSecurityAutoConfiguration.class". This is required to disable security auto-configuration so that we can have our own settings, like a custom login form.
HTML
src/main/resources/templates/registration.html
The "registration.html" is a simple ".html" file with "thymeleaf" template capabilities. This page contains a server-side validation-enabled "registration" form.
src/main/resources/templates/login.html
By default spring security accepts login request at "/login" and credentials in the form of "username" and "password".
src/main/resources/templates/user.html
The "thymeleaf" template engine enables us to use "sec:authentication" tags to display security-related information in HTML.
src/main/resources/application.yml
This "application.yml" file contains "db credentials," "hibernate" settings, and "thread-pool" configurations.
Testing
1) Registration
Let's run the application and start testing the functionality by registering a new user at : http://localhost:8080/registration.
2) Login
Now that a new user has been successfully registered, we can use the credentials to login at: http://localhost:8080/login.
3) Details
The user is now "logged-in" to the system with "role_user" and hence URLs accessible by "role_user" can be viewed: http://localhost:8080/user/.
3) Logout
In order to log-out from the system, we can send a get call to "http://localhost:8080/logout" i.e. click on: http://localhost:8080/logout.
Source code: GitHub