The controller class handles all URLs with the prefix security, and its loginFail() method
handles the login failure scenario. In the method, we store the login failure message in the Model and then
redirect to the home page. Now reload the page and enter the wrong user information; the home page
will be displayed again with the login failure message, as shown in Figure 17-25.
Figure 17-25. Fail login handling
Using Annotations to Secure Controller Methods
Hiding the new contact link in the menu is not enough. For example, if you enter the URL in the browser
directly (http://localhost:8080/ch17/contacts?form), you can still see the add contact page, even
though you are not logged in yet. The reason is that we haven't protected the application at the URL
level. One way to protect the page is to configure the Spring Security filter chain (in the file
security-context.xml) to intercept the URL so that only authenticated users can reach it. However, doing this will block
all other users from seeing the contact list view.
An alternative for solving the problem is to apply security at the controller method level, using
Spring Security's annotation support.
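The following sketch is an added example, not a listing from the book. It shows the split described above: the contact list stays public while the form behind /contacts?form requires a logged-in user. The package, class, and view names are hypothetical, and the use of @PreAuthorize("isAuthenticated()") assumes that Spring Security's pre/post annotations are enabled in the context that defines the controller.

```java
package com.example.contacts; // hypothetical package name

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/contacts")
public class ContactController {

    // Minimal form-backing object so the example compiles on its own (hypothetical).
    public static class ContactForm {
        private String firstName;
        public String getFirstName() { return firstName; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
    }

    // No security annotation: anonymous visitors can still view the list.
    @RequestMapping(method = RequestMethod.GET)
    public String list(Model model) {
        return "contacts/list"; // hypothetical view name
    }

    // GET /contacts?form: typing the URL directly no longer bypasses the
    // hidden menu link. An anonymous caller is rejected with
    // AccessDeniedException before the method body runs.
    @PreAuthorize("isAuthenticated()")
    @RequestMapping(params = "form", method = RequestMethod.GET)
    public String createForm(Model model) {
        model.addAttribute("contact", new ContactForm());
        return "contacts/create"; // hypothetical view name
    }

    // Protect the submit handler as well; securing only the form page
    // would still let an unauthenticated client POST straight to it.
    @PreAuthorize("isAuthenticated()")
    @RequestMapping(params = "form", method = RequestMethod.POST)
    public String create(ContactForm contact) {
        // Persisting the contact is omitted; it is outside this example.
        return "redirect:/contacts";
    }
}
```

Without method security enabled in the same application context as the controller, these annotations are silently ignored, so verify the protection by requesting /contacts?form in a fresh, logged-out browser session.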
To enable method-level security, we need to modify the DispatcherServlet configuration
(servlet-context.xml), as shown in Listing 17-63.
Listing 17-63. Enable Method-Level Security
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"