Form Authentication Mechanism
Overview
HTTP Form Authentication involves using the
UsernamePasswordAuthenticationProcessingFilter to process a login
form. This is the most common way for an application to authenticate end
users. Form-based authentication is entirely compatible with the DAO, LDAP
and JAAS authentication providers.
This is also the mechanism used by the <form-login> element from the namespace,
and it is recommended that you use that element unless you have specific customization requirements.
Configuration
The login form simply contains j_username and
j_password input fields, and posts to a URL that is
monitored by the filter (by default
/j_spring_security_check). You should add an
UsernamePasswordAuthenticationProcessingFilter to your application context:
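The following bean definitions are an added example of the wiring this section describes, not the reference manual's own snippet. They assume the filter class lives in the same package as the handler classes, that an AuthenticationManager bean named authenticationManager is defined elsewhere, and that the bean ids and the /home, /login.jsp and /changePassword.jsp URLs are illustrative. The success and failure handler beans show the strategy interfaces discussed later in this section.

```xml
<!-- Added example: wiring the form-login filter and its success/failure
     strategies in a Spring bean definition file. Not the reference manual's
     own snippet. Bean ids and URLs are illustrative, and the package of the
     filter class is assumed to match that of the handler classes. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

  <!-- The filter that watches for POSTs to the login URL, reads the
       j_username and j_password parameters and hands them to the
       configured AuthenticationManager. -->
  <bean id="authenticationFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- /j_spring_security_check is already the default; it is set here
         only to make the monitored URL visible in the configuration. -->
    <property name="filterProcessesUrl" value="/j_spring_security_check"/>
    <property name="authenticationSuccessHandler" ref="successHandler"/>
    <property name="authenticationFailureHandler" ref="failureHandler"/>
  </bean>

  <!-- On success: redirect to the request that ExceptionTranslationFilter
       cached before the user was sent to the login page, falling back to
       defaultTargetUrl when no saved request exists. -->
  <bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/home"/>
  </bean>

  <!-- On failure: choose the redirect target from the exception type, with a
       generic fallback for everything else (bad password, unknown user).
       Caveat: a distinct page for a locked account confirms to a caller that
       the account exists, so keep the message shown on such pages generic
       unless that disclosure is acceptable for your application. -->
  <bean id="failureHandler"
        class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
      <map>
        <entry key="org.springframework.security.authentication.LockedException"
               value="/login.jsp?reason=locked"/>
        <entry key="org.springframework.security.authentication.CredentialsExpiredException"
               value="/changePassword.jsp"/>
      </map>
    </property>
    <property name="defaultFailureUrl" value="/login.jsp?error=1"/>
  </bean>

  <!-- 'authenticationManager' is assumed to be defined elsewhere, for
       example via <authentication-manager alias="authenticationManager">
       in the security namespace configuration. -->
</beans>
```

The filter bean still has to be placed in the filter chain: with the security namespace that is done with a <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/> element inside <http>, otherwise by listing the bean in your FilterChainProxy definition. Using SimpleUrlAuthenticationSuccessHandler or SimpleUrlAuthenticationFailureHandler instead is a matter of swapping the class attribute of the corresponding bean.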
The configured AuthenticationManager
processes each authentication request. The destination following a successful authentication
or an authentication failure is controlled by the AuthenticationSuccessHandler
and AuthenticationFailureHandler interfaces, respectively.
The filter has properties which allow you to set these handlers.
(In versions prior to 3.0, the application flow at this point had evolved to a stage
where it was controlled by a mix of properties on this class and strategy plugins. The
decision was made for 3.0 to refactor the code to make these two strategies entirely responsible.)
Some standard implementations are supplied for these such as
SimpleUrlAuthenticationSuccessHandler,
SavedRequestAwareAuthenticationSuccessHandler,
SimpleUrlAuthenticationFailureHandler and
ExceptionMappingAuthenticationFailureHandler. Have a look at the Javadoc
for these classes to see how they work.
If authentication is successful, the resulting
Authentication object will be placed into the
SecurityContextHolder.
The configured AuthenticationSuccessHandler will then be called to either redirect or forward
the user to the appropriate destination. By default a SavedRequestAwareAuthenticationSuccessHandler
is used, which means that the user will be redirected to the original destination they requested before they were asked to
log in.
The ExceptionTranslationFilter caches the original request a user makes.
When the user authenticates, the request handler makes use of this cached request to obtain the original
URL and redirect to it. The original request is then rebuilt and used as an alternative.
If authentication fails, the configured AuthenticationFailureHandler will be invoked.