Spring security opening a popup login

♀尐吖头ヾ submitted on 2019-12-05 00:17:49


Does anyone know how to open a popup login to authenticate (using Spring Security) when the user does something that needs authentication and he is not authenticated?

For example: Let's imagine the page has one "buy now" button that adds the product to the cart and performs the checkout (buy now page) if the user is already authenticated, or opens a popup for the user to perform the authentication.

If the authentication is successful then Spring redirects to the "buy now" page, or stays on that page with the popup opened (with an error message "wrong login").

I already searched Google for some kind of solution, but without luck.

Can someone point me in the right direction?



Just an idea, haven't had time to test it. It's client-side only.

  1. Put an event listener on the link/button click event
  2. Use JavaScript and call the form action or link via XMLHttpRequest
  3. Check the HTTP status code: xhr.status
  4. if (OK) replace the current URL with the target URL (via the HTML5 History API) and replace the entire document with xhr.responseText (What other options for replacing entire HTML document via W3C DOM)
  5. else if (Redirect) just follow the redirect
  6. else if (Unauthorized) open popup
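
The status check in steps 3 to 6 above, as an added example that is not part of the original answer. It assumes the server answers unauthenticated Ajax calls with 401 and that the login page lives at `/login`; `LOGIN_PATH`, `decideAction`, `buyNow`, `send` and `ui` are hypothetical names.

```javascript
const LOGIN_PATH = '/login'; // assumption: login page path of the application

// res = { status, finalUrl, body }, read from xhr.status, xhr.responseURL and
// xhr.responseText. requestedUrl is absolute; pageOrigin is location.origin.
function decideAction(res, requestedUrl, pageOrigin) {
  if (res.status === 401) return { action: 'open-login-popup' };          // step 6

  const requested = new URL(requestedUrl);
  const final = new URL(res.finalUrl || requestedUrl);

  // Never render or navigate to a response that ended up on another origin.
  if (final.origin !== pageOrigin) return { action: 'reject', reason: 'cross-origin' };

  // XMLHttpRequest follows 3xx responses itself, so script never sees the 302.
  // A redirect to the login page arrives as 200 with the login HTML; detect it
  // by the final URL instead of replacing the document with the login form.
  const redirected = final.href !== requested.href;
  if (redirected && final.pathname === LOGIN_PATH) return { action: 'open-login-popup' };

  if (res.status >= 200 && res.status < 300) {
    return redirected
      ? { action: 'navigate', url: final.href }                           // step 5
      : { action: 'render', url: final.href, html: res.body };            // step 4
  }
  return { action: 'error', status: res.status };
}

// Wires the decision to the page. send(url) resolves to the res object above;
// ui holds the page's own handlers. Both are injected so the flow is testable.
async function buyNow(send, ui, requestedUrl, pageOrigin) {
  const res = await send(requestedUrl);
  const d = decideAction(res, requestedUrl, pageOrigin);
  if (d.action === 'open-login-popup') ui.openLoginPopup(requestedUrl);
  else if (d.action === 'render') ui.replaceDocument(d.url, d.html);
  else if (d.action === 'navigate') ui.navigate(d.url);
  else ui.showError(d);
  return d.action;
}
```
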


Break down the task into components.

Create a light box that activates based on your criteria.

Make your form submittable via Ajax.

Your authentication controller needs to do the following:

if successful -> redirect to the checkout page; if unsuccessful -> return a fragment advising why it's incorrect.

If the login is returned as incorrect, you need to refresh your form element completely to ensure no CSRF attacks.

That's the way I've done mine; I can't give you code as it varies depending on how you have set up your project and view rendering.


You can maybe use HTTP basic authentication; it at least will always open a popup when you need to be authenticated. http://www.baeldung.com/spring-security-basic-authentication


You can use an Ajax call when the user hits the "Buy now" button to check whether the user is authenticated or not.

If the user is authenticated, submit or forward the product cart form to the next view (controller method).

If not authenticated, you can open a popup for login.

In the login form, use Ajax to validate the user; on success submit the cart form to the next view, else give an error message.

Store the cart information in the session so that you can use it in the next view.


The popup box implementation on some event has to be done by you (you can use any frontend framework for this). As far as authentication is concerned, "project-security.xml" will do it for you. You should only configure it as per your requirement.


Actually, Spring Security supports the redirect out of the box; take a look at SavedRequestAwareAuthenticationSuccessHandler. So the only thing you have to do is secure the URL of your purchase button (which makes a request like /purchase/productIdHere or /purchase?productId=someProductId), e.g. with something like <intercept-url pattern="/purchase/*" access="isAuthenticated()" /> (or access="hasRole('user')", whatever you do there). This will then redirect the user to the login page, and after a successful login he should be back at his original page. And in your controller you can handle the request like:


@RequestMapping(value = "/purchase...", method = ....)
// productId can be a String or a Long; use @RequestParam etc. instead if it is a query parameter
public ModelAndView purchase(@PathVariable("productId") Long productId) {
    // Look up the product the user asked to buy
    Product someProduct = someService.getByProductId(productId);
    ModelAndView mav = new ModelAndView("view.name");
    return mav;
}

You have to match other things per your needs; I'm just trying to point you in the right direction, as you asked.

Hope it helps.


You can use a CSS/HTML login form (just search the web for it) with Ajax authentication, or use the Spring HTTP Basic Auth popup. Every page should check if the user is authenticated or not (showing the popup).

Check these two articles showing how you can implement both solutions:

Adding Http Basic Auth to RESTful Services in Java and Spring

Spring security Ajax login


Spring Security works over Spring MVC - it uses redirects. So the idea is that when a user tries to reach "secured" content and he has not been authenticated, HTTP 302 is returned and he is redirected to the login page. If you are interested in a pop-up window, you break the MVC model; it can be implemented of course, but your life will be much harder ....