From 165cbb0d1912391cb261871a03cbe4dd9f8d147e Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Fri, 30 Apr 2010 18:14:50 +0100 Subject: [PATCH] SEC-1445: Added support for custom username and password parameters in form-login. --- .../http/FormLoginBeanDefinitionParser.java | 15 +++++++++++++++ .../security/config/spring-security-3.1.rnc | 6 ++++++ .../security/config/spring-security-3.1.xsd | 10 ++++++++++ 3 files changed, 31 insertions(+) diff --git a/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java index 380e5c772a..e202253c48 100644 --- a/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java @@ -29,6 +29,8 @@ public class FormLoginBeanDefinitionParser { private static final String ATT_FORM_LOGIN_TARGET_URL = "default-target-url"; private static final String ATT_ALWAYS_USE_DEFAULT_TARGET_URL = "always-use-default-target"; private static final String DEF_FORM_LOGIN_TARGET_URL = "/"; + private static final String ATT_USERNAME_PARAMETER = "username-parameter"; + private static final String ATT_PASSWORD_PARAMETER = "password-parameter"; private static final String ATT_FORM_LOGIN_AUTHENTICATION_FAILURE_URL = "authentication-failure-url"; private static final String DEF_FORM_LOGIN_AUTHENTICATION_FAILURE_URL = @@ -63,6 +65,9 @@ public class FormLoginBeanDefinitionParser { String alwaysUseDefault = null; String successHandlerRef = null; String failureHandlerRef = null; + // Only available with form-login + String usernameParameter = null; + String passwordParameter = null; Object source = null; 
@@ -83,10 +88,20 @@ public class FormLoginBeanDefinitionParser { loginPage = null; } WebConfigUtils.validateHttpRedirect(loginPage, pc, source); + usernameParameter = elt.getAttribute(ATT_USERNAME_PARAMETER); + passwordParameter = elt.getAttribute(ATT_PASSWORD_PARAMETER); } filterBean = createFilterBean(loginUrl, defaultTargetUrl, alwaysUseDefault, loginPage, authenticationFailureUrl, successHandlerRef, failureHandlerRef); + + if (StringUtils.hasText(usernameParameter)) { + filterBean.getPropertyValues().addPropertyValue("usernameParameter", usernameParameter); + } + if (StringUtils.hasText(passwordParameter)) { + filterBean.getPropertyValues().addPropertyValue("passwordParameter", passwordParameter); + } + filterBean.setSource(source); BeanDefinitionBuilder entryPointBuilder = diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc index c2cfbca62a..98769e6ac1 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc 
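Review bot: Nothing after the `createFilterBean(...)` call checks that `username-parameter` and `password-parameter` differ, so a configuration giving both the same name is accepted and the filter would presumably read the username and the password from one request parameter, which only surfaces as failed logins at runtime. A parse-time check would fail fast: `if (StringUtils.hasText(usernameParameter) && usernameParameter.equals(passwordParameter)) { pc.getReaderContext().error("username-parameter and password-parameter must be different", source); }`. The two `elt.getAttribute(...)` calls also run without checking which element is being parsed, although the comment in the earlier hunk says the attributes are form-login only. If this parser also serves another login element, the property could be set on a filter that lacks it, so that is worth confirming. The enclosing method starts and ends outside the hunk.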
@@ -350,6 +350,12 @@ form-login = form-login.attlist &= ## The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check. attribute login-processing-url {xsd:token}? +form-login.attlist &= + ## The name of the request parameter which contains the username. Defaults to 'j_username'. + attribute username-parameter {xsd:token}? +form-login.attlist &= + ## The name of the request parameter which contains the password. Defaults to 'j_password'. + attribute password-parameter {xsd:token}? form-login.attlist &= ## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application. attribute default-target-url {xsd:token}? diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd index 4dcb190721..bda5964874 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd @@ -870,6 +870,16 @@ The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check. + + + The name of the request parameter which contains the username. Defaults to 'j_username'. + + + + + The name of the request parameter which contains the password. Defaults to 'j_password'. + + The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.
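Review bot: In spring-security-3.1.rnc, the two new `##` descriptions for `username-parameter` and `password-parameter` give the default but not the constraint a user has to meet. The value must be the `name` of the matching input on the login page, and the two attributes should not share a name. I would extend the text, e.g. `## The name of the request parameter which contains the username; must match the name of the username field in the login form. Defaults to 'j_username'.`, with the same wording for the password attribute. The XSD hunk that follows carries the same descriptions and would need the matching change.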