SEC-1445: Added support for custom username and password parameters in form-login.

config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java

@@ -29,6 +29,8 @@ public class FormLoginBeanDefinitionParser {
     private static final String ATT_FORM_LOGIN_TARGET_URL = "default-target-url";
     private static final String ATT_ALWAYS_USE_DEFAULT_TARGET_URL = "always-use-default-target";
     private static final String DEF_FORM_LOGIN_TARGET_URL = "/";
+    private static final String ATT_USERNAME_PARAMETER = "username-parameter";
+    private static final String ATT_PASSWORD_PARAMETER = "password-parameter";
 
     private static final String ATT_FORM_LOGIN_AUTHENTICATION_FAILURE_URL = "authentication-failure-url";
     private static final String DEF_FORM_LOGIN_AUTHENTICATION_FAILURE_URL =
@@ -63,6 +65,9 @@ public class FormLoginBeanDefinitionParser {
         String alwaysUseDefault = null;
         String successHandlerRef = null;
         String failureHandlerRef = null;
+        // Only available with form-login
+        String usernameParameter = null;
+        String passwordParameter = null;
 
         Object source = null;
 
@@ -83,10 +88,20 @@ public class FormLoginBeanDefinitionParser {
                 loginPage = null;
             }
             WebConfigUtils.validateHttpRedirect(loginPage, pc, source);
+            usernameParameter = elt.getAttribute(ATT_USERNAME_PARAMETER);
+            passwordParameter = elt.getAttribute(ATT_PASSWORD_PARAMETER);
         }
 
         filterBean = createFilterBean(loginUrl, defaultTargetUrl, alwaysUseDefault, loginPage, authenticationFailureUrl,
                 successHandlerRef, failureHandlerRef);
+
+        if (StringUtils.hasText(usernameParameter)) {
+            filterBean.getPropertyValues().addPropertyValue("usernameParameter", usernameParameter);
+        }
+        if (StringUtils.hasText(passwordParameter)) {
+            filterBean.getPropertyValues().addPropertyValue("passwordParameter", passwordParameter);
+        }
+
         filterBean.setSource(source);
 
         BeanDefinitionBuilder entryPointBuilder =

config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc

@@ -350,6 +350,12 @@ form-login =
 form-login.attlist &=
     ## The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.
     attribute login-processing-url {xsd:token}?
+form-login.attlist &=
+    ## The name of the request parameter which contains the username. Defaults to 'j_username'.
+    attribute username-parameter {xsd:token}?
+form-login.attlist &=
+    ## The name of the request parameter which contains the password. Defaults to 'j_password'. 
+    attribute password-parameter {xsd:token}?    
 form-login.attlist &=
     ## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.
     attribute default-target-url {xsd:token}?

config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd

@@ -870,6 +870,16 @@
         <xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to /j_spring_security_check.</xs:documentation>
       </xs:annotation>
     </xs:attribute>
+    <xs:attribute name="username-parameter" type="xs:token">
+      <xs:annotation>
+        <xs:documentation>The name of the request parameter which contains the username. Defaults to 'j_username'.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="password-parameter" type="xs:token">
+      <xs:annotation>
+        <xs:documentation>The name of the request parameter which contains the password. Defaults to 'j_password'. </xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
     <xs:attribute name="default-target-url" type="xs:token">
       <xs:annotation>
         <xs:documentation>The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.</xs:documentation>