Set default protected welcome page in Spring MVC project

Question

I have a Spring MVC project and I would like to set a welcome home page that is protected by a login. The result of my configuration is that normally if I ask a URL like:

http://localhost:8080/angularjava/app/homepage.html

the server present me a login page correctly. If I ask instead this URL:

http;//localhost:8080/angularjava

I see the page homepage.html (with erroneus links to css etc) and no login page is presented.

This is my web.xml file:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                         http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
     version="3.0"
     metadata-complete="true">
  <display-name>AngularJS-Java8-SpringMVC-MongoDB</display-name>
  <welcome-file-list>
    <welcome-file>/app/homepage.html</welcome-file>  
  </welcome-file-list>

<servlet>
    <servlet-name>springmvc</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>springmvc</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<security-constraint>
   <web-resource-collection>
       <web-resource-name>Pagine applicazione</web-resource-name>
       <url-pattern>/app/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>  
   </web-resource-collection>
   <auth-constraint>
       <role-name>*</role-name>         
   </auth-constraint>
   <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
   </security-constraint>

   <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
       <form-login-page>/public/login.html</form-login-page>
       <form-error-page>/public/error.html</form-error-page>
   </form-login-config>
   </login-config>

   <security-role>
       <role-name>*</role-name>
   </security-role>
</web-app>

And this is my springmvc-servlet.xml :

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:mongo="http://www.springframework.org/schema/data/mongo"
xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/data/mongo 
        http://www.springframework.org/schema/data/mongo/spring-mongo.xsd
        http://www.springframework.org/schema/mvc 
        http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/tx 
        http://www.springframework.org/schema/tx/spring-tx.xsd">

<context:annotation-config />

<tx:annotation-driven />
<mvc:annotation-driven />
<context:property-placeholder location="classpath:mongodb.properties" />
<mongo:repositories base-package="sa.angularjava.repository"></mongo:repositories>
<!--Component scanning with <context:component-scan base-package="com.rocketAlan" 
    /> is telling spring that it should search the class path for all the classes 
    under "sa.angularjava" and look at each class to see if it has a @Controller, 
    or @Repository, or @Service, or @Component and if it does then Spring will 
    register the class with the bean factory as if you had typed <bean class="..." 
    /> in the xml configuration files. -->
<!-- Specify base package of the components DAO, Controller, etc -->
<context:component-scan base-package="sa.angularjava.config" />
<context:component-scan base-package="sa.angularjava.controller" />
<context:component-scan base-package="sa.angularjava.dao" />
<context:component-scan base-package="sa.angularjava.rest" />
<context:component-scan base-package="sa.angularjava.service" />

<bean id="viewResolver"
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass"
        value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/jsp/" />
    <property name="suffix" value=".jsp" />
</bean>

<!-- Maps static resources like images, css, javascript files -->
<mvc:resources mapping="/app/**" location="/app/" />
<mvc:resources mapping="/public/**" location="/public/" />

<!-- Setting the connection with MONGODB -->

<context:property-placeholder location="classpath:mongodb.properties"/>

<mongo:mongo-client host="${mongo.host}" port="${mongo.port}" credentials="root:example@admin">

</mongo:mongo-client>
<mongo:db-factory dbname="Auth" mongo-ref="mongoClient"/>

<bean id="mongoTemplate" class="org.springframework.data.mongodb.core.MongoTemplate">
  <constructor-arg name="mongoDbFactory" ref="mongoDbFactory"/>
</bean>

<bean class="org.springframework.dao.annotation.PersistenceExceptionTranslationPostProcessor"/>

</beans>

Answer 1

If you want only authenticated users it's best to have class which extends WebSecurityConfigurerAdapter and override protected void configure(HttpSecurity http) to say which paths to be accessed only from a logged user:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable().authorizeRequests()
            .antMatchers(SIGN_UP_URL, "/login", "/getAll").permitAll()
            .anyRequest().authenticated()
            .and()
            .addFilter(new JWTAuthenticationFilter(authenticationManager()))
            .addFilter(new JWTAuthorizationFilter(authenticationManager()))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}