
How to log in to a Spring Security login form using cURL?

I am working on a Spring MVC project in which user authentication is based on Spring Security.

The idea is to have a mobile (Android) application be able to send some sort of data to the backend.

So before getting my hands dirty with Android development, I decided to mock the login form using cURL.

The login form on our site is as follows:


and I use the following command:

curl -F 'username=admin&password=admin' http://localhost:8080/app/user/login

but I still get the login page; in other words, I am not able to pass user authentication in this mock-up situation.

Just to note: for every request Spring Security creates a randomized token, something similar to:


How should I pass a Spring Security login form in a mock situation (either cURL or HTTPClient)?



Use cURL like this:

 curl -d j_username=admin -d j_password=admin -L http://localhost:8080/app/j_spring_security_check


If you get something like "Expected CSRF token not found. Has your session expired?", that means that CSRF token protection is enabled. To test it with cURL you need a cookie and the CSRF token itself.

The following command will write all cookies to a file named cookie and print out the CSRF token. The Spring Security default token parameter name is _csrf; if you've changed it, you need to change grep csrf as well.

curl --cookie-jar cookie -L http://localhost:8080/app/j_spring_security_check  | grep csrf

Then you can execute the next command, which will pass all cookies from the file. Don't forget to replace |your_token_value| with the actual value printed out by the previous command (and the _csrf parameter name if you've changed it).

curl --cookie cookie -d "j_username=admin&j_password=admin&_csrf=|your_token_value|" -L http://localhost:8080/app/j_spring_security_check

From Spring Security 3.x to 4.x

Note that in Spring Security 4.x the default value for login-processing-url changed from /j_spring_security_check to POST /login, the default value for username-parameter changed from j_username to username, and the default value for password-parameter changed from j_password to password. If an application explicitly provides these attributes, no action is required for the migration.

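The two manual steps from the answer above (fetch the login page with a cookie jar, then post the credentials with the token) can be scripted as follows. This is an added example, not code from the original answer; the function names, the environment variables and the sample HTML are assumptions, and it assumes the token is rendered as a hidden input in the login page.

```bash
# Added example (not from the original answer). Defaults are the Spring
# Security 3.x names used above; for 4.x set LOGIN_PATH=/login,
# USER_PARAM=username, PASS_PARAM=password.
LOGIN_PATH="${LOGIN_PATH:-/j_spring_security_check}"
USER_PARAM="${USER_PARAM:-j_username}"
PASS_PARAM="${PASS_PARAM:-j_password}"
CSRF_PARAM="${CSRF_PARAM:-_csrf}"

# Constructed sample login page, only to show what extract_csrf parses.
SAMPLE_LOGIN_PAGE='<form method="post" action="/app/j_spring_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="hidden" name="_csrf" value="constructed-token-123"/>
</form>'

# Read HTML on stdin, print the value of the input named $1 (hypothetical helper).
extract_csrf() {
  csrf_name="${1:-_csrf}"
  tr '\n' ' ' | grep -o '<input[^>]*>' \
    | grep "name=[\"']${csrf_name}[\"']" \
    | sed -n "s/.*value=[\"']\([^\"']*\)[\"'].*/\1/p" | head -n 1
}

# spring_login BASE_URL USER PASSWORD (hypothetical helper)
# Prints the final HTTP status and URL after redirects.
spring_login() {
  sl_base="$1"; sl_user="$2"; sl_pass="$3"
  sl_jar="$(mktemp)" || return 1   # holds the session cookie, created mode 0600
  # Step 1: GET the login page, keep the session cookie, pull out the token.
  sl_token="$(curl -s -L --cookie-jar "$sl_jar" "${sl_base}${LOGIN_PATH}" \
    | extract_csrf "$CSRF_PARAM")"
  if [ -z "$sl_token" ]; then
    echo "no ${CSRF_PARAM} field found in login page" >&2
    rm -f "$sl_jar"; return 1
  fi
  # Step 2: POST credentials plus token with the same cookies.
  # --data-urlencode keeps '&', '=' or '+' in a value from breaking the form body.
  curl -s -L -o /dev/null -w '%{http_code} %{url_effective}\n' \
    --cookie "$sl_jar" --cookie-jar "$sl_jar" \
    --data-urlencode "${USER_PARAM}=${sl_user}" \
    --data-urlencode "${PASS_PARAM}=${sl_pass}" \
    --data-urlencode "${CSRF_PARAM}=${sl_token}" \
    "${sl_base}${LOGIN_PATH}"
  sl_rc=$?
  rm -f "$sl_jar"                  # do not leave a live session cookie on disk
  return "$sl_rc"
}

# Runs only with arguments, e.g.: ./login.sh http://localhost:8080/app admin admin
if [ "$#" -ge 3 ]; then spring_login "$1" "$2" "$3"; fi
```

The token is tied to the session cookie saved in step 1, which is why both requests share one cookie jar.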