Can't login to my custom login page in spring boot security

Question

My problem is: when I try to login on my custom login page it redirects me to login page again (it doesn't matter if I put right or wrong credentials). It's also weird that I don't reach my custom UserDetailService in debug, I think it means that spring doesn't even check user's credentials.

I have custom login form /WEB-INF/jsp/login.jsp:

...    
<form name='loginForm' action="<c:url value='j_spring_security_check' />" method='POST'>

        <table>
            <tr>
                <td>User:</td>
                <td><input type='text' name='j_username' value=''></td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><input type='password' name='j_password' /></td>
            </tr>
            <tr>
                <td colspan='2'><input name="submit" type="submit"
                                       value="submit" /></td>
            </tr>
        </table>

        <input type="hidden" name="${_csrf.parameterName}"
               value="${_csrf.token}" />

    </form>
...

This is configuration:

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().antMatchers("/", "/welcome", "/resources/**").permitAll()
                .anyRequest().authenticated().and()
                .formLogin().loginPage("/login").failureUrl("/login?error").permitAll().and()
                .logout().logoutUrl("/login?logout").permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

And this is inside controller:

@RequestMapping(value = "/login", method = RequestMethod.GET)
public ModelAndView login(
        @RequestParam(value = "error", required = false) String error,
        @RequestParam(value = "logout", required = false) String logout) {

    ModelAndView model = new ModelAndView();
    if (error != null) {
        model.addObject("error", "Invalid username and password!");
    }

    if (logout != null) {
        model.addObject("msg", "You've been logged out successfully.");
    }
    model.setViewName("login");

    return model;

}

In src/main/resources/application.properties I have:

spring.view.prefix: /WEB-INF/jsp/
spring.view.suffix: .jsp

Answer 1

Those j_spring_security_check, j_username, j_password names are all old defaults (pre Spring Security 3.2).

The defaults now are: login, username and password.

Answer 2

I fixed a similar issue by disabling CSRF in the HttpSecurity configuration:

.csrf().disable() 

If you want to leave CSRF enabled, you must include the token in all forms

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

Detailed explanation: http://www.baeldung.com/spring-security-csrf