I am working on a springMVC project in which the user authentication is based on spring security.
the idea is to have a mobile (android) application to be able to send some sort of data to backend.
So before get my hand dirty into android developing I decided to mock the situation of login form using cURL.
the login form in our site is as following :
http://localhost:8080/app/user/login
and I use following command :
curl -F 'username=admin&password=admin' http://localhost:8080/app/user/login
but yet I will get login page in other words I am not able to pass user authentication based on a mock up situation.
just to note : for every request the spring secure will create a randomize token something similar to :
8863F732ADDE24CD167F4EF502A4333D
how should I pass login form based on spring security using mock situation (either cURL
or HTTPClient
)
For example, if a website has protected content curl allows you to pass authentication credentials. To do so use the following syntax: curl --user "USERNAME:PASSWORD" https://www.domain.com . “USERNAME” must be replaced with your actual username in quotes.
Use cURL
like this:
curl -d j_username=admin -d j_password=admin -L http://localhost:8080/app/j_spring_security_check
If you get something like Expected CSRF token not found. Has your session expired?
that means that CSRF token protection is enabled. To test it with cURL you need a cookie and a CSRF token itself.
The following command will write all cookies to a file named cookie
and print out the CSRF token. Spring Security default token parameter name is _csrf
, if you've changed it then you need to change grep csrf
also.
curl --cookie-jar cookie -L http://localhost:8080/app/j_spring_security_check | grep csrf
Then you can execute next command which will pass all cookies from file. Don't forget to replace |your_token_value|
with an actual value which is printed out by the previous command (and _csrf
parameter name if you've changed it).
curl --cookie cookie -d "j_username=admin&j_password=admin&_csrf=|your_token_value|" -L http://localhost:8080/app/j_spring_security_check
Note that in Spring Security 4.x default value for login-processing-url
changed from /j_spring_security_check
to POST /login
, default value for username-parameter
changed from j_username
to username
and default value for password-parameter
changed from j_password
to password
. If an application explicitly provides these attributes, no action is required for the migration.
You should configure spring to support basic authentication. Then add to your request the following header:
Authorization
base64(username:password)
That means that user name and password should be cocatenated into one string with :
as separator and then transformed using BASE64
transformation.
Based on the most voted answer, I wrote the following script:
#!/usr/bin/env bash
curl --cookie-jar cookie -L http://localhost:PORT/secureDomain/secureURL
TOKEN=$( cat cookie | grep 'XSRF' | cut -f7 )
curl --cookie cookie -u admin:admin -d "_csrf=$TOKEN" -L http://localhost:PORT/secureDomain/secureURL
Works for Spring Security 4.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With