Menu
I am working on a springMVC project in which the user authentication is based on spring security.
the idea is to have a mobile (android) application to be able to send some sort of data to backend.
So before get my hand dirty into android developing I decided to mock the situation of login form using cURL.
the login form in our site is as following :
http://localhost:8080/app/user/login
and I use following command :
curl -F 'username=admin&password=admin' http://localhost:8080/app/user/login
but yet I will get login page in other words I am not able to pass user authentication based on a mock up situation.
just to note : for every request the spring secure will create a randomize token something similar to :
8863F732ADDE24CD167F4EF502A4333D
how should I pass login form based on spring security using mock situation (either cURL or HTTPClient)
951
For example, if a website has protected content curl allows you to pass authentication credentials. To do so use the following syntax: curl --user "USERNAME:PASSWORD" https://www.domain.com . “USERNAME” must be replaced with your actual username in quotes.
Use cURL like this:
curl -d j_username=admin -d j_password=admin -L http://localhost:8080/app/j_spring_security_check If you get something like Expected CSRF token not found. Has your session expired? that means that CSRF token protection is enabled. To test it with cURL you need a cookie and a CSRF token itself.
The following command will write all cookies to a file named cookie and print out the CSRF token. Spring Security default token parameter name is _csrf, if you've changed it then you need to change grep csrf also.
curl --cookie-jar cookie -L http://localhost:8080/app/j_spring_security_check | grep csrf Then you can execute next command which will pass all cookies from file. Don't forget to replace |your_token_value| with an actual value which is printed out by the previous command (and _csrf parameter name if you've changed it).
curl --cookie cookie -d "j_username=admin&j_password=admin&_csrf=|your_token_value|" -L http://localhost:8080/app/j_spring_security_check Note that in Spring Security 4.x default value for login-processing-url changed from /j_spring_security_check to POST /login, default value for username-parameter changed from j_username to username and default value for password-parameter changed from j_password to password. If an application explicitly provides these attributes, no action is required for the migration.
194
You should configure spring to support basic authentication. Then add to your request the following header:
Authorization
base64(username:password)
That means that user name and password should be cocatenated into one string with : as separator and then transformed using BASE64 transformation.
36
Based on the most voted answer, I wrote the following script:
#!/usr/bin/env bash
curl --cookie-jar cookie -L http://localhost:PORT/secureDomain/secureURL
TOKEN=$( cat cookie | grep 'XSRF' | cut -f7 )
curl --cookie cookie -u admin:admin -d "_csrf=$TOKEN" -L http://localhost:PORT/secureDomain/secureURL
Works for Spring Security 4.
30
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
