inMemoryAuthentication with Spring Boot

Question

I've generated a Spring Boot web application using Spring Initializer, embedded Tomcat, Thymeleaf template engine, and package as an executable JAR file.

Technologies used:

Spring Boot 1.4.2.RELEASE, Spring 4.3.4.RELEASE, Thymeleaf 2.1.5.RELEASE, Tomcat Embed 8.5.6, Maven 3, Java 8

This is my security config class:

@Configuration
@EnableWebSecurity
@PropertySource("classpath:/com/tdk/iot/config/app-${APP-KEY}.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${securityConfig.formLogin.loginPage}")
    private String loginPage;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
            .formLogin()
                .loginPage(loginPage)
                .permitAll()
                .loginProcessingUrl("/login")
                .failureUrl("/login.html?error=true")
                .defaultSuccessUrl("/books/list")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/denied")
                .and()
            .authorizeRequests()
                .antMatchers("/mockup/**").permitAll()
                .antMatchers("/books/**").permitAll()
                .antMatchers("/welcome/**").authenticated()
                .and()
            .logout()
                .permitAll()
                .logoutSuccessUrl("/index.html");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .passwordEncoder(new StandardPasswordEncoder())
                .withUser("test1").password("test1").roles("ADMIN").and()
                .withUser("test2").password("test2").roles("USER").and()
                .withUser("test3").password("test3").roles("SUPERADMIN");
    }

    @Bean
    public  static PropertySourcesPlaceholderConfigurer propertyDefaultConfig() {
        return new PropertySourcesPlaceholderConfigurer();
    }   
}

Here the LoginController

 @Controller
 public class LoginController {

     @RequestMapping(value={ "/", "/tdk/login"}, method = { RequestMethod.POST,RequestMethod.GET})
     public String welcome(Map<String, Object> model) {
         return "tdk/login";
     }
 }

and the template:

<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<head>

<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>

<div class="wrap">
    <div class="login">
        <div class="logo"></div>

            <form th:action="@{/login.html}" method="post">

                <p th:if="${loginError}" class="error">Wrong user or password</p>

                <div class="input_label"><i class="fa fa-user"></i><input type="text" name="user" placeholder="User" /></div>
                <div class="input_label"><i class="fa fa-key"></i><input type="password" name="pass" placeholder="Password" /></div>
                <input type="submit" value="LOGIN" />
             </form>
        <div class="forget">
           <!--  <a href="#">Do you forgot your password?</a><br/> -->
            <br/>            
        </div>          
    </div>
</div>

</body>
</html>

but when I access with test1 / test1 I got this error:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sun Mar 05 20:16:11 CET 2017 There was an unexpected error (type=Method Not Allowed, status=405). Request method 'POST' not supported

Answer 1

Your login page calls /login.html with HTTP POST, but your server doesn't provide such a request mapping.

The configured URL in your Spring Security configuration:

.loginProcessingUrl("/login")

is not matching the URL in your login page:

<form th:action="@{/login.html}" method="post">

See also AbstractAuthenticationFilterConfigurer#loginProcessingUrl:

Specifies the URL to validate the credentials.