Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring Security 3 - always return error 302

Tags:

java

spring-mvc

spring

spring-security

I use Spring 4 to create a simple application. Recently, I'm adding Spring Security 3 to the project but always get the Error Code 302 ( so it redirect to home page always ).

Here is my SecurityConfig:

@Configuration
@EnableWebMvcSecurity
@ComponentScan(basePackages = { "com.moon.repository" })
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("hello").password("world").roles("USER");
}

@Override
public void configure(WebSecurity web) throws Exception {
    web
    .ignoring().antMatchers("/resources/**", "/views/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            .antMatchers("/","/home").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/home")
            .loginProcessingUrl("/acct/signin")
            .and()
            .logout()
            .permitAll();
}

}

I have a Controller called AccountController:

@Controller
@RequestMapping(value = "/acct")
public class AccountController {

private final Logger logger = LoggerFactory.getLogger(AccountController.class);

@RequestMapping(value = "/signin", method = RequestMethod.POST)
public String signin(@RequestParam("username") String username,
        @RequestParam("password") String password) {

    logger.info("======== [username:{0}][password:{1}] ========", username, password);

    if ("[email protected]".equalsIgnoreCase(username)) {
        return "error";
    } else {
        return "demo";
    }
}

}

My WEB-INF structure:

WEB-INF
----views
--------home.jsp
--------demo.jsp
--------error.jsp

The flow is like:

  1. User access the web site with http://mylocal:8080/moon => it shows home.jsp
  2. User press the button SignIn and it pops a sub-window asked for username and password => still in home.jsp
  3. User press Submit button => I assume it will go /acct/signin and return to /demo, but I see Error 302 in Google Chrome and then it goes to /home again

Any ideas ? I'm stuck in 2 full days and now i'm almost in despair...

thank you very much every one to take a look at my problem

=================================== 1st Update ===================================

Update: The form in home.jsp

<form:form role="form" method="POST" action="acct/signin"
class="form-signin">
<div class="row">
    <div class="col-lg-5">
        <input name="username" size="20" type="email"
            class="form-control" placeholder="Email address" required
            autofocus> 
            <input name="password" type="password"
                    class="form-control" placeholder="Password" required>
                <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
    </div>
</div>
</form:form>

=================================== 2nd Update ===================================

I tried to implement UserDetailsService(not to use in-memory auth) but still... the same problem - Error 302

AppUserDetailsServiceImpl.java

@Component
public class AppUserDetailsServiceImpl implements UserDetailsService {

    private final Logger logger = LoggerFactory.getLogger(AppUserDetailsServiceImpl.class);

    @Override
    public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException {

        logger.info("loadUserByUsername username=" + username);
        logger.info("======== {} ========",SecurityContextHolder.getContext().getAuthentication());

        if (!username.equals("hello")) {
            throw new UsernameNotFoundException(username + " not found");
        }

        // creating dummy user details
        return new UserDetails() {

            private static final long serialVersionUID = 2059202961588104658L;

            @Override
            public boolean isEnabled() {
                return true;
            }

            @Override
            public boolean isCredentialsNonExpired() {
                return true;
            }

            @Override
            public boolean isAccountNonLocked() {
                return true;
            }

            @Override
            public boolean isAccountNonExpired() {
                return true;
            }

            @Override
            public String getUsername() {
                return username;
            }

            @Override
            public String getPassword() {
                return "world";
            }

            @Override
            public Collection<? extends GrantedAuthority> getAuthorities() {
                List<SimpleGrantedAuthority> auths = new java.util.ArrayList<SimpleGrantedAuthority>();
                auths.add(new SimpleGrantedAuthority("USER"));
                return auths;
            }
        };
    }

The log shows:

[14/08/19 15:16:32:200][INFO ][com.moon.repository.AppUserDetailsServiceImpl][loadUserByUsername](24) loadUserByUsername username=hello
[14/08/19 15:16:32:200][INFO ][com.moon.repository.AppUserDetailsServiceImpl][loadUserByUsername](25) ======== org.springframework.security.authentication.UsernamePasswordAuthenticationToken@f1e4f742: Principal: com.moon.repository.AppUserDetailsServiceImpl$1@e3dc1b1; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@12afc: RemoteIpAddress: 127.0.0.1; SessionId: 023BC9A8B997ECBD826DD7C33AF55FC7; Granted Authorities: USER ========
like image 309
chialin.lin Avatar asked Aug 18 '14 06:08

chialin.lin

People also ask

What is the default login error for springspring security?

Spring security by default will show login error in case customer provides invalid username or password. Spring security internally uses the Spring framework resource bundle feature to show customize error messages to the customer.

What is a 302 error in http?

The specification document of RFC for HTTP 1.0 states that the aim of a “302 Found” response code is intended to indicate that the client should execute a temporary redirect. However, many new browsers will process the code 302 received through the POST request as invalid GET request.

How to check server response code 301 or 302?

There is another option – to apply for checking the server response code to online services, for example, http://example. com/e_redirect/. If you set up a redirect correctly, after entering the domain name, you will see the response code 301 or 302. It depends on what kind of redirection you planned to receive initially.

How do I set up Spring Security for a web application?

This can be achieved either through the Spring Security configuration or web application configuration in the web.xml file. In the remaining sections, we will take a more in-depth look at each of these options.

2 Answers

To avoid having to create a new trivial SuccessHandler, override the successfulAuthentication method in your filter and just call the chain.doFilter() method after having set the Authentication object in the security context.

like image 183
Dani Avatar answered Sep 23 '22 01:09

Dani

For me I came from a little different use-case but 'suddenly' had the same problem before it perfectly worked.
My Setup Spring with a ExtJs frontend where I now build in a rest interface.
It all worked super nice and then suddenly I started having http status 302 responses (WTH?)

Since I implemented by code by following this example: https://octoperf.com/blog/2018/03/08/securing-rest-api-spring-security/
there is a declaration of a SimpleUrlAuthenticationSuccessHandler.
See 4.4 SecurityConfig where the TokenAuthenticationFilter is constructed with a class NoRedirectStrategy; see 4.1 Redirect Strategy

In turn not having this NoRedirectStrategy set up in my extension of the AbstractAuthenticationProcessingFilter it would show me http 302 responses.

like image 21
Dirk Schumacher Avatar answered Sep 27 '22 01:09

Dirk Schumacher
Sign in to Comment

Related questions

Will I be able to use Clojure functions as Lambdas in Java 8?
Java - Is there a method for Euclidean or floored modulo
ActionBar BUG: List mode navigation not visible after using SearchView
JAXB: how to unmarshal a List of objects of different types but with common parent?
Hibernate shows question marks in SQL query [duplicate]
Reflection getAnnotations() returns null
Finding the intersection of two 3D polygons
TableCellRenderer and how to refresh Cell background without using JTable.repaint()
JNI Android - Converting char* to byte array and return it to java
Why am I receiving a java.net.SocketException: Connection reset error from web service through SOAP UI and Java client?
Different output encryption both CryptoJS and Java Code
What is the purpose of asynchronous JAX-RS
How to find classloader leak with free tools?
Odd Java StackOverflowError?
Convert PDF to HTML file Java API
Java 8 reference to a static method vs. instance method
left join with spring data jpa and querydsl
"Step" or "Job" Scope for Spring-Batch beans?
Make Maven child poms have same version number as parent? [duplicate]
How to sort a collection of points so that they set up one after another?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!