Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring security 4 custom login j_spring_security_check return http 302

Tags:

spring-mvc

spring

spring-security

I asked a question about latest spring framework, code based configuration here

initializer

public class AppInitializer extends
        AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { SecurityConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[] { MvcConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

mvc config

    @EnableWebMvc
    @ComponentScan({ "com.appname.controller" })
    public class MvcConfig extends WebMvcConfigurerAdapter {
        @Bean
        public InternalResourceViewResolver viewResolver() {
            InternalResourceViewResolver resolver = new InternalResourceViewResolver();
            resolver.setPrefix("/WEB-INF/jsp/");
            resolver.setSuffix(".jsp");
            return resolver;
        }

@Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/res/**").addResourceLocations("/res/");
    }
    }

security config

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private CustomUserDetailsService customUserDetailsService;

public SecurityConfig() {
    customUserDetailsService = new CustomUserDetailsService();
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("password")
            .roles("USER");
    auth.userDetailsService(customUserDetailsService);
}

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/res/**").permitAll()
            .and().authorizeRequests()
            .anyRequest().hasRole("USER")
            .and().formLogin().loginPage("/account/signin").permitAll()
            .and().logout().permitAll();
    }
}

security initializer

public class SecurityInitializer extends
        AbstractSecurityWebApplicationInitializer {

}

custom login

public class CustomUserDetailsService implements UserDetailsService {

    private AccountRepository accountRepository;

    public CustomUserDetailsService() {
        this.accountRepository = new AccountRepository();
    }

    @Override
    public UserDetails loadUserByUsername(String email)
            throws UsernameNotFoundException {

        Account account = accountRepository.getAccountByEmail(email);

        if (account == null) {
            throw new UsernameNotFoundException("Invalid email/password.");
        }

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("USER"));

        return new User(account.getEmail(), account.getPassword(), authorities);
    }
}

However, now I have new issue about custom login.

when post to j_spring_security_check, I will receive http 302.

I'm requesting /, but after sign in, it stays on the sign in page.

Because I'm using spring security 4.x version, and purely code based configuration, so I can't find more reference on internet. Can anyone help to figure out why.

EDIT

org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'securityConfig': 
Injection of autowired dependencies failed; 
nested exception is org.springframework.beans.factory.BeanCreationException:
Could not autowire field: 
private org.springframework.security.core.userdetails.UserDetailsService sg.mathschool.infra.SecurityConfig.userDetailsService; 
nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: 
No qualifying bean of type [org.springframework.security.core.userdetails.UserDetailsService] found for dependency: 
expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations:
{@org.springframework.beans.factory.annotation.Autowired(required=true), @org.springframework.beans.factory.annotation.Qualifier(value=userDetailsService)}

I changed CustomUserDetailsService

@Service("userDetailsService")
public class CustomUserDetailsService implements UserDetailsService {

    private AccountRepository accountRepository;

    public CustomUserDetailsService() {
        this.accountRepository = new AccountRepository();
    }

    @Override
    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String email)
            throws UsernameNotFoundException {

        Account account = accountRepository.getAccountByEmail(email);

        if (account == null) {
            throw new UsernameNotFoundException("Invalid email/password.");
        }

        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("USER"));

        return new User(account.getEmail(), account.getPassword(), authorities);
    }
}

and security config

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password")
                .roles("USER");
        auth.userDetailsService(userDetailsService).passwordEncoder(
                passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/res/**").permitAll()
                .antMatchers("/account/**").permitAll().anyRequest()
                .hasRole("USER").and().formLogin().loginPage("/account/signin")
                .failureUrl("/account/signin?error").usernameParameter("email")
                .passwordParameter("password").and().logout()
                .logoutSuccessUrl("/account/signin?logout").and().csrf();

    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }
}
like image 493
Timeless Avatar asked Apr 10 '15 06:04

Timeless

People also ask

What is the login-processing-URL for J_Spring_Security_check?

if you're using spring security 4.x, the login-processing-url (/j_spring_security_check) shoud be /login – Rached Anis Jul 9 '16 at 2:07

What happens if we don't specify Spring Security's login URL?

If we don't specify this, Spring Security will generate a very basic Login Form at the /login URL. 8.2. The POST URL for Login The default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4.

How to configure Spring Security login using XML configuration?

Similarly, we can use the XML configuration: If we don't specify this, Spring Security will generate a very basic Login Form at the /login URL. 8.2. The POST URL for Login The default URL where the Spring Login will POST to trigger the authentication process is /login, which used to be /j_spring_security_check before Spring Security 4.

What is custom login in Spring Security?

Spring Security Custom Login. Spring Security provides it's own built-in login module to authenticate the user. It validates the user credentials and provide accessibility into the application. The login page rendered by the module is built-in.

2 Answers

In Spring Security 4.x login URL has changed to login instead of j_spring_security_check, see Migrating from Spring Security 3.x to 4.x (XML Configuration).

<form name='f'action="login" method='POST'>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <table>
        <tbody>
            <tr>
                <td>User Name</td>
                <td><input type="text" name="username" size="30" /></td>
            </tr>
            <tr>
                <td>Password</td>
                <td><input type="password" name="password" size="30" /></td>
            </tr>
            <tr>
                <td></td>
                <td><input type="submit" value="login" /></td>
            </tr>
        </tbody>
    </table>
</form>
like image 61
Yasitha Bandara Avatar answered Sep 19 '22 10:09

Yasitha Bandara

Maybe it's CORS issue ? whatever it is , you can check the request and the response by adding:

authentication-success-handler-ref="appLoginSuccessHandler" 
authentication-failure-handler-ref="appLoginFailureHandler"

to your spring security. it's should look like this:

<http use-expressions="true" disable-url-rewriting="true" >
    <logout invalidate-session="true" delete-cookies="true"/>
    <form-login login-page="/YOUR_login_PAGE"
        username-parameter="j_username"
        password-parameter="j_password"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/YOUR_login_PAGE"
        default-target-url="/YOUR_login_PAGE" 
        authentication-success-handler-ref="appLoginSuccessHandler" 
        authentication-failure-handler-ref="appLoginFailureHandler"/>

It will call the correct methods on the appLoginSuccessHandler and appLoginFailureHandler services.

Example of service declaration: 

@Service("appLoginSuccessHandler")
public class LoginSuccessHandler extends 
SimpleUrlAuthenticationSuccessHandler{

@Override
public void onAuthenticationSuccess(
HttpServletRequest request, HttpServletResponse response, Authentication 
auth) throws IOException, ServletException{ ......
.....
.....
.....  Here you can handle also CORS ... and more ...
like image 35
Alon Asulin Avatar answered Sep 17 '22 10:09

Alon Asulin
Sign in to Comment

Related questions

Update Liquibase's changelog automatically while building
POSTing nested objects using spring data rest?
"Provider com.fasterxml.jackson.module.jaxb.JaxbAnnotationModule not found" after Spring Boot Upgrade
java.lang.ClassNotFoundException: org.hibernate.cache.CacheProvider exception while integrating spring and hiberate
@Autowired object gets a null value in one class, while successfully wired in another
How to scale NodeJS linearly on multiple cores?
Can I throw a custom error if a hystrix-protected call times out?
Spring RedisConnectionFactory with transaction not returning connection to Pool and then blocks when exhausted
Using Spring @Scheduled and @Async together
How to use direct streaming for SOAP with Spring-WS?
Spring JPA: Should the Save() method commit data to the database?
Can I find the URL for a spring mvc controller in the view layer?
Adding /src/main/resources to Classpath when Running Spring JUnit Tests from Eclipse
Spring/Hibernate @Transactional - Session closing before it should
How to inherit RequestMappings in a Spring 3 MVC REST API
Disabling certain aspects during unit test runs
JHipster: CORS fails on form login (actual request, not pre-flight)
Tips or tools for debugging Spring applications? [closed]
Spring MVC - Drop Down Object Selection - No primary identifier
Spring @Query annotation with enum parameter

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!