
Too many redirects with own login form - Spring Security

I would like to make my own login form. When I change the login page, I can't open it. Google Chrome tells me that there are too many redirects to this page...

My code:

@RequestMapping(value="/login", method = RequestMethod.GET)
public ModelAndView loginPage() {
    ModelAndView modelAndView = new ModelAndView("login");
    return modelAndView;
}

@RequestMapping(value="/loginError", method = RequestMethod.GET)
public ModelAndView loginErrorPage() {
    ModelAndView modelAndView = new ModelAndView("login");
    modelAndView.addObject("error", "true");
    modelAndView.addObject("msg", "invalid login credentials");
    return modelAndView;
}

settings:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable().authorizeRequests()
            .antMatchers("/**").access("hasRole('ROLE_USER')")
            .and().formLogin().loginPage("/login").defaultSuccessUrl("/index").failureUrl("/loginError");
}

and login form:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
         pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Insert title here</title>
</head>
<body>
<c:if test="${error eq 'true'}">
    ${msg}
</c:if>
<form name='loginForm' action="<c:url value='j_spring_security_check' />"
      method='POST'>

    <table>
        <tr>
            <td>User Name:</td>
            <td><input type='text' name='j_username' value=''>
            </td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='j_password' />
            </td>
        </tr>
        <tr>
            <td><input name="submit" type="submit"
                       value="submit" />
            </td>
            <td><input name="reset" type="reset" />
            </td>
        </tr>
    </table>

</form>
</body>
</html>

Could you tell me where the problem is? I studied a lot of tutorials but always the same problem. Too many redirects...

BTW, IntelliJ can't resolve: j_spring_security_check

MartinSKI asked Dec 05 '22 16:12


1 Answer

As stated in the manual, you need to permit requests to the login page; otherwise it will just go into an endless loop:

http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-form

We must grant all users (i.e. unauthenticated users) access to our log in page. The formLogin().permitAll() method allows granting access to all users for all URLs associated with form based log in.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
            .antMatchers("/**").access("hasRole('ROLE_USER')")
            // permitAll() opens the login page and the other form-login URLs to unauthenticated users
            .and().formLogin().loginPage("/login").permitAll()
            .defaultSuccessUrl("/index").failureUrl("/loginError");
}
Alan Hay answered Dec 25 '22 10:12