1

I have a template project I created a long time ago. The project can be found here.

All the libraries have been updated to new versions except Spring Security. If you check out the master branch and go to localhost:8080/springdemo/index.htm, the application will redirect you to the login page, and once you enter demouser/demopass or userdemo/passdemo you will be logged in and redirected to index.htm.

The problem is that when I update to Spring Security 4.2.3.RELEASE the application does not work. This code is on the spring-security-update branch. I tried a lot of online resources. I messed around with the csrf token and disabled it for the time being, but was unable to get it to work.

Does anybody have an idea why Spring Security is not working?

Thanks in advance

1 Answer

2

This is because of the migration from version 3 to version 4. To make all this work you should do this:

1) in your index.jsp change form action from action='/springdemo/j_spring_security_check' to action='/springdemo/login'

2) in your index.jsp change input name from name='j_username' to name='username', same for name='j_password' -> name='password'

3) in your index.jsp change logout url from href="j_spring_security_logout" to href="logout"

Worked for me. Hope it helps

Leffchik
  • Thanks a lot. This all works while the csrf token is disabled. Once I uncomment it in login.jsp and put it back on in applicationContext-security.xml, logout does not work. Logout seems to need the csrf token. Thanks again, you have given me a breakthrough. – Ivan Dejanovic Jul 06 '17 at 18:56
  • 1
    @IvanDejanovic, yes, according to the Spring documentation: _Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users._ It means that you need to use a POST form for logout with the csrf token in it, similar to the login functionality – Leffchik Jul 06 '17 at 19:17
  • Btw, ajax calls are not working either. A csrf token is required – Leffchik Jul 06 '17 at 19:18
  • @IvanDejanovic, to fix ajax requests you can go through [this spring manual](https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-include-csrf-token-ajax). Hope it helps! – Leffchik Jul 06 '17 at 19:20
  • 1
    You might want to add links to the documentation which clearly explain what needs to be upgraded. See http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-logout – M. Deinum Jul 07 '17 at 05:48
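
The three changes from the answer combined with the CSRF point from the comments, as an added example that is not code from the question's project or from any poster. The form layout, button labels and use of the JSTL core taglib are assumptions; the endpoint and parameter names are the ones given in the answer, and `_csrf` is the request attribute Spring Security exposes when CSRF protection is enabled.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Added example: assumed markup, not the project's own index.jsp/login.jsp. --%>

<%-- Login form with the Spring Security 4 defaults.
     3.x action:  /springdemo/j_spring_security_check
     3.x fields:  j_username, j_password
     c:url prepends the context path (/springdemo), so it is not hard-coded. --%>
<form action="<c:url value='/login'/>" method="post">
    <input type="text" name="username"/>
    <input type="password" name="password"/>
    <%-- Needed once CSRF protection is switched back on: without this hidden
         field the login POST is rejected before authentication runs. --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <input type="submit" value="Log in"/>
</form>

<%-- Logout.
     3.x link:  href="j_spring_security_logout"
     With CSRF enabled the LogoutFilter only accepts POST, so a plain
     href="logout" link (a GET) no longer logs the user out. Use a POST
     form that carries the token, the same way the login form does. --%>
<form action="<c:url value='/logout'/>" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <input type="submit" value="Log out"/>
</form>
```

Keeping logout as a token-protected POST is what prevents a third-party page from forcing a logout, which is the reason the quoted documentation gives for the change.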