
I am trying to apply a Spring Security login configuration to my application, but with this configuration in place I am not redirected to the success page after logging in.

abc_security_config.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security namespace configuration: method security, one form-login
    protected <s:http> filter chain, and an in-memory authentication provider
    holding a single user.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:jee="http://www.springframework.org/schema/jee"
    xmlns:lang="http://www.springframework.org/schema/lang"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:s="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang.xsd
        http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Enables @PreAuthorize/@PostAuthorize and @Secured on beans of this context, using class-based proxies. -->
    <s:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" proxy-target-class="true"/>

    <!--
        auto-config="true" is shorthand that registers form login, HTTP Basic and logout;
        use-expressions="true" makes the access attributes below SpEL expressions.
    -->
    <s:http auto-config="true"  use-expressions="true">
        <!-- Rules are evaluated top-down and the first matching pattern wins, so the catch-all stays last. -->
        <s:intercept-url pattern="/login" access="permitAll"></s:intercept-url>
        <s:intercept-url pattern="/logout" access="permitAll"></s:intercept-url>
        <s:intercept-url pattern="/accessdenied" access="permitAll"></s:intercept-url>
        <!--
            NOTE(review): only the three paths above are open. The failure URL
            /login.html?error=true configured below, a login form posting to any URL
            other than the configured processing URL, and any static resources the
            login view loads all fall under this rule, so an anonymous request to them
            is sent back to the login page. Presumably this is why the login controller
            is hit several times per page view; confirm in the access log.
        -->
        <s:intercept-url pattern="/**" access="hasRole('ROLE_USER')"></s:intercept-url>
        <!-- <s:form-login login-page="/login" default-target-url="/list" authentication-failure-url="/accessdenied"></s:form-login> -->
        <!--
            NOTE(review): authentication-success-forward-url and default-target-url are
            both set to /home. A forward keeps the original POST request, while the /home
            handler shown in UserController is mapped for GET only; the forward setting
            appears to take precedence, which should be confirmed for the version in use.
            No login-processing-url, username-parameter or password-parameter is set, so
            the version defaults apply (Spring Security 4.x: POST /login, username,
            password) and the login form has to use the same names.
        -->
        <s:form-login login-page="/login" authentication-success-forward-url="/home"  default-target-url="/home" authentication-failure-url="/login.html?error=true"></s:form-login> 

        <!--
            After logout the browser is sent to /logout (served by UserController) and the
            JSESSIONID cookie is deleted. NOTE(review): with CSRF protection on, Spring
            Security 4 treats only POST /logout as a logout request, so a plain GET /logout
            renders the controller view without ending the session; verify that the logout
            control submits a POST carrying the CSRF token.
        -->
        <s:logout logout-success-url="/logout" delete-cookies="JSESSIONID"></s:logout>
        <!-- CSRF protection: state-changing requests must carry the token rendered into the form. -->
        <s:csrf/>
    </s:http>
    <!--
        NOTE(review): in-memory user with a hard-coded plain-text password and no password
        encoder. Acceptable for a local demo only; for anything shared, back the provider
        with a UserDetailsService that stores hashed passwords (for example BCrypt) and
        keep credentials out of the configuration file.
    -->
    <s:authentication-manager alias="authenticationManager">
        <!-- <s:authentication-provider user-service-ref="customPreAuthUserDetailsService" /> -->
        <s:authentication-provider>
            <s:user-service>
                <s:user name="abc" password="test" authorities="ROLE_USER" />
            </s:user-service>
        </s:authentication-provider>
    </s:authentication-manager>
</beans>

Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Servlet 3.0 deployment descriptor: one DispatcherServlet ("recon") mapped to "/",
    the Spring Security filter chain mapped to every request, and a short session timeout.
-->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    id="WebApp_ID" version="3.0">
    <display-name>Archetype Created Web Application</display-name>


    <!--
        The servlet's own application context loads both the MVC configuration and the
        security configuration. NOTE(review): no ContextLoaderListener is declared in this
        descriptor, so there is no root application context; the security beans live only
        in the servlet context. The conventional layout loads the security configuration
        through a ContextLoaderListener so that the filter declared below resolves
        springSecurityFilterChain from the root context. Confirm that the filter finds
        the bean in this setup.
    -->
    <servlet>
        <servlet-name>recon</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/configuration/abc-servlet.xml
                /WEB-INF/configuration/abc_security_config.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>recon</servlet-name>
        <url-pattern>/</url-pattern>
        <!-- <url-pattern>/recon/*</url-pattern> -->
    </servlet-mapping>
    <!-- Spring Servlet Configuration : END --> 
    <!-- Spring Security : Start -->
    <!-- The filter name must equal the bean name springSecurityFilterChain; DelegatingFilterProxy looks the bean up by that name. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <!-- Every request, static resources included, passes through the security filter chain. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring Security : End -->
    <!-- Makes Spring's JSP tags HTML-escape their output by default. -->
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>    
    <welcome-file-list>
        <welcome-file>/index.jsp</welcome-file>
    </welcome-file-list>
    <!--
        Idle sessions expire after 5 minutes. NOTE(review): no cookie-config is declared;
        Servlet 3.0 allows http-only and secure flags for the session cookie inside
        session-config, plus a tracking-mode of COOKIE to keep session ids out of URLs.
        Consider setting them when the application is served over HTTPS.
    -->
    <session-config>
        <session-timeout>5</session-timeout>
    </session-config>

</web-app>

UserController.java

/**
 * MVC controller that serves the login, home and logout views.
 *
 * Every handler here is mapped for GET only and returns a logical view name (or a
 * redirect); none of them performs authentication or ends a session itself. Those
 * steps are left to the Spring Security filter chain.
 */
@Controller
//@RequestMapping(value = "/user")
public class UserController {

    // NOTE(review): declared but not used by any method shown; login() writes to System.out instead.
    private final Logger logger = LoggerFactory.getLogger(UserController.class);

    // Injected by bean name "userService"; not referenced by the handlers shown here.
    @Resource(name = "userService")
    private UserService usrService;

    /**
     * Renders the login view for GET /login.
     *
     * Prints a marker line to standard output on every call, so each request that
     * reaches this handler (including requests redirected here by the security
     * filter chain) produces one line on the console.
     *
     * @param model model passed in by Spring MVC; not modified here
     * @return the logical view name "login"
     */
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(ModelMap model) {
        System.out.println("::::::::::Controller Login::::::::::");
        return "login";
    }

    /**
     * Sends GET / on to /home with a redirect.
     *
     * @param map model passed in by Spring MVC; not modified here
     * @return the redirect instruction "redirect:/home"
     */
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String defaultPage(ModelMap map) {
        return "redirect:/home";
    }

    /**
     * Renders the home view for GET /home.
     *
     * NOTE(review): mapped for GET only, so a request forwarded here with its original
     * POST method would not match this handler.
     *
     * @param map model passed in by Spring MVC; not modified here
     * @return the logical view name "home"
     */
    @RequestMapping(value = "/home", method = RequestMethod.GET)
    public String listEmployees(ModelMap map) {
        return "home";
    }

    /**
     * Renders the logout view for GET /logout.
     *
     * NOTE(review): this handler only returns a view name; it does not invalidate the
     * session or clear the security context. Ending the session depends on the request
     * being handled by Spring Security's logout processing before it reaches this method.
     *
     * @param model model passed in by Spring MVC; not modified here
     * @return the logical view name "logout"
     */
    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(ModelMap model) {
        return "logout";
    }
}

Login.jsp (It is configured in the tiles.xml as a tiles definition)

<%-- Login view: a plain HTML form that submits the credentials and the CSRF token by POST. --%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>

<html>
    <body>
        <h1 id="banner">Login to Security Demo test</h1> 
        <%--
            NOTE(review): the action and the field names below (j_spring_security_check,
            j_username, j_password) are the Spring Security 3.x defaults. Spring Security 4.x
            defaults to POST /login with fields username and password unless the form-login
            element overrides them, so a post to this URL is not treated as a login attempt
            and is handled like any other protected request. The action value also has no
            leading slash, so the browser resolves it relative to the current page URL.
        --%>
        <form name="f" action="<c:url value='j_spring_security_check'/>"
                    method="POST">
            <table>
                <tr>
                    <td>Username:</td>
                    <td><input type='text' name='j_username' /></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type='password' name='j_password'></td>
                </tr>
                <tr>
                    <td colspan="2">&nbsp;</td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit">&nbsp;<input name="reset" type="reset"></td>
                </tr>
            </table>
            <%-- CSRF token expected by the security filter chain on every POST; keep it inside the form. --%>
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />

        </form>
    </body>
</html>
  1. When I enter the correct username and password, I am redirected back to the same page.
  2. I also noticed that the print statement ::::::::::Controller Login:::::::::: appears on the Eclipse console 6 times instead of once.

Is there any configuration I am missing?

gohil90
Karn Kumar
  • I had a similar problem with controllers being called numerous times a while back and I think it was to do with including spring-boot-devtools. If this is a part of your build, comment this dependency out and see if that solves the problem. – karen Feb 09 '18 at 13:46
  • @dur The `login-processing-url` param of the `form-login` element is not configured, so calling `/j_spring_security_check` (the default value) sounds OK to me – jlumietu Feb 12 '18 at 00:33
  • @dur Sorry, but you are not right. Even if the `spring-security` config XSD claims that, if you check the javadoc https://docs.spring.io/spring-security/site/docs/3.2.10.RELEASE/apidocs/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.html or the GitHub repo https://github.com/spring-projects/spring-security/blob/3.2.10.RELEASE/web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java you can see that `j_spring_security_check` was not changed to `login` until v4.x. So the key here is which version is being used – jlumietu Feb 12 '18 at 11:00
  • @dur Don't worry! The thing here is that even in online xsd's corresponding to versions 3.x the default url has been changed... whilst the code has not. In xsd's inner to config jars it is still `j_spring_security_check`, like in source code... That's a complete mess. – jlumietu Feb 12 '18 at 11:12
  • @jlumietu: I am using Spring 4.3.13.RELEASE and Spring Security 4.2.3.RELEASE. Am I doing anything wrong here? – Karn Kumar Feb 13 '18 at 09:50
  • See https://stackoverflow.com/questions/29554850/spring-security-4-custom-login-j-spring-security-check-return-http-302 – dur Feb 13 '18 at 10:20
  • This one handles more migration problems: https://stackoverflow.com/questions/34270778/spring-security-rest-basic-authentication – dur Feb 13 '18 at 10:23
  • Start changing form's `action` from `j_spring_security_check` to `login`. And have a look at @dur provided links – jlumietu Feb 13 '18 at 10:46
  • Thanks @jlumietu for your response. I changed my form action and the "j_*" parameters to the ones used in Spring 4. – Karn Kumar Mar 03 '18 at 05:56

0 Answers