
I am new to Spring Security and I am trying to implement security for my Spring MVC application. The problem is that I am routed to my custom login page, and after entering valid credentials I am routed to the same login page again. Below are the configurations.

web.xml

 <?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
 <display-name>SpringTiles</display-name>
 <welcome-file-list>
 <welcome-file>index.jsp</welcome-file>
 </welcome-file-list>

 <servlet>
 <servlet-name>spring</servlet-name>
 <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
 <load-on-startup>1</load-on-startup>
 </servlet>
 <servlet-mapping>
 <servlet-name>spring</servlet-name>
 <url-pattern>/</url-pattern>
 </servlet-mapping>

 <listener>
 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>

 <context-param>
 <param-name>contextConfigLocation</param-name>
 <param-value>/WEB-INF/spring-security.xml
 </param-value>
 </context-param> 

 <filter>
 <filter-name>springSecurityFilterChain</filter-name>
 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
 <filter-name>springSecurityFilterChain</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>
 </web-app>

spring-security.xml

 <b:beans xmlns="http://www.springframework.org/schema/security"
 xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd ">

 <b:bean id="springSecurityFilterChain" class="org.springframework.web.filter.DelegatingFilterProxy" />

 <http pattern="/login" security="none" />

 <http use-expressions="true">
 <intercept-url pattern="/**" access="isAuthenticated()" />
 <form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/login" /> 
 <logout logout-url="/logout" logout-success-url="/welcome" />
 <csrf disabled="true"/>
 </http>

 <authentication-manager>
 <authentication-provider>
 <user-service>
 <user name="admin" password="admin" authorities="Admin,User" />
 </user-service>
 </authentication-provider>
 </authentication-manager>

 </b:beans>

If I specify only `<form-login/>` and remove `<http pattern="/login" security="none" />`, the application works fine. But I want to show my custom login page.

Login.jsp

 <form action="j_spring_security_check" method="POST" >
 <div class="form-group">
 <label for="exampleInputEmail1">User Name</label> 
 <input type="text" class="form-control" name="j_username" placeholder="Enter User Name" required="required">
 </div>

 <div class="form-group">
 <label for="exampleInputPassword1">Password</label> 
 <input type="password" class="form-control" name="j_password" placeholder="Password" required="required">
 </div>

 <button type="submit" style="width: 100%;background: #347AB6; font-size:1.1em;" class="btn btn-large btn btn-lg btn-block bg-primary" ><b>Login</b></button>
 </form>

 <font color="red">
 <span>${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}</span>
 </font>

Spring Framework version - 4.3.7.RELEASE And Spring Security version - 4.2.3.RELEASE

Please help me find what I am doing wrong.

Thank you.

Arjs
  • What do you specify and remove when your app works fine? – Ram Mar 06 '18 at 16:50
  • Go through this example http://www.baeldung.com/spring-security-login. it might help you. – Ram Mar 06 '18 at 16:56
  • @MAC your example really helped a lot. @dur thanks for the update, you're right, I used `login` instead of `j_spring_security_check`. – Arjs Mar 06 '18 at 20:07
  • Hello, I come with a similar problem. My login worked before, using /login instead of /j_spring_security_check, however for some reason it just started redirecting me to /login instead of actually calling the Spring Security login even though I made sure to set it to the Spring Security login when typing it out. This just leaves me with clicking the login button and being brought back to the login page. Do you have an idea why? – David Landup Mar 12 '18 at 18:09

1 Answer

I got to fix my issue with the help of the above link http://www.baeldung.com/spring-security-login

Here is my updated code

 <b:beans xmlns="http://www.springframework.org/schema/security"
 xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd ">

 <b:bean id="springSecurityFilterChain" class="org.springframework.web.filter.DelegatingFilterProxy" />

 <http use-expressions="true">
 <intercept-url pattern="/login*" access="isAnonymous()" />
 <intercept-url pattern="/**" access="isAuthenticated()"/>
 <form-login login-page="/login" default-target-url="/homepage" authentication-failure-url="/login" 
 always-use-default-target="true" /> 
 <logout logout-url="/logout" logout-success-url="/login" />
 <csrf disabled="true"/>
 </http>

 <authentication-manager>
 <authentication-provider>
 <user-service>
 <user name="admin" password="admin" authorities="Admin,User" />
 </user-service>
 </authentication-provider>
 </authentication-manager>

 </b:beans>

Since j_spring_security_check is deprecated, I have used `login` in my JSP action.

Arjs
  • I'm glad to help you, @Arjs. Cheers!!! If you want to dig out more, here is the official link which explains all about custom login page with Spring Security https://docs.spring.io/spring-security/site/docs/current/guides/html5/form-javaconfig.html. – Ram Mar 07 '18 at 03:15
  • @MAC I want to implement healthcheck where it should not expect to be authenticated, how to do that? Health check url is /healthcheck. I am just wondering how to modify intercept-url... please help – Arjs Apr 30 '18 at 18:16
  • Instead of asking a new question here, you should frame a new question and ask separately. You will definitely get a quick answer. – Ram Apr 30 '18 at 21:02
  • I found it.. we have to config separate http node as like below – Arjs May 01 '18 at 01:57
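
An added example, not code from the question, the answer or the Spring project: the answer's `<http>` block with the Spring Security 4 login defaults written out explicitly, CSRF protection left enabled, and a form that matches. The `/healthcheck` element is an assumption about how the separate `http` node mentioned in the last comment could look, and the form markup is trimmed from the question's Login.jsp.

```xml
<!-- spring-security.xml (fragment): Spring Security 4.x form login with the defaults spelled out -->

<!-- Assumption: /healthcheck needs no session or user, so it can skip the filter chain entirely.
     /login must NOT be declared this way: the credential POST has to pass through the chain
     so that the form-login filter can process it. -->
<http pattern="/healthcheck" security="none" />

<http use-expressions="true">
    <intercept-url pattern="/login*" access="isAnonymous()" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- login-processing-url, username-parameter and password-parameter are shown with their
         4.x default values so the JSP can be checked against them.
         In 3.x the defaults were /j_spring_security_check, j_username and j_password. -->
    <form-login login-page="/login"
                login-processing-url="/login"
                username-parameter="username"
                password-parameter="password"
                default-target-url="/homepage"
                always-use-default-target="true"
                authentication-failure-url="/login" />

    <!-- CSRF protection stays at its 4.x default (enabled) instead of <csrf disabled="true"/>.
         With it on, logout has to be a POST to /logout that carries the token. -->
    <logout logout-url="/logout" logout-success-url="/login" />
</http>

<!-- Login.jsp (fragment): action and field names match the <form-login> attributes above -->
<form action="login" method="POST">
    <input type="text" name="username" placeholder="Enter User Name" required="required" />
    <input type="password" name="password" placeholder="Password" required="required" />
    <!-- Hidden CSRF token; Spring Security exposes it as the _csrf request attribute -->
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button type="submit">Login</button>
</form>
```

A form that still posts `j_username` and `j_password` to `j_spring_security_check` under 4.x is never seen by the login filter, so the request falls through to the `/**` rule and is redirected back to the login page.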