
I am new to Spring and Spring Security. I've managed to create a simple application that lets the user log in and log out. For testing purposes, I ran the server on my machine on port 8081. The authentication seems to work fine when I try to access the site through 127.0.0.1:8081, but it doesn't work when I try to access the site from localhost:8081.

The security configuration is as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Class name is assumed; the original post shows only the configure(...) override.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // CSRF protection is switched off for every endpoint, including POST /login;
                // keep it enabled outside of local testing.
                .csrf().disable()
                .authorizeRequests()
                    // static assets and the landing page are public
                    .antMatchers("/", "/css/**", "/js/**", "/images/**").permitAll()
                    // raw view files must only be reached via a controller forward, never directly
                    .antMatchers("/html/**", "/jsp/**").denyAll()
                    .antMatchers("/register").permitAll()
                    // everything else requires an authenticated session (JSESSIONID cookie)
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .permitAll()
                    .loginPage("/loginPage")
                    .loginProcessingUrl("/login")
                    .defaultSuccessUrl("/dashboard")
                    .and()
                .logout()
                    .logoutSuccessUrl("/")
                    .deleteCookies("JSESSIONID");
    }
}

Debug output for 127.0.0.1:8081 when hitting a POST request for login is as follows:

org.hibernate.SQL                        : select userdata0_.uid as uid1_0_, userdata0_.email as email2_0_, userdata0_.first_name as first_na3_0_, userdata0_.last_name as last_nam4_0_, userdata0_.password as password5_0_ from user_data userdata0_ where userdata0_.email=?
o.s.web.servlet.DispatcherServlet        : GET "/dashboard", parameters={}
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.server.VController#getDashboard()
o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, application/xhtml+xml, image/webp, image/apng, application/xml;q=0.9, application/signed-exchange;v=b3;q=0.9, */*;q=0.8]
o.s.w.servlet.view.InternalResourceView  : View name '/jsp/dashboard.jsp', model {}
o.s.w.servlet.view.InternalResourceView  : Forwarding to [/jsp/dashboard.jsp]
o.s.web.servlet.DispatcherServlet        : Completed 200 OK

But the debug output for localhost:8081 for the same request is:

org.hibernate.SQL                        : select userdata0_.uid as uid1_0_, userdata0_.email as email2_0_, userdata0_.first_name as first_na3_0_, userdata0_.last_name as last_nam4_0_, userdata0_.password as password5_0_ from user_data userdata0_ where userdata0_.email=?
o.s.web.servlet.DispatcherServlet        : GET "/loginPage", parameters={}
s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.server.VController#getLoginPage()
o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, application/xhtml+xml, image/webp, image/apng, application/xml;q=0.9, application/signed-exchange;v=b3;q=0.9, */*;q=0.8]
o.s.w.servlet.view.InternalResourceView  : View name '/html/loginpage.html', model {}
o.s.w.servlet.view.InternalResourceView  : Forwarding to [/html/loginpage.html]
o.s.web.servlet.DispatcherServlet        : "FORWARD" dispatch for GET "/html/loginpage.html", parameters={}
o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped to ResourceHttpRequestHandler ["classpath:/META-INF/resources/", "classpath:/resources/", "classpath:/static/", "classpath:/public/", "/"]
o.s.web.servlet.DispatcherServlet        : Exiting from "FORWARD" dispatch, status 200
o.s.web.servlet.DispatcherServlet        : Completed 200 OK

The request seems to loop back to the login page even if the credentials are correct. I cannot seem to figure out why this behaves so.

A related question here seems to mention the loopback address and localhost (there the issue is the other way round). But in my case, the problem is with authentication; unauthenticated pages seem to work fine.

Edit 1: Weirdly enough, the issue seems to occur only with Chrome. The authentication works fine in Firefox/Safari.

The request headers sent by Firefox are:

=== MimeHeaders ===
host = localhost:8081
user-agent = Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
accept = text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language = en-US,en;q=0.5
accept-encoding = gzip, deflate
content-type = application/x-www-form-urlencoded
content-length = 53
origin = http://localhost:8081
connection = keep-alive
referer = http://localhost:8081/loginPage
cookie = zscookcsr=dc59fe1e-35a8-4633-8fae-fb2ef0962a00; JSESSIONID=BB5487443E0CE64F4FE889C3BA51320A
upgrade-insecure-requests = 1

On the other hand, the request headers sent by Chrome are:

=== MimeHeaders ===
host = localhost:8081
connection = keep-alive
content-length = 53
cache-control = max-age=0
upgrade-insecure-requests = 1
origin = http://localhost:8081
content-type = application/x-www-form-urlencoded
user-agent = Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
accept = text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site = same-origin
sec-fetch-mode = navigate
sec-fetch-user = ?1
sec-fetch-dest = document
referer = http://localhost:8081/loginPage
accept-encoding = gzip, deflate, br
accept-language = en-US,en;q=0.9
cookie = ztcookcsr=e74ce2f0-b7d7-4f09-a1a7-0834c599e32d; Idea-7029dd45=276a767c-c715-4838-9756-45bea2bdafcc; Idea-407559eb=da31aa72-ff54-488a-b154-e909efb275c3

Before I try to clear cookies/data for the site, I would like to know why this behaves so.

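The following is an added example, not code from the question or from Spring Security itself. It models the question's HttpSecurity rules (permitAll paths, anyRequest().authenticated(), loginProcessingUrl("/login"), defaultSuccessUrl("/dashboard")) as a tiny in-memory server whose only notion of "authenticated" is a valid JSESSIONID cookie, then runs a valid POST /login through two clients: one that stores the Set-Cookie it receives and one that drops it. It also runs a diagnostic over the two Cookie headers quoted in the question. The credentials, the session-id format and the server logic are simplifications assumed here; the real filter chain (session creation, SecurityContext persistence, saved requests) is more involved, but the dependency on the session cookie is the same.

```python
# Added example (not from the question): model of cookie-backed form login,
# showing why a client that does not send JSESSIONID bounces back to the
# login page after a successful POST /login.
import secrets

SESSION_COOKIE = "JSESSIONID"
LOGIN_PAGE = "/loginPage"
LOGIN_PROCESSING_URL = "/login"
SUCCESS_URL = "/dashboard"
PERMIT_ALL = {"/", "/register", LOGIN_PAGE, LOGIN_PROCESSING_URL}

# Constructed credentials; the real app looks up a hashed password in user_data.
USERS = {"alice@example.com": "correct horse"}

# Cookie request headers copied from the question, for the diagnostic check.
FIREFOX_COOKIE = ("zscookcsr=dc59fe1e-35a8-4633-8fae-fb2ef0962a00; "
                  "JSESSIONID=BB5487443E0CE64F4FE889C3BA51320A")
CHROME_COOKIE = ("ztcookcsr=e74ce2f0-b7d7-4f09-a1a7-0834c599e32d; "
                 "Idea-7029dd45=276a767c-c715-4838-9756-45bea2bdafcc; "
                 "Idea-407559eb=da31aa72-ff54-488a-b154-e909efb275c3")


def parse_cookie_header(header):
    """Split a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def has_session_cookie(header):
    """True when the request would carry a Spring session identifier."""
    return SESSION_COOKIE in parse_cookie_header(header)


class Server:
    """Minimal stand-in for the question's HttpSecurity rules (assumed model)."""

    def __init__(self):
        self.sessions = {}  # JSESSIONID -> authenticated principal

    def handle(self, method, path, cookie_header, form=None):
        """Return (status, redirect_location_or_None, set_cookie_or_None)."""
        sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
        principal = self.sessions.get(sid)
        if method == "POST" and path == LOGIN_PROCESSING_URL:
            form = form or {}
            if USERS.get(form.get("username")) == form.get("password"):
                sid = secrets.token_hex(16)            # fresh session on success
                self.sessions[sid] = form["username"]
                return 302, SUCCESS_URL, f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly"
            return 302, LOGIN_PAGE + "?error", None
        if path in PERMIT_ALL:
            return 200, None, None
        if principal is None:                          # anyRequest().authenticated()
            return 302, LOGIN_PAGE, None
        return 200, None, None


class Browser:
    """Client that either keeps Set-Cookie values or silently drops them."""

    def __init__(self, stores_cookies=True):
        self.stores_cookies = stores_cookies
        self.jar = {}

    def cookie_header(self):
        return "; ".join(f"{k}={v}" for k, v in self.jar.items())

    def request(self, server, method, path, form=None):
        status, location, set_cookie = server.handle(method, path, self.cookie_header(), form)
        if set_cookie and self.stores_cookies:
            name, _, rest = set_cookie.partition("=")
            self.jar[name] = rest.split(";", 1)[0]    # keep value, drop attributes
        return status, location


def login_flow(stores_cookies):
    """POST valid credentials, follow redirects, return the paths visited."""
    server, browser = Server(), Browser(stores_cookies)
    trail = []
    status, location = browser.request(server, "POST", LOGIN_PROCESSING_URL,
                                       {"username": "alice@example.com",
                                        "password": "correct horse"})
    while status == 302:
        trail.append(location)
        status, location = browser.request(server, "GET", location)
    return trail


if __name__ == "__main__":
    print("cookie-keeping client:", login_flow(True))    # ['/dashboard']
    print("cookie-dropping client:", login_flow(False))  # ['/dashboard', '/loginPage']
    print("JSESSIONID in Firefox header:", has_session_cookie(FIREFOX_COOKIE))  # True
    print("JSESSIONID in Chrome header:", has_session_cookie(CHROME_COOKIE))    # False
```

The cookie-dropping client reproduces the second debug log: the credential lookup succeeds, the server answers with a redirect to /dashboard, but the follow-up GET arrives without a session cookie, is treated as anonymous and is sent to /loginPage. The same check on the headers quoted above shows that the Firefox request carries a JSESSIONID while the Chrome request carries several other cookies for localhost but no JSESSIONID at all, which is the first thing to compare when one browser loops on the login page and another does not.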