Spring Boot和Spring Security inMemoryAuthentication不起作用

Question

I am trying to configure Spring boot with Spring security for an application.

However, inMemoryAuthentication() seems to be not working and for every user I have below error:

INFO 6964 --- [nio-8080-exec-6] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Fri Oct 16 19:09:41 IST 2015, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={message=Access is denied, type=org.springframework.security.access.AccessDeniedException}]

Below are the file configurations used:

SecurityConfig.java:

@Configuration
@EnableWebMvcSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {


    @Override
    public void configure( WebSecurity web ) throws Exception
    {
        //
        web
        .ignoring()
        .antMatchers( "/WEB-INF/jsp/**" );
    }

    @Autowired
    public void configureGlobal( AuthenticationManagerBuilder auth ) throws Exception
    {
          auth.inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");


    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http

            .authorizeRequests().antMatchers("/homepage**").hasRole("USER")
            .antMatchers("/index**").permitAll()
            .antMatchers("/login**").permitAll()

            .and()
            .formLogin()
            .loginPage( "/login" )
            .loginProcessingUrl( "/login" )
            .defaultSuccessUrl( "/index" );
        http.csrf().disable();

    }

Even application failed to login with given "user" and "password";

Spring boot version: 1.2.6
Editor: STS

With reference to Debug logs, inMemoryAuthencated user is showing as Anonymous user:

org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: **Principal: anonymousUser**; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: FB03A4C352FC0164A5A3F751E52A5421; **Granted Authorities: ROLE_ANONYMOUS**

Any insight?

Answer 1

if you replace your custom login process with the auto-generated login page:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/homepage**").hasRole("USER")
        .antMatchers("/index**").permitAll()
        .antMatchers("/login**").permitAll()
        .and()
        .formLogin();
        //.loginPage( "/login" )
        //.loginProcessingUrl( "/login" )
        //.defaultSuccessUrl( "/index" );
    http.csrf().disable();
}

does the error still occurs ? if not, it seems to be a problem with your custom login process.