spring-security force “http” authentication

Question

I can't log in using spring-security.

The error is (in Mozilla)

The connection was interrupted

The connection to 127.0.0.1:8180 was interrupted while the page was loading.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Recently I've added a service that will get users from database. before it always was ok, but now I'm stunned. Please show me where to dig.

the url where I get this error is:

https://localhost:8180/j_spring_security_check

spring-security.xml

<http auto-config="true">
    <http-basic/>
    <intercept-url pattern="/sec/moderation.html" access="ROLE_MODERATOR"/>
    <intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
    <intercept-url pattern="/treeview" access="ROLE_ADMIN"/>

    <form-login login-page="/login" default-target-url="/home" authentication-failure-url="/error"/>
    <logout logout-success-url="/home"/>
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="customUserDetailsService">
        <password-encoder hash="plaintext"></password-encoder>
    </authentication-provider>
</authentication-manager>

CustomUserDetailsService.java

    @Service
@Transactional(readOnly=true)
public class CustomUserDetailsService implements UserDetailsService {

@Autowired
private UserDao userDao;


@Override
public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {

    UserEntity domainUser = userDao.getUser(login);

    boolean enabled = true;
    boolean accountNonExpired = true;
    boolean credentialsNonExpired = true;
    boolean accountNonLocked = true;

    return new User(
            domainUser.getLogin(),
            domainUser.getPassword(),
            enabled,
            accountNonExpired,
            credentialsNonExpired,
            accountNonLocked,
            getAuthorities(domainUser.getRole())
    );
}

public Collection<? extends GrantedAuthority> getAuthorities(Integer role) {
    List<GrantedAuthority> authList = getGrantedAuthorities(getRoles(role));
    return authList;
}

public List<String> getRoles(Integer role) {

    List<String> roles = new ArrayList<String>();

    if (role.intValue() == 1) {
        roles.add("ROLE_MODERATOR");
        roles.add("ROLE_ADMIN");
    } else if (role.intValue() == 2) {
        roles.add("ROLE_MODERATOR");
    }
    return roles;
}

public static List<GrantedAuthority> getGrantedAuthorities(List<String> roles) {
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();

    for (String role : roles) {
        authorities.add(new SimpleGrantedAuthority(role));
    }
    return authorities;
}

}

Ia there an ability to disable https for /j_spring_security_check ?

Answer 1

The default login page generated by spring security does not use https, so I presume you use a custom page. The requirement for https must be in the <form action="..."> element of that page.