
SPRING SECURITY - ALWAYS MOVING TO authentication-failure-url

I am new to Spring Security and I am learning it by writing some sample code. The problem is that the security configuration always redirects me to the authentication-failure-url, and I can't understand what is wrong with the code.

here are the snippets

SecurityContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<!-- Web security rules for the application's HTTP requests. -->
<http auto-config="true">
    <!-- Only URLs matching /userhome** require ROLE_USER; this block sets no rule for any other path. -->
    <intercept-url pattern="/userhome**" access="ROLE_USER" />
    <!-- Form login: the page served at "/" has to submit the fields "username" and "password"
         to /login. Spring Security's username/password filter accepts only POST by default,
         so a GET to /login is handled as a failed attempt and ends at authentication-failure-url.
         After a successful login the user is always sent to /userhome. -->
    <form-login login-page="/"
        login-processing-url="/login"
        username-parameter="username"
        password-parameter="password" 
        default-target-url="/userhome" 
        authentication-failure-url="/login.do?error" 
        always-use-default-target="true"
         />

    <!-- After logout the browser is redirected to /login.do?logout. -->
    <logout logout-success-url="/login.do?logout" />





    <!-- Enable CSRF protection. With this on, the login POST (like every other
         state-changing request) has to carry the CSRF token or it is rejected.
         NOTE(review): confirm that the login form actually emits the token. -->
    <csrf />
</http>

<!-- In-memory user store for the sample: a single account with ROLE_USER.
     The password is kept in plaintext in this file and no password-encoder is
     configured in this block, which is acceptable for a throwaway demo only. -->
<authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="u" password="u" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
</authentication-manager>

Controller Class : UsersLoginController

import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

/**
 * MVC controller for the sample application: serves the login page (also used
 * as the target of the failure and logout redirects) and the user home page.
 *
 * <p>Authentication itself is not performed here; this class only renders views.
 */
@Controller
public class UsersLoginController {

    /**
     * Renders the login view for {@code GET /login.do}.
     *
     * @param error   present (possibly empty) when the request carries an {@code error}
     *                query parameter, as in {@code /login.do?error}; {@code null} otherwise
     * @param logout  present (possibly empty) when the request carries a {@code logout}
     *                query parameter; {@code null} otherwise
     * @param request the current request, read only for the debug output below
     * @return the {@code /index} view, with an {@code error} and/or {@code msg}
     *         model attribute when the matching parameter was present
     */
    @RequestMapping(value = "/login.do", method = RequestMethod.GET)
    public ModelAndView login(
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout,
            HttpServletRequest request) {

        // Debug output: writes the request's "username" parameter (if any) and the
        // error flag to stdout. NOTE(review): drop or move to a logger before real use.
        System.out.println(request.getParameter("username"));
        System.out.println(error);

        ModelAndView loginView = new ModelAndView("/index");

        // Both messages are fixed strings; nothing from the request is echoed to the page.
        boolean loginFailed = error != null;
        if (loginFailed) {
            loginView.addObject("error", "Invalid username and password!");
        }

        boolean loggedOut = logout != null;
        if (loggedOut) {
            loginView.addObject("msg", "You've been logged out successfully.");
        }

        return loginView;
    }

    /**
     * Renders the user home page for {@code GET /userhome}.
     *
     * @return the {@code /WEB-INF/jsp/LoginCheck/UserHome} view with an empty model
     */
    @RequestMapping(value = "/userhome", method = RequestMethod.GET)
    public ModelAndView userhome() {
        return new ModelAndView("/WEB-INF/jsp/LoginCheck/UserHome");
    }
}

index.jsp

<%-- Login page: posts the credentials form and shows the error / logout message set by the controller. --%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="core" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>

<%-- NOTE(review): method="GET" puts the username and password into the query string,
     where they can end up in browser history and server access logs. Spring Security's
     form-login filter also accepts only POST by default, so this submit is treated as a
     failed login and redirected to authentication-failure-url. --%>
<form:form action="./login" method="GET" >

<table align="Center">

<tr><td id="tdlogin">Email Address</td><td><input type=text name="username" id="username"/> </td></tr>
<%-- NOTE(review): type=text shows the password on screen as it is typed; type="password" masks it. --%>
<tr><td id="tdlogin">Password</td><td><input type=text name="password" id="password"/> </td></tr>

<tr><td></td><td><input type="checkbox" name="staySignIn" value="staySignIn"> Stay Sign In </td></tr>
<tr><td></td><td><input type="Submit" id="Submit" Value="SUMBIT"> </td></tr>

</table>

</form:form>

    <%-- EL in template text is not HTML-escaped. That is safe here only because the
         controller puts fixed strings into "error" and "msg"; use <core:out> if these
         values ever come from user input. --%>
    <core:if test="${not empty error}">
        <div class="error">${error}</div>
    </core:if>
    <core:if test="${not empty msg}">
        <div class="msg">${msg}</div>
    </core:if>

</body>
</html>

any suggestions regarding how to make things work would be appreciated.

thanks in advance.

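Your login-processing-url is /login, but the form on your login page uses GET instead of POST and goes to /login.do. Spring Security's login filter accepts only POST by default, so a GET to the processing URL is handled as a failed authentication. Correct this: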

<!-- The login form has to POST the "username" and "password" fields to
     login-processing-url (/login); a failed attempt is redirected to /login.do?error. -->
<form-login login-page="/"
        login-processing-url="/login"
        username-parameter="username"
        password-parameter="password" 
        default-target-url="/userhome" 
        authentication-failure-url="/login.do?error" 
        always-use-default-target="true"
         />

Login Form must also change

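<%-- Login form: POSTs the credentials to the login-processing-url (/login), so they travel
     in the request body instead of the query string.
     NOTE(review): the security config enables <csrf />, so this POST must carry the CSRF
     token. Whether <form:form> adds the hidden token field by itself depends on the
     Spring Security version and configuration; if it does not, add a hidden input named
     ${_csrf.parameterName} with the value ${_csrf.token} inside the form. --%>
<form:form action="/login" method="POST" >

<table align="Center">

<tr><td id="tdlogin">Email Address</td><td><input type=text name="username" id="username"/> </td></tr>
<%-- type="password" masks the value on screen as it is typed. --%>
<tr><td id="tdlogin">Password</td><td><input type="password" name="password" id="password"/> </td></tr>

<tr><td></td><td><input type="checkbox" name="staySignIn" value="staySignIn"> Stay Sign In </td></tr>
<tr><td></td><td><input type="Submit" id="Submit" Value="SUMBIT"> </td></tr>

</table>

</form:form>

    <%-- EL in template text is not HTML-escaped; keep "error" and "msg" to fixed,
         server-chosen strings, or render them through <core:out>. --%>
    <core:if test="${not empty error}">
        <div class="error">${error}</div>
    </core:if>
    <core:if test="${not empty msg}">
        <div class="msg">${msg}</div>
    </core:if>

</body>
</html>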

Are the username and password parameter names in the MVC config correct?

    username-parameter="username" password-parameter="password"

Here is a very good tutorial

http://www.journaldev.com/2736/spring-mvc-security-example-using-in-memory-userdetailsservice-and-jdbc-authentication
