Spring security eating angularjs POST request

While using spring security custom login form, the parameters I passed from UI aren't accessible in HttpServletRequest.

class StatelessLoginFilter extends AbstractAuthenticationProcessingFilter {

    private final TokenAuthenticationService tokenAuthenticationService;
    private final CustomJDBCDaoImpl userDetailsService;

    protected StatelessLoginFilter(String urlMapping, TokenAuthenticationService tokenAuthenticationService,
            CustomJDBCDaoImpl userDetailsService, AuthenticationManager authManager) {
        super(new AntPathRequestMatcher(urlMapping));
        this.userDetailsService = userDetailsService;
        this.tokenAuthenticationService = tokenAuthenticationService;

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {

                final UsernamePasswordAuthenticationToken loginToken = new UsernamePasswordAuthenticationToken(
                request.getAttribute("email").toString(), request.getAttribute("password").toString());
        return getAuthenticationManager().authenticate(loginToken);

    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authentication) throws IOException, ServletException {

        final UserDetails authenticatedUser = userDetailsService.loadUserByUsername(authentication.getName());
        final UserAuthentication userAuthentication = new UserAuthentication(authenticatedUser);

        tokenAuthenticationService.addAuthentication(response, userAuthentication);

In AttemptAuthentication method request is not taking attributes I passed from the POST request using following code:

 var request = $http.post('/verifyUser', 
       {email: 'user', password: 'user',_csrf: $cookies['XSRF-TOKEN']})

I tried to track it using debugger console and found the payload populate with the elements I forwarded.


My security configuration is:


                //allow anonymous resource requests
                //allow anonymous POSTs to login
                .antMatchers(HttpMethod.POST, "/verifyUser").permitAll()

                .addFilterBefore(new StatelessLoginFilter("/verifyUser", new TokenAuthenticationService("456abc"), new CustomJDBCDaoImpl() , authenticationManager()), UsernamePasswordAuthenticationFilter.class)

                .addFilterBefore(new StatelessAuthenticationFilter(new TokenAuthenticationService("456abc")), UsernamePasswordAuthenticationFilter.class).httpBasic()
                         .and().csrf().disable().addFilterBefore(new CSRFFilter(), CsrfFilter.class);

EDIT # 1

I have also tried to use getParameter("email") instead of getAttribute("email") but, whole parameters map was empty at this point as well.

EDIT # 2: Adding request content

Remote Address:
Request URL:http://localhost/api/verifyUser/
Request Method:POST
Status Code:502 Bad Gateway
Response Headers
Date:Sun, 11 Oct 2015 17:23:24 GMT
Server:nginx/1.6.2 (Ubuntu)
Request Headers
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Form Data
The email and password data that you want are parameters, not attributes. Attributes in the ServletRequest are server-side only data that you can use in your application to pass data around between classes or to JSPs.

Note: You have to use the content type application/x-www-form-urlencoded and make sure that the request body is encoded in the correct format to use getParameter on the server side, eg email=user&password=user .

By default Angular will encode an object as JSON

Transforming Requests and Responses

Angular provides the following default transformations:

Request transformations ($httpProvider.defaults.transformRequest and $http.defaults.transformRequest):

If the data property of the request configuration object contains an object, serialize it into JSON format.

Also see How do I POST urlencoded form data with $http in AngularJS?

Difference between getAttribute() and getParameter()

