
Spring Security login always redirecting to authentication failure URL

I am rather new to programming so please help me out a bit here.

I have configured Spring Security to fetch user details from the database and when I try to log in with the following accounts:

  • user1 - password1
  • admin - password1

The authentication fails as it always redirects me to home.jsp/OPS=999 which is my login page. The user record exists in the database but I cannot seem to log in.

This is my security config xml file.

 <http auto-config="true">
     <form-login login-page='/home.jsp?OPS=9999' default-target-url='/secure/user.jsp' always-use-default-target='true' />
     <logout logout-success-url="/home.jsp" logout-url="/j_spring_security_logout" />
 </http>

<authentication-provider>
    <jdbc-user-service data-source-ref="Application.DataSource2" users-by-username-query="select USERNAME, PASSWORD from USER where lower(USERNAME) = lower(?)"/>
</authentication-provider>

I am doing it without the authentication/authorities for now as the login is not working. What could be some of the possible reasons for the authentication failure? Could the database connection play a part? Please help me out.

Thank you in advance!

I suggest adding another intercept-url. It should look like this below:

<http auto-config="true" 
      use-expressions="true"
      disable-url-rewriting="true">

    <intercept-url pattern="/home.jsp**" access="isAnonymous()"/>
    <intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_OPERATOR')" />
    <intercept-url pattern="/secure/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <form-login login-page='/home.jsp?OPS=9999' default-target-url='/secure/user.jsp' always-use-default-target='true' />
    <logout logout-success-url="/home.jsp" logout-url="/j_spring_security_logout" />
</http>

Try setting the authentication provider on the authentication manager by creating a bean like:

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService" />
</authentication-manager>

<beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
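    <!-- Child elements need the beans: prefix because the default namespace here is the security schema. -->
    <!-- Users query returns username, password, enabled; authorities query returns username, authority. -->
    <beans:property name="usersByUsernameQuery" value="select USERNAME, PASSWORD, 1 from USER where lower(USERNAME) = lower(?)"/>
    <beans:property name="authoritiesByUsernameQuery" value="SELECT USERNAME, ROLE as authorities FROM USER u, USER_ROLE ur, ROLE r WHERE u.ID = ur.USER_ID AND ur.ROLE_ID = r.ID AND lower(USERNAME) = lower(?)" />
    <beans:property name="dataSource" ref="Application.DataSource2" />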
</beans:bean>

Realised that the users-by-username-query in the applicationContext-security xml file was missing an enabled column. Basically, Spring Security expects 3 columns from the statement and I was missing the enabled column.

So the correct SQL statement should be: "select USERNAME, PASSWORD, STATUS from USER where lower(USERNAME) = lower(?)"

The status column is of type boolean. (1=enabled, 0=disabled)

Hope it will help someone out there :)

Thanks for all the help everyone!
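
A pre-deployment check for the failure described in the last answer, added here as an example and not code from the thread or from Spring Security: it runs each configured query against a constructed SQLite schema and compares the column count with what JdbcDaoImpl's default row mappers read (three for users, two for authorities). The schema, the `check_queries` helper and the sample fragments are assumptions for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Columns read by JdbcDaoImpl's default row mappers:
# users -> (username, password, enabled); authorities -> (username, authority).
EXPECTED = {"users-by-username-query": 3, "authorities-by-username-query": 2}

# Constructed stand-in for the application's schema (assumption, not from the thread).
SCHEMA = """
CREATE TABLE USER (ID INTEGER PRIMARY KEY, USERNAME TEXT, PASSWORD TEXT, STATUS INTEGER);
CREATE TABLE ROLE (ID INTEGER PRIMARY KEY, ROLE TEXT);
CREATE TABLE USER_ROLE (USER_ID INTEGER, ROLE_ID INTEGER);
"""

# Constructed config fragments carrying the two users queries quoted in the thread.
BROKEN = """<authentication-provider>
  <jdbc-user-service data-source-ref="Application.DataSource2"
    users-by-username-query="select USERNAME, PASSWORD from USER where lower(USERNAME) = lower(?)"/>
</authentication-provider>"""
FIXED = BROKEN.replace("PASSWORD from", "PASSWORD, STATUS from")


def check_queries(config_xml, schema=SCHEMA):
    """Return (attribute, expected, actual) for each query with the wrong column count."""
    db = sqlite3.connect(":memory:")
    db.executescript(schema)
    problems = []
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "jdbc-user-service":
            continue
        for attr, expected in EXPECTED.items():
            sql = el.get(attr)
            if sql is None:
                continue  # attribute absent: Spring Security uses its default query
            actual = len(db.execute(sql, ("probe",)).description)
            if actual != expected:
                problems.append((attr, expected, actual))
    db.close()
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_queries(cfg) or "ok")
```

A two-column users query is reported as `('users-by-username-query', 3, 2)`, which is the mismatch that sends every login to the failure URL regardless of the password entered.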
