
Spring security - can not get to the login page

This is my spring security configuration class:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        DataSource dataSource;

        @Autowired
        public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication().dataSource(dataSource)
                    .usersByUsernameQuery(
                            "select nickname,password, true from client where nickname=?")
                    .authoritiesByUsernameQuery(
                            "select username, role from user_roles where username=?");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/*")
                    .access("hasRole('ROLE_USER')");
            http.formLogin()
                    .defaultSuccessUrl("/", true)
                    .loginPage("/login");
        }
    }

When I am trying to open my webpage I get this error:

The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies.

When I delete the configure method, everything works fine.

Can anyone tell me how I can solve this?

After

    .loginPage("/login")

you should add

    .permitAll();

Doing the above should fix your issues. As for why that was happening, it's because your loginPage requires the user to be authenticated, which causes Spring to redirect the user to the loginPage, and it loops from there. Firefox is just nice enough to stop the request when it detects that behavior.

I also suggest that you use .anyRequest() instead of .antMatchers("/*").

The final result should look like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest()
                .access("hasRole('ROLE_USER')")
            .and()
            .formLogin()
                .defaultSuccessUrl("/", true)
                .loginPage("/login")
                .permitAll();
    }

There is a configuration problem.

You have a pattern for intercept-url "/*" and 'ROLE_USER', which means that if a user is not authorized, they will be redirected to the login page.

The Application Context resolves the login page and finds out that the /login page matches the "/*" pattern, which should be intercepted and authenticated for ROLE_USER. A user without authentication, evidently, doesn't have ROLE_USER and is redirected to the /login page, and it starts all over again.

Allowing unauthorized users to access the login page should do the trick:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login")
                .permitAll()
                .antMatchers("/*")
                .access("hasRole('ROLE_USER')");
        http.formLogin()
                .defaultSuccessUrl("/", true)
                .loginPage("/login");
    }

Pay attention to the order. More specific filters should be written first, or they will be 'shadowed' by wider filters and ignored.

permitAll() could be applied to the login page directly, omitting the first matcher, as was already proposed:

    .loginPage("/login").permitAll();
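
The redirect loop and the rule-ordering point from both answers, as an added example that is not part of the original posts and not Spring Security's own code. It is a simplified first-match-wins model (Java 16+); the `Rule` record, the `anonymousGet` helper and the `/admin/users` path are constructed for illustration, and the model assumes a path matching no rule is left unrestricted.

```java
import java.util.*;

// Simplified model of ordered URL authorization rules (illustration only).
public class RedirectLoopDemo {

    // One rule: a path pattern and whether anonymous access is allowed.
    record Rule(String pattern, boolean permitAll) {
        boolean matches(String path) {
            // Simplified matcher: "/*" covers a single path segment only,
            // any other pattern is treated as an exact match.
            if (pattern.equals("/*")) {
                return path.startsWith("/") && path.indexOf('/', 1) < 0;
            }
            return pattern.equals(path);
        }
    }

    // Follows the redirects an anonymous browser would receive and reports the outcome.
    static String anonymousGet(List<Rule> rules, String path, String loginPage) {
        Set<String> visited = new HashSet<>();
        String current = path;
        while (visited.add(current)) {
            final String p = current;
            // The first matching rule decides; later rules are never consulted.
            Optional<Rule> rule = rules.stream().filter(r -> r.matches(p)).findFirst();
            // Model assumption: a path that matches no rule is not restricted.
            if (rule.isEmpty() || rule.get().permitAll()) return "200 " + current;
            current = loginPage; // anonymous user denied: redirect to the login page
        }
        return "REDIRECT LOOP at " + current;
    }

    public static void main(String[] args) {
        List<Rule> original = List.of(new Rule("/*", false));
        List<Rule> fixed = List.of(new Rule("/login", true), new Rule("/*", false));
        List<Rule> shadowed = List.of(new Rule("/*", false), new Rule("/login", true));

        System.out.println("original: " + anonymousGet(original, "/", "/login"));
        System.out.println("fixed:    " + anonymousGet(fixed, "/", "/login"));
        System.out.println("shadowed: " + anonymousGet(shadowed, "/", "/login"));
        // A nested path is not covered by "/*", which is the case .anyRequest() closes.
        System.out.println("nested:   " + anonymousGet(fixed, "/admin/users", "/login"));
    }
}
```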
