This is my spring security configuration class:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        DataSource dataSource;

        @Autowired
        public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication().dataSource(dataSource)
                .usersByUsernameQuery(
                    "select nickname,password, true from client where nickname=?")
                .authoritiesByUsernameQuery(
                    "select username, role from user_roles where username=?");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/*")
                .access("hasRole('ROLE_USER')");
            http.formLogin()
                .defaultSuccessUrl("/", true)
                .loginPage("/login");
        }
    }
When I am trying to open my webpage I get this error:
The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete. This problem can sometimes be caused by disabling or refusing to accept cookies.
When I delete the configure method, everything works fine.
Can anyone tell me how I can solve this?
After .loginPage("/login") you should add .permitAll();
Doing the above should fix your issues. As for why that was happening, it's because your loginPage requires the user to be authenticated, which causes Spring to redirect the user to the loginPage, and it loops from there. Firefox is just nice enough to stop the request when it detects that behavior.
I also suggest that you use .anyRequest() instead of .antMatchers("/*").
The final result should look like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest()
                .access("hasRole('ROLE_USER')")
                .and()
            .formLogin()
                .defaultSuccessUrl("/", true)
                .loginPage("/login")
                .permitAll();
    }
There is a configuration problem.
You have a pattern for intercept-url "/*" and ROLE_USER, which means that if a user is not authorized, they will be redirected to the login page.
Application Context resolves the login page and finds out that the /login page matches the "/*" pattern, which should be intercepted and authenticated for ROLE_USER. A user without authentication, evidently, doesn't have ROLE_USER and is redirected to the /login page, and so on all over again.
Allowing unauthorized users to access the login page should do the trick:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login")
            .permitAll()
            .antMatchers("/*")
            .access("hasRole('ROLE_USER')");
        http.formLogin()
            .defaultSuccessUrl("/", true)
            .loginPage("/login");
    }
Pay attention to the order. More specific filters should be written first, or they will be 'shadowed' by wider filters and ignored.
permitAll() could be applied to the login page directly, omitting the first matcher, as was already proposed:

    .loginPage("/login").permitAll();
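
The rule ordering and pattern scope that both answers describe, as an added example that is not part of the original posts: a simplified first-match-wins model built on Spring's AntPathMatcher. It assumes spring-core is on the classpath; the names MatcherOrderDemo, decide and rules and the sample paths are hypothetical, and this is not Spring Security's own evaluation code.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added illustration: a simplified model of ordered, first-match-wins URL rules.
public class MatcherOrderDemo {
    private static final AntPathMatcher ANT = new AntPathMatcher();

    // Returns the access expression of the first pattern that matches the path,
    // or "no rule" when no pattern matches at all.
    static String decide(Map<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (ANT.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "no rule";
    }

    // Builds an insertion-ordered rule set from (pattern, access) pairs.
    static Map<String, String> rules(String... patternThenAccess) {
        Map<String, String> ordered = new LinkedHashMap<>();
        for (int i = 0; i < patternThenAccess.length; i += 2) {
            ordered.put(patternThenAccess[i], patternThenAccess[i + 1]);
        }
        return ordered;
    }

    public static void main(String[] args) {
        String user = "hasRole('ROLE_USER')";
        // The question's rule set: /login itself falls under "/*".
        Map<String, String> looping = rules("/*", user);
        // The second answer's rule set: the specific matcher comes first.
        Map<String, String> fixed = rules("/login", "permitAll", "/*", user);
        // Same rules in the wrong order: the wide matcher shadows /login.
        Map<String, String> shadowed = rules("/*", user, "/login", "permitAll");

        // Constructed sample paths; /reports/2024 is a hypothetical nested URL.
        for (String path : new String[] {"/login", "/home", "/reports/2024"}) {
            System.out.printf("%-14s looping=%-20s fixed=%-20s shadowed=%s%n",
                    path, decide(looping, path), decide(fixed, path),
                    decide(shadowed, path));
        }
    }
}
```

In the looping and shadowed rule sets /login resolves to the ROLE_USER rule, which is the redirect loop; only the fixed ordering reaches permitAll. The nested path matches no rule in any of the three sets because "/*" covers a single path segment, so the role check never applies to it, whereas anyRequest() covers every path.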