I cannot login using Spring Security

Question

I am having troubles when trying to log in my application using Spring Security, no matter what I do it always redirects me to the JSP I use for non-authorized access.

On the configuration of security-config.xml I tried hasRole('ROLE_USER') and permitAll and none of them worked either.

security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">
    <http>
        <intercept-url pattern="/user/**" access="hasAnyRole('ROLE_USER') />
        <form-login login-page="/customLogin.jsp"
            login-processing-url="/appLogin" 
            username-parameter="app_username"
            password-parameter="app_password" 
            default-target-url="/user/home" />
        <logout 
            logout-url="/appLogout"
            logout-success-url="/customLogin.jsp" />
        <access-denied-handler error-page="/user/error" />
    </http>
    <beans:bean name="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
    <beans:bean name="myAppUserDetailsService"
        class="com.prh.tracking.services.impl.UserDetailsServiceImpl" />
    <beans:bean name="userService"
        class="com.prh.tracking.services.impl.UserServiceImpl" />
    <authentication-manager>
        <authentication-provider
            user-service-ref="myAppUserDetailsService">
            <password-encoder ref="bcryptEncoder" />
        </authentication-provider>
    </authentication-manager>
    <global-method-security
        secured-annotations="enabled" />
</beans:beans>

UserController.java

@Controller
@RequestMapping("/user")
public class UserController {

    @Autowired
    private UserService userService;

    @RequestMapping(value="/home")
    public String home(ModelMap model, Authentication authentication) {

        authentication.getPrincipal();
        model.addAttribute("user", userService.getUser(authentication.getName()));

        return "user-info";
    }
    @RequestMapping(value="/error")
    public String error() {
        return "access-denied";
    }
}

UserDetailsServiceImpl.java

@Service
public class UserDetailsServiceImpl implements UserDetailsService{

    @Autowired
    private UserDAO userDAO;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserEntity user = userDAO.getUser(username);

        GrantedAuthority authority = new SimpleGrantedAuthority(user.getRole());
        UserDetails userDetails = (UserDetails)new User(user.getName(), user.getPassword(), Arrays.asList(authority));

        return userDetails;
    }

}

This is what I have in my Database:

Answer 1

When you set access to permitAll , you should not be even asked for credential and UserDetailsServiceImpl would not be consulted at all.

You may need to enable web security expressions like this: <http use-expressions="true">

See https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html#el-access-web