
Spring security login always 200

I try to log in to my REST server with Spring Security; the /login POST request always returns HTTP 200, even if a user with the inputted login does not exist.

    // Server side: UserDetailsService implementation
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        log.info(s);
        UserDetails result = usersRepository.findByUsername(s).orElseThrow(() -> new UsernameNotFoundException("User not found"));
        log.info(result.toString());
        return result;
    }

    // Client side: login request
    fetch("/login?username=" + this.state.username + "&password=" + this.state.password,
        {
            method: 'POST'
        }).then(resp => {
            if (resp.ok) {
                localStorage.setItem("user", this.state.username);
                this.props.history.push("/user");
            } else {
                this.showError(resp.statusText);
            }
        });

Your Spring Security AuthenticationProvider does not throw the required exception in the case of UsernameNotFound, and subsequently all your authentication requests are succeeding. First of all, the code should throw the required exceptions, and it should have an AuthenticationFailureHandler to handle those exceptions. For authentication success, there must be an AuthenticationSuccessHandler to show the user as logged in and redirect the user to their home page.
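A sketch of the handler setup the answer describes, added here as an example and not code from the question or the answer. It assumes Spring Security 5.7+ or 6.x, a hypothetical class name `RestLoginSecurityConfig`, and that the question's `UserDetailsService` and a `PasswordEncoder` are registered as beans. Form login redirects on success and failure by default, and `fetch` follows redirects, so the handlers below set the status code directly.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

// Added example: class name is hypothetical, not from the original page.
@Configuration
@EnableWebSecurity
public class RestLoginSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every endpoint except the login endpoint requires authentication.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form
                .loginProcessingUrl("/login")
                // AuthenticationSuccessHandler: answer 200 instead of
                // redirecting to a saved request or home page.
                .successHandler((request, response, authentication) ->
                    response.setStatus(HttpStatus.OK.value()))
                // AuthenticationFailureHandler: answer 401 instead of
                // redirecting to /login?error. The same empty response is
                // sent for an unknown user and a wrong password, so the
                // endpoint does not reveal which usernames exist.
                .failureHandler((request, response, exception) ->
                    response.setStatus(HttpStatus.UNAUTHORIZED.value()))
                .permitAll())
            // Unauthenticated calls to protected endpoints also get 401
            // rather than a redirect to a login page.
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        // CSRF protection stays at its default (enabled), so the client
        // must send the CSRF token with the POST to /login.
        return http.build();
    }
}
```

With this in place, the `resp.ok` check in the client code distinguishes a successful login (200) from a rejected one (401).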
