I've set up a Spring Boot app using the Spring Security and Spring Web dependencies. For this example I use inMemoryAuthentication(). I set up 3 HTML pages and placed them in the static folder (I'm not using Thymeleaf or JSP pages, just plain HTML).
When I use the default formLogin() and run the app, I get the default login page of Spring Security; once I type the user and password I'm able to get the destined page dash.html as expected.
When I use a customized formLogin() and run the app, I get status 403, type Forbidden:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Dec 12 10:10:14 IST 2019 There was an unexpected error (type=Forbidden, status=403).
Forbidden
I searched on StackOverflow and also in the link below, but didn't see any solution (the link uses Thymeleaf, whereas I'm using HTML pages placed in the resources/static folder).
Did someone else have this issue?
Please Advise,
Regards, Shalem
Related Data and Code:
I setup Spring Security code as follows:
package com.rc1.conig;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("shalem")
            .password(passwordEncoder().encode("12"))
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/dash/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/mylogin")
                .permitAll();
    }
}

- Controllers Code:
package com.rc1.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class DashController {

    @RequestMapping("/dash")
    public String getDashboard() {
        return "dash.html";
    }
}

package com.rc1.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {

    @RequestMapping("/mylogin")
    public String getLogin() {
        return "login-page.html";
    }
}

* HTML Pages:
<!-- index.html page -->
<!DOCTYPE html>
<html>
<head>
    <meta charset="windows-1255">
    <title>Home</title>
</head>
<body>
    <h1>Home Page</h1>
    <h3>
        <a href="http://localhost:8080/dash">dashboard</a>
    </h3>
</body>
</html>

<!-- Customized login-page.html -->
<!DOCTYPE html>
<html>
<head>
    <meta charset="windows-1255">
    <title>mylogin</title>
</head>
<body>
    <form action="http://localhost:8080/mylogin" method="post">
        <p>
            user: <input type="text" name="user">
        </p>
        <p>
            pass :<input type="password" name="password">
        </p>
        <button type="submit">login</button>
    </form>
</body>
</html>

<!-- dash.html page -->
<!DOCTYPE html>
<html>
<head>
    <meta charset="windows-1255">
    <title>Insert title here</title>
</head>
<body>
    <h1>dashboard receieved</h1>
</body>
</html>

If you want to use a custom login page, then you should specify where the username and password are submitted to. So, just change this:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/dash/**").authenticated()
            .and()
        .formLogin()
            .loginPage("/mylogin")
            .loginProcessingUrl("/perform_login")
            .defaultSuccessUrl("/homepage")
            .permitAll();
}

After that, when any anonymous user hits an authenticated URL, they are redirected to
/mylogin
After that, the user enters a username and password, and that username and password are submitted to
/perform_login
If the credentials are valid, the user is redirected to
/homepage
otherwise they go back to
/mylogin
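
An added example, not code from the question or the answer: a full security configuration for the static login form shown in the question, assuming Spring Security 5.x with `WebSecurityConfigurerAdapter`. Spring Security's CSRF protection is enabled by default and answers a POST that carries no token with 403, so this version exposes the token in a cookie for the plain HTML page; the class name, the `/dash` success URL, the `/dash.html` matcher and the hidden `_csrf` form field are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; it takes the place of the question's SecurityConfig.
@Configuration
@EnableWebSecurity
public class StaticLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("shalem").password(passwordEncoder().encode("12")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                // "/dash/**" does not match the static file itself, so list it too.
                .antMatchers("/dash/**", "/dash.html").authenticated()
                .and()
            .formLogin()
                .loginPage("/mylogin")                 // GET: serves login-page.html
                .loginProcessingUrl("/perform_login")  // POST: the form's action
                // The form names its fields "user" and "password"; the default is "username".
                .usernameParameter("user")
                .passwordParameter("password")
                .defaultSuccessUrl("/dash")
                .permitAll()
                .and()
            .csrf()
                // Token goes into the XSRF-TOKEN cookie, readable by script on the page,
                // which must send it back as a hidden "_csrf" field (or X-XSRF-TOKEN header).
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this configuration the static form posts `user`, `password` and `_csrf` to `/perform_login`; a POST without a valid token is still rejected with 403.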