
Spring security creates infinite loop of 301 and 302 redirects to login page

I have an application with Spring Boot 2.0.4.RELEASE, where some of the URLs are public and others require authentication. It works fine, but when I've checked it with this tool -> https://www.redirect-checker.org/ and check my homepage or any subpage, I get:

Result
https://www.myurl.com/
    302 
    https://www.myurl.com/index
    302 
    http://www.myurl.com/index
    301 Moved Permanently
    https://www.myurl.com/index
    302 
    https://www.myurl.com/index
    302 
    http://www.myurl.com/index
    301 Moved Permanently
    https://www.myurl.com/index
    302 
    https://www.myurl.com/index
    302 
    http://www.myurl.com/index
    301 Moved Permanently
    https://www.myurl.com/index

...

Here's my configuration:

import static org.springframework.http.HttpMethod.GET;
import static org.springframework.http.HttpMethod.POST;

@Configuration
@EnableWebSecurity
@EnableAutoConfiguration
@EnableScheduling
public class ApplicationConfig extends WebSecurityConfigurerAdapter {

    // GET requests to these paths do not require a login
    private static final String[] GET_PUBLIC_URLS = {
            "/",
            "/resources/**",
            ...
    };
    // POST requests to these paths do not require a login
    private static final String[] POST_PUBLIC_URLS = {
            "/password_reset",
            ...
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .cors().disable()
                .authorizeRequests()
                .antMatchers(GET, GET_PUBLIC_URLS).permitAll()
                .antMatchers(POST, POST_PUBLIC_URLS).permitAll()
                // everything not matched above requires an authenticated user
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .successHandler(new AuthenticationSuccessHandler() {
                    @Override
                    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
                        //do nothing
                    }
                })
                // custom login page; unauthenticated requests are redirected here
                .loginPage("/index")
                .usernameParameter("email")
                // defaultSuccessUrl installs its own success handler, replacing the one above
                .defaultSuccessUrl("/user_account", true)
                .and()
                .logout()
                .permitAll();
    }
    ...
}

I've also added these settings in application.config:

server.tomcat.protocol-header=x-forwarded-proto
server.use-forward-headers=true

In general that's all I could find on StackOverflow to solve my problem, but I'm still having the redirect problem. Am I missing something here?

OK, the configuration was not correct. Here's a good one:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .cors().disable()
            .authorizeRequests()
            .antMatchers(GET, GET_PUBLIC_URLS).anonymous()
            .antMatchers(POST, POST_PUBLIC_URLS).anonymous()
            .and()
            .formLogin()
            .loginPage("/index")
            .usernameParameter("email")
            .defaultSuccessUrl("/user_account", true)
            .and()
            .logout()
            .permitAll();
}

The problem was that public URLs are public for everyone, so .anyRequest().authenticated() was incorrect; it should be anonymous() in my case.
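Two things about the accepted self-answer matter from a security point of view, so here is an added configuration (not the asker's code) that fixes the loop without weakening the protection. First, a custom loginPage("/index") is not permitted automatically; if /index is not in the public list, an unauthenticated request to it is itself redirected to /index, which is the loop seen in the redirect checker (the http/https flips in between come from the reverse proxy). Granting the login page with formLogin().permitAll() removes the loop. Second, .anonymous() grants access only to users who are not logged in (it is equivalent to hasRole("ROLE_ANONYMOUS")), so a logged-in user would receive 403 on the homepage, and dropping .anyRequest().authenticated() leaves every URL not listed in the matchers unprotected. The URL lists below are constructed from the two entries visible in the question and are placeholders for the asker's real lists.

```java
import static org.springframework.http.HttpMethod.GET;
import static org.springframework.http.HttpMethod.POST;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ApplicationConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample lists (placeholders for the asker's real GET_PUBLIC_URLS / POST_PUBLIC_URLS)
    private static final String[] GET_PUBLIC_URLS = { "/", "/resources/**" };
    private static final String[] POST_PUBLIC_URLS = { "/password_reset" };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is left at its default (enabled): the login form must then
            // submit the _csrf token, which Spring's form tag libraries add automatically.
            .authorizeRequests()
                // permitAll(): reachable by anonymous AND authenticated users,
                // unlike anonymous(), which rejects logged-in users with 403
                .antMatchers(GET, GET_PUBLIC_URLS).permitAll()
                .antMatchers(POST, POST_PUBLIC_URLS).permitAll()
                // keep the catch-all: every URL not listed above still requires a login
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/index")
                // Grants /index, /index?error and the login-processing URL to everyone.
                // Without this, the redirect to the login page is itself redirected
                // to the login page, producing the 302 loop from the question.
                .permitAll()
                .usernameParameter("email")
                .defaultSuccessUrl("/user_account", true)
                .and()
            .logout()
                .permitAll();
    }
}
```

A quick check after deploying: an unauthenticated GET of a protected URL should return exactly one 302 to /index followed by a 200 for /index, and the same GET with a valid session should return 200 without any redirect; a logged-in GET of "/" must also return 200, which is where the anonymous() variant fails.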
