Paul Croarkin

Reputation: 14675

Spring Security Not Working After Upgrading to 3.2.0.RC2

I just upgraded from Spring Security 3.2.0.RC1 to 3.2.0.RC2. Everything worked fine under RC1. Under RC2, my custom login page no longer works. The login page is just redisplayed after clicking the Login button. If invalid credentials (or no credentials) are submitted, it also redisplays without any error message. Before, it would correctly display an error message if the credentials were incorrect.

What is interesting is if I change from:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // @formatter:off

    httpSecurity
        .authorizeRequests()
            .antMatchers("/restricted/**").hasRole("admin")
            // all requests must be authenticated
            .anyRequest().authenticated()
    .and()
        .formLogin()
            .loginPage("/myLoginUrl.request")
            .failureUrl("/myLoginUrl.request?error")
            .permitAll()
    .and()
        .logout()
            .permitAll()
            .logoutSuccessUrl("/myLoginUrl.request")
    ;
    // @formatter:on
}

to:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    // @formatter:off

    httpSecurity
        .authorizeRequests()
            .antMatchers("/restricted/**").hasRole("admin")
            // all requests must be authenticated
            .anyRequest().authenticated()
    .and()
        .formLogin()
            .permitAll()
    .and()
        .logout()
            .permitAll()
            .logoutSuccessUrl("/myLoginUrl.request")
    ;
    // @formatter:on
}

The default Spring Security login page is displayed and works. I've looked at the source of the default page and compared it to my custom page and it seems to call the same action with fields with the same names.

If I step through the debugger, I find that in AntPathMatcher.java, public boolean matches(HttpServletRequest request):

String url = getRequestPath(request);

The url returned is "/error" when using my custom login page. getRequestPath() just returns request.getServletPath() appended to request.getPathInfo(). I'm not sure why upgrading to RC2 would cause this to return "/error".

Upvotes: 0

Views: 723

Answers (1)

Paul Croarkin

Reputation: 14675

There were three things that I changed that made this work.

1) Added a CSRF hidden field to the form:

<input type="hidden" name="${_csrf.parameterName}"
    value="${_csrf.token}" /> 

2) Capitalized POST for the form method:

<form action="login" method="POST">

3) Explicitly added loginProcessingUrl to the configuration:

.formLogin()
        .loginPage("/myLoginUrl.request")
        .loginProcessingUrl("/login")
        .failureUrl("/myLoginUrl.request?error")
        .permitAll()

Upvotes: 1
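The three changes in the answer above, pulled together into one complete configuration as an added example; this is not code from the question author or from the Spring Security project. Spring Security 3.2 Java configuration enables CSRF protection by default, and CsrfFilter sits in front of the form-login filter, so a POST to the login processing URL that carries no valid `_csrf` token is rejected with a 403 before any credentials are checked. The class name, the in-memory user and the JSP snippet in the trailing comment are illustrative assumptions; the URLs match the ones used in the question.

```java
// Added example, not the question author's code: Spring Security 3.2 Java
// config for a custom login page with CSRF protection left at its default
// (enabled). Class name and demo user are assumptions for illustration.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class CustomLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory user so the example runs on its own; a real deployment
        // uses a UserDetailsService backed by a store of hashed passwords.
        auth.inMemoryAuthentication()
            .withUser("admin").password("changeme").roles("admin");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF is already on by default in 3.2 Java config; spelling it out
            // makes the intent visible so nobody "fixes" the form by disabling it.
            .csrf()
        .and()
            .authorizeRequests()
                .antMatchers("/restricted/**").hasRole("admin")
                .anyRequest().authenticated()
        .and()
            .formLogin()
                .loginPage("/myLoginUrl.request")
                // The form must POST to exactly this URL. CsrfFilter runs before
                // UsernamePasswordAuthenticationFilter and answers a POST without
                // a valid token with 403, so authentication never executes.
                .loginProcessingUrl("/login")
                .failureUrl("/myLoginUrl.request?error")
                .usernameParameter("username")
                .passwordParameter("password")
                // permitAll() here covers the login page, the processing URL and
                // the failure URL; otherwise unauthenticated users loop on login.
                .permitAll()
        .and()
            .logout()
                .logoutSuccessUrl("/myLoginUrl.request")
                .permitAll();
    }
}

/* Matching JSP for /myLoginUrl.request (JSTL core taglib assumed for <c:if>).
   CsrfFilter stores the token as the "_csrf" request attribute on every
   request once CSRF protection is enabled; the hidden field carries it back.

<form action="${pageContext.request.contextPath}/login" method="POST">
    <c:if test="${param.error != null}">
        <p>Invalid username or password.</p>
    </c:if>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <label>Username <input type="text" name="username" /></label>
    <label>Password <input type="password" name="password" /></label>
    <button type="submit">Login</button>
</form>
*/
```

Two checks worth making after wiring this up: watch the response to the login POST in the browser's network panel (a 403 on `/login` means the token is missing or stale, not that the credentials are wrong), and remember that with CSRF enabled the logout endpoint also requires a POST with the token, so a plain `<a href="/logout">` link will stop working in the same way the login form did.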
