Reputation: 171
I'm using the Spring 4 and trying to setup Spring Security to my application. I've never done it before, so I have no idea what I'm doing wrong.
In my pom.xml I;ve added Spring security like this:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
I've alse added it to web.xml file:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.context.WebApplicationContext.ROOT</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And I have also implemented spring-security.xml file:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http disable-url-rewriting="false">
<headers disabled="true"/>
<csrf disabled="true"/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_EMPLOYEE')"/>
<form-login login-page="/login"
default-target-url='/user'
always-use-default-target='true' />
<logout logout-url="/j_spring_security_logout"/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider>
<password-encoder ref="encoder"/>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select email,password, enabled from users where email=?"
authorities-by-username-query=
"select email, role from user_roles where email =? " />
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean>
In LoginController I have method:
@RequestMapping("/login")
public String login() {
return "login";
}
And last, there is my login.jsp file:
<c:url var="loginUrl" value="/j_spring_security_check" />
<form action="${loginUrl}" method="post">
<p>
<label for="j_username">User:</label>
</p>
<input type="text" id="j_username" name="j_username" />
<p>
<label for="j_password">Password:</label>
</p>
<input type="password" id="j_password" name="j_password">
<p>
<label for="_spring_security_remember_me">Remember Me</label>
</p>
<input type="checkbox" id="_spring_security_remember_me" name="_spring_security_remember_me" />
<div>
<input name="submit" type="submit" />
</div>
</form>
After loading login page and submitting correct email and password I still stay on a same page and nothing happens. Any ideas? From console I get this:
22:42:33.006 [tomcat-http--29] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: BDB553F099DA8716E7F821D89E5E51E8; Granted Authorities: ROLE_ANONYMOUS'
22:42:33.010 [tomcat-http--13] DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/project/resources/core/css/login.css]
22:42:33.010 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
22:42:33.012 [tomcat-http--13] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
22:42:33.013 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
22:42:33.013 [tomcat-http--13] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/project/login'
22:42:33.014 [tomcat-http--29] DEBUG o.s.security.web.FilterChainProxy - /resources/core/css/bootstrap.min.css at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
22:42:33.014 [tomcat-http--13] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
22:42:33.014 [tomcat-http--29] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/resources/core/css/bootstrap.min.css'; against '/login'
22:42:33.014 [tomcat-http--13] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
22:42:33.014 [tomcat-http--29] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /resources/core/css/bootstrap.min.css; Attributes: [hasRole('ROLE_EMPLOYEE')]
22:42:33.015 [tomcat-http--29] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9056f12c: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: BDB553F099DA8716E7F821D89E5E51E8; Granted Authorities: ROLE_ANONYMOUS
22:42:33.015 [tomcat-http--29] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7f10fd8, returned: -1
22:42:33.016 [tomcat-http--29] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
Upvotes: 1
Views: 535
Reputation: 48287
In Spring Security 4, the parameter names changed from j_username
and j_password
to username
and password
, respectively. So rename your html input variables.
Please don't disable CSRF protection! :) Add this to your forms:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Or use spring's <form:form>
forms
Upvotes: 3