Robert

Reputation: 8693

Spring Security UserDetailsService not called

I'm upgrading from Spring Security 3.2.5 to 4.0.4, working with the migration guide.

My UserDetailsService looks like this:

package com.me.security;

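import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class Users implements UserDetailsService {
    public Users() {
        // Printed when Spring instantiates the bean
        System.err.println("USERS CONSTRUCTOR");
    }

    @Override
    public UserDetails loadUserByUsername(String name) {
        // Printed only if the authentication provider actually calls this service
        System.err.println("LOAD BY USER NAME " + name);
        throw new UsernameNotFoundException("User not found.");
    }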
}

My WEB-INF/applicationContext.xml has this:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <security:http disable-url-rewriting="true" use-expressions="false">
        <security:intercept-url pattern="/auth/**" access="ROLE_ANONYMOUS"/>
        <security:intercept-url pattern="/dashboard/**" access="ROLE_ADMIN,ROLE_USER"/>
        <!-- ...more intercept-urls... -->

        <security:access-denied-handler error-page="/pages/general/403.xhtml"/>

        <security:form-login login-page="/auth/login.html"
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            default-target-url="/dashboard/"
            authentication-failure-url="/auth/error.html"/>

        <security:logout logout-success-url="/auth/login.html"
            logout-url="/auth/login.html"
            delete-cookies="JSESSIONID"
            invalidate-session="true" />

        <security:session-management invalid-session-url="/auth/login.html"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref='userDetailsService'/>
    </security:authentication-manager>

    <bean id="userDetailsService" class="com.me.security.Users"/>
</beans>

When I try to log in, my code does not get called. I do see the message from the Users constructor in the server logs, but not the one from its loadUserByUsername method.

Instead, no matter what I enter for user name and password, I get to my 403 error page.

(Maybe I've been looking at this for too long already...)

Why doesn't Spring call my UserDetailsService and what do I need to get it to work?

Upvotes: 1

Views: 2236

Answers (1)

jlumietu

Reputation: 6444

It sounds like the CSRF filter. In Spring Security 4.x it is activated by default: Migrating from Spring Security 3.x to 4.x. This may be the problem if you are always getting an HTTP 403.

Try disabling it by setting this inside the security:http element:

<security:csrf disabled="true"/>

Upvotes: 5
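
To confirm that a 403 like the one in the question comes from the CSRF filter (which runs before the login filter, so the UserDetailsService is never reached) rather than from an intercept-url rule, the access-denied handler can log which case it is. This is an added example, not code from the question or the answer: the class name CsrfAwareAccessDeniedHandler is hypothetical, and it assumes Spring Security 4.x with the javax.servlet API and wiring through `<security:access-denied-handler ref="..."/>` in place of the error-page attribute.

```java
package com.me.security; // package taken from the question; the class name is hypothetical

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

/** Logs why a request was denied, then forwards to the 403 page as before. */
public class CsrfAwareAccessDeniedHandler implements AccessDeniedHandler {
    private static final Logger LOG =
            Logger.getLogger(CsrfAwareAccessDeniedHandler.class.getName());

    // Keeps the existing behaviour: forward to the error page from the question.
    private final AccessDeniedHandlerImpl delegate = new AccessDeniedHandlerImpl();

    public CsrfAwareAccessDeniedHandler() {
        delegate.setErrorPage("/pages/general/403.xhtml");
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException denied) throws IOException, ServletException {
        // Method and URI only; the token value itself is never logged.
        String where = request.getMethod() + " " + request.getRequestURI();
        if (denied instanceof MissingCsrfTokenException) {
            // CsrfFilter found no expected token stored for this session.
            LOG.warning("CSRF: no stored token for session, rejected " + where);
        } else if (denied instanceof CsrfException) {
            // InvalidCsrfTokenException: token absent from the request or not matching.
            LOG.warning("CSRF: token absent or mismatched, rejected " + where);
        } else {
            // Ordinary authorization failure (intercept-url access rules).
            LOG.info("Access denied by authorization rules: " + where);
        }
        delegate.handle(request, response, denied);
    }
}
```

If the log shows a CSRF rejection on the login POST, CSRF protection can stay enabled by having the login form submit the token as a hidden field named `${_csrf.parameterName}` with value `${_csrf.token}`, which requires the login page to be rendered server-side.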
