Reputation: 8431
I am manipulating an open source project in this repo. The file bank.sql
is the schema of the database in mysql. Here is the pom.xml
<!-- -->
I have a login form as below:
<form name="loginForm" class="form-login"
action="<c:url value="/j_spring_security_check" />" method="POST">
<h2>Please sign in</h2>
<c:if test="${not empty error}">
<div class="alert alert-danger">${error}</div>
<c:if test="${not empty msg}">
<div class="alert alert-info">${msg}</div>
<input type="text" class="form-control" placeholder="Username" name="username">
<input type="password" class="form-control" placeholder="Password" name="password" />
<button type="submit" class="btn btn-lg btn-primary btn-block" name="submit">Login</button>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
The file Spring-Security.xml
is as below:
<beans:beans xmlns=""
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/user**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
<intercept-url pattern="/change**" access="hasRole('ROLE_NEWUSER')" />
<access-denied-handler error-page="/403" />
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<beans:bean id="bankCustomAuthenticationSuccessHandler"
class="" />
<password-encoder hash="sha" />
<jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select u.username, a.authority from users u, authorities a where u.username = a.username and u.username =?" />
<beans:import resource="spring-datasource.xml" />
<beans:bean id="passwordEncoder" class="">
<beans:constructor-arg value="sha" />
And there is a bean to obtain the datasource to provide it for Authentication-manager
such as below:
<beans xmlns=""
<bean id="dataSource"
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/bank" />
<property name="username" value="root" />
<property name="password" value="" />
I am sure the MySQL Server is running on port 3306 well.
The correct credential is username:Tom
and password:Tom
but everytime I try to login with them it fails. I am wondering, what is wrong with my authentication process?
How can i fix it?
I guess, maybe the datasource bean is not created correctly, but i have no idea how to check it?
When i add the <http security="none" pattern="/login"/>
to my Spring-Security.xml
it complains with
HTTP Status 405 - Request method 'POST' not supported for (username, password) `(Tom, tom)`, which is not a valid credential. But for a valid credential like `(Tom,Tom)` is still navigates to the login page again.
but it happens
Upvotes: 2
Views: 1226
Reputation: 19
Your spring security config is right. The key for resolving this problem is understanding spring-security csrf protection strategy.More detail you can see [][1] source code.
Server side CSRF token repository is session based. It will generated when you first get request. Get request will not trigger CSRF validation, so it can pass.But if your client side token is wrong or empty server will prevent your any modify request(.eg POST,PUT,DELETE), response 403 state code.
Your error is caused by that your page is holding an old csrf token in the hidden input, and every login request is forwarded to an error page, so your client side csrf token can not be refreshed.
So simply, you can try refresh you login page and try login again.
Upvotes: 1
Reputation: 2984
You can do one change, try for and for Authentication-manager Authentication-manager
<security:authentication-manager alias="authManager">
<beans:bean id="daoAuthProvider"
<beans:property name="userDetailsService">
<beans:ref bean="userDetailsService" />
<beans:property name="passwordEncoder" ref="encoder"/>
<beans:bean id="userDetailsService"
<beans:property name="dataSource">
<beans:ref bean="coreDataSource" />
<beans:property name="usersByUsernameQuery">
SELECT username,password as password FROM userdetails WHERE
password != '' and username= ?
<beans:property name="authoritiesByUsernameQuery">
SELECT username,authority FROM authorities JOIN userdetails ON authorities.user_id = userdetails.user_id ..
WHERE userdetails.username= ? and
<security:http pattern="/admin/admin.jsp" security="none" />
<security:http pattern="/**/*.js" security="none" /> ..
<security:custom-filter ref="formAuthFilter"
<beans:bean id="formAuthFilter"
<beans:property name="authenticationManager" ref="authManager" />
<beans:property name="allowSessionCreation" value="true" />
<beans:property name="authenticationFailureHandler"
ref="authFailureHandler" /> <!-- define authFailureHandler -->
<beans:property name="authenticationSuccessHandler"
ref="authSuccessHandler" /><!-- define authSuccessHandler -->
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<!-- define userDAO, globalFilter-->
This is what exactly you are asking for. Please do not forget to accept the answer if you are satisfied or ask more if needed.
Upvotes: 1
Reputation: 11875
First of all, in Spring Security prior to version 4, default parameter names are j_username
and j_password
(like in the post you mentioned) and not username
In Spring Security 4, the default names are username
and password
, but the default URL to which UsernamePasswordAuthenticationFilter
binds is /login
and not /j_spring_security_check
So in all Spring Security versions, your URL and parameter names combination does not match the defaults.
Here is an example of how username-password authentication against a database may be configured: (for Spring Security 3.x)
Another example (much more short and simple), for Spring Security 4:
Basically, if you have a form-based authentication, it works like this:
and password as j_password
to /j_spring_security_check
processes submissions to /j_spring_security_check
URL. Once it gets a request (from login form), it extracts the parameters (username/password), packs them into UsernamePasswordAuthenticationToken
and feeds it to AuthenticationManager
for authentication.AuthenticationManager
checks access (JDBC can be used to check against a database, for example)Authentication
is constructed (which contains information about roles), saved, and AuthenticationSuccessHandler
is invoked; it gets that Authentication
resultUpvotes: 8