Maroš Šeleng

Reputation: 1640

Understanding Spring redirects

I encountered a small problem in my Spring application. I am using Spring Security to handle logins and logouts, and it works fine. My question, however, is about redirects in Spring. By default, Spring Security is configured so that after a successful logout it redirects the user to /login?logout, which works totally fine; the same goes for /login?error.

I am trying to implement a simple "Enter your email here to reset your password". The page resides at /resetPassword. Here is the relevant part of the template:

<form name="f" th:action="@{/resetPassword}" method="post" id="needs-validation" novalidate>
    <div class="form-group">
        <label for="email">Login email</label>
        <input type="email" id="email" name="email" class="form-control" required/>
    </div>
    <div class="form-actions">
        <button type="submit" class="btn btn-primary btn-block">Reset password</button>
    </div>
</form>

And my method that handles that looks like this:

@PostMapping("/resetPassword")
fun resetPasswordForEmail(@RequestParam("email") email: String): String {
    userFacade.resetPassword(email)
    return "redirect:/login?reset"
}

The method gets called and everything is fine, but in the browser I am not redirected to /login?reset; I am redirected even further, more specifically back to /login. I can see that in the developer tools in Chrome.

However, I do not know why that's happening. I also tried with RedirectAttributes and with returning a RedirectView, but I get the same result every time.

Can anyone give me something to catch?

Upvotes: 0

Views: 35

Answers (1)

ivan.rosina

Reputation: 408

You're not logged in, so Spring Security redirects you to the login. You must configure it with ROLE_ANONYMOUS to allow access to the resetpassword page.

Upvotes: 1
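An added example (not part of the original question or answer) of a security configuration that lets a user who is not logged in reach both the reset endpoint and the redirect target. It assumes Spring Security 6 with the lambda DSL and a custom login page served by the application at /login; the class name SecurityConfig is hypothetical.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

// Hypothetical configuration class; paths are the ones used in the question.
@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .authorizeHttpRequests { auth ->
                auth
                    // Path rules ignore the query string, so this covers
                    // /login, /login?error, /login?logout and /login?reset.
                    // permitAll() admits the anonymous user (ROLE_ANONYMOUS)
                    // as well as users who are already logged in.
                    .requestMatchers("/login", "/resetPassword").permitAll()
                    // Everything else still requires a logged-in user.
                    .anyRequest().authenticated()
            }
            // Assumption: the application renders its own page at /login.
            .formLogin { form -> form.loginPage("/login").permitAll() }
            .logout(Customizer.withDefaults())
        // CSRF protection stays enabled; the Thymeleaf th:action form in the
        // question includes the token in the POST automatically.
        return http.build()
    }
}
```

Keep the permitted list limited to the pages an anonymous user genuinely needs; any path added there is reachable without authentication.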
