Reputation: 65
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Resource(name = "userService")
private UserDetailsService userDetailsService;
private JwtAuthenticationEntryPoint unauthorizedHandler;
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
public void globalUserDetails(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception {
.usersByUsernameQuery("select login as principal, mot_de_passe as credentials, flag_compte_actif as enabled from utilisateur where login = ?")
.authoritiesByUsernameQuery("SELECT utilisateur.login as principal, profil.designation as role FROM utilisateur INNER JOIN user_profil ON utilisateur.id_user = user_profil.iduserpk INNER JOIN profil ON user_profil.idprofilpk = profil.id_profil WHERE utilisateur.login = ? ")
public JwtAuthenticationFilter authenticationTokenFilterBean() throws Exception {
return new JwtAuthenticationFilter();
protected void configure(HttpSecurity http) throws Exception {
System.out.println("Akal configure method begin");
//http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
System.out.println("Akal configure method");
.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class);
// @Bean
// public BCryptPasswordEncoder passwordEncoder(){
// return new BCryptPasswordEncoder();
// }
public static NoOpPasswordEncoder passwordEncoder() {
return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
public class AuthenticationController {
private AuthenticationManager authenticationManager;
private JwtTokenUtil jwtTokenUtil;
private UtilisateurRepository userRepo;
@PostMapping(value = "/token/generate")
public ResponseEntity<?> register(@RequestBody LoginUser loginUser) throws AuthenticationException {
System.out.println("We're in man!");
final Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
System.out.println("(Username, Password): (" + loginUser.getUsername() + ", " + loginUser.getPassword() + ")");
final Utilisateur user = userRepo.findByLogin(loginUser.getUsername());
final String token = jwtTokenUtil.generateToken(user);
System.out.println("Token Controller Access=> Token Generated: " + token);
return ResponseEntity.ok(new AuthToken(token));
public class AuthToken {
private String token;
public AuthToken(){
public AuthToken(String token){
this.token = token;
public String getToken() {
return token;
public void setToken(String token) {
this.token = token;
public class CorsFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
System.out.println("Filtering on...........................................................");
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
//response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization, Origin, Accept, Access-Control-Request-Method, Access-Control-Request-Headers");
chain.doFilter(req, res);
public void init(FilterConfig filterConfig) {}
public void destroy() {}
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {
public void commence(HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException) throws IOException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
public class JwtAuthenticationFilter extends OncePerRequestFilter {
private UserDetailsService userDetailsService;
private JwtTokenUtil jwtTokenUtil;
protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws IOException, ServletException {
String header = req.getHeader("Authorization");
String username = null;
String authToken = null;
if (header != null && header.startsWith("Bearer ")) {
authToken = header.replace("Bearer ","");
try {
username = jwtTokenUtil.getUsernameFromToken(authToken);
} catch (IllegalArgumentException e) {
logger.error("an error occured during getting username from token", e);
} catch (ExpiredJwtException e) {
logger.warn("the token is expired and not valid anymore", e);
} catch(SignatureException e){
logger.error("Authentication Failed. Username or Password not valid.");
} else {
logger.warn("couldn't find bearer string, will ignore the header");
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(authToken, userDetails)) {
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));"authenticated user " + username + ", setting security context");
chain.doFilter(req, res);
public class JwtTokenUtil implements Serializable {
static final long EXPIRATIONTIME = 864_000_000; // 10 days
static final String SECRET = "secret";
static final String TOKEN_PREFIX = "Bearer";
static final String HEADER_STRING = "Authorization";
public String getUsernameFromToken(String token) {
return getClaimFromToken(token, Claims::getSubject);
public Date getExpirationDateFromToken(String token) {
return getClaimFromToken(token, Claims::getExpiration);
public <T> T getClaimFromToken(String token, Function<Claims, T> claimsResolver) {
final Claims claims = getAllClaimsFromToken(token);
return claimsResolver.apply(claims);
private Claims getAllClaimsFromToken(String token) {
return Jwts.parser()
private Boolean isTokenExpired(String token) {
final Date expiration = getExpirationDateFromToken(token);
return expiration.before(new Date());
public String generateToken(Utilisateur user) {
return doGenerateToken(user.getLogin());
private String doGenerateToken(String subject) {
Claims claims =;
claims.put("scopes", Arrays.asList(new SimpleGrantedAuthority("ROLE_Administrateur")));
return Jwts.builder()
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME))
.signWith(SignatureAlgorithm.HS256, SECRET)
public Boolean validateToken(String token, UserDetails userDetails) {
final String username = getUsernameFromToken(token);
return (
&& !isTokenExpired(token));
public class LoginUser {
private String username;
private String password;
public String getUsername() {
return username;
public void setUsername(String username) {
this.username = username;
public String getPassword() {
return password;
public void setPassword(String password) {
this.password = password;
I only posted these 2 classes, because honestly I have 8 configuration classes, it's gonna be a pain to read! And it's custom JWT code too, but if it's necessary to post it all, let me know.
Other than that, I just cannot identify the problem! Spring console doesn't show any errors whatsoever and when I try to request from Postman, here the outcome: result
And when I run the request from the browser, it doesn't say 401, it just says bad credentials even though they're correct and I tried with dozens of users too to make sure
Thank you!
Update: I posted the rest of the classes because the problem might not be related to just these 2
Upvotes: 5
Views: 13238
Reputation: 81
In Spring Security 5, if you are using auth.inMemoryAuthentication()
, you won't be able to use BCryptPasswordEncoder
or StandardPasswordEncoder
. You must use your own UserDetailsService
in order to get a user and password. Or if you need to test your code, just return NoOpPasswordEncoder.getInstance()
in your passwordEncoder()
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private AccountService accountService; //your own implementation of UserDetailsService
public void configure(AuthenticationManagerBuilder auth) throws Exception {
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
public class AccountService implements UserDetailsService {
private AccountRepository accountRepository; //Your database repository
private PasswordEncoder passwordEncoder;
protected void initialize() {
save(new Account("user", "demo", "ROLE_USER"));
save(new Account("admin", "admin", "ROLE_ADMIN"));
public Account save(Account account) {
return account;
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Account account = accountRepository.findOneByEmail(username);
if(account == null) {
throw new UsernameNotFoundException("user not found");
return createUser(account);
public void signin(Account account) {
private Authentication authenticate(Account account) {
return new UsernamePasswordAuthenticationToken(createUser(account), null, Collections.singleton(createAuthority(account)));
private User createUser(Account account) {
return new User(account.getEmail(), account.getPassword(), Collections.singleton(createAuthority(account)));
private GrantedAuthority createAuthority(Account account) {
return new SimpleGrantedAuthority(account.getRole());
@Table(name = "account")
public class Account implements {
private Long id;
@Column(unique = true)
private String email;
private String password;
private String role = "ROLE_USER";
private Instant created;
protected Account() {
public Account(String email, String password, String role) { = email;
this.password = password;
this.role = role;
this.created =;
public Long getId() {
return id;
public String getEmail() {
return email;
public void setEmail(String email) { = email;
public String getPassword() {
return password;
public void setPassword(String password) {
this.password = password;
public String getRole() {
return role;
public void setRole(String role) {
this.role = role;
public Instant getCreated() {
return created;
Upvotes: 2
Reputation: 1
You are not using PasswordEncoder
in your globalUserDetails()
method. Spring security by default take encoded password. Your code should be like.
public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
You are using do not need dataSource
because you are using inMemoryAuthenticatin()
Upvotes: 0