Reputation: 5175
I have a Spring Boot (1.5.6) with Spring Security (4.2) with ThymeLeaf application that allows a user to reset their password. All html pages are in src/resources/templates. The basic flow is:
The new password is POSTed to the service, where it is persisted and handled by this code:
    @RequestMapping(value = "/user/savePassword", method = RequestMethod.POST)
    public String savePassword(Locale locale, @RequestParam("username") String username,
                               @RequestParam("password") String password, Model model) {
        // logic goes here ...
        return "login";  // renders templates/login.html directly, no redirect
    }
At this point everything has worked as desired. The db has been updated, no errors in the console log.
The user is prompted with the login page (although the browser bar says "savePassword") to log in. The username and new password are provided and the server returns a 403. There is no error in the console; the only indication that something went wrong is Chrome Developer Tools showing a 403 from the login POST. The default error page is shown.
If I navigate to the home & then login page, I can authenticate with the newly changed credentials.
I do not see where the error is coming from or why. I have tried running via "java -jar" and with the IDE debugger with debug comments turned on. No errors or messages at all are generated. There is no session, the user had not authenticated, so why would a 403 be thrown (assuming via Spring Security)?
Upvotes: 0
Views: 1461
Reputation: 591
Upvotes: -1
Reputation: 5175
I finally tracked this down. Because the logs were free of any information, I figured it was Spring Security framework doing the work. I updated the security configuration to disable CSRF for the /login page. Now it works as desired.
Upvotes: 0
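The page does not say what produced the 403, only that the login works when the login page is reached normally. The following is an added example, not the asker's code, showing the Spring Security Java config with the accepted fix (exempting POST /login from the CSRF check) written out beside the variant that keeps the token check on the login POST and instead redirects to /login after the password is saved, so the login form is rendered by a GET the way the working path on the page does. It assumes a login page at /login, a Thymeleaf form using th:action, and treats the controller body and the ?reset parameter as placeholders.

```java
// SecurityConfig.java  (Spring Boot 1.5 / Spring Security 4.2 Java config)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // password-reset endpoint and login page are reachable without a session
                .antMatchers("/user/savePassword", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")           // GET /login renders templates/login.html
                .loginProcessingUrl("/login")  // POST /login is consumed by Spring Security
                .permitAll()
                .and()
            .csrf();   // CSRF stays enabled everywhere, including the login POST
        // What the accepted fix does instead (exempts POST /login from the token check):
        //     http.csrf().ignoringAntMatchers("/login");
        // That removes the 403, but a login form that needs no token can be submitted
        // from another origin (login CSRF), so the login POST is better kept protected.
    }
}

// PasswordController.java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class PasswordController {
    @RequestMapping(value = "/user/savePassword", method = RequestMethod.POST)
    public String savePassword(@RequestParam("username") String username,
                               @RequestParam("password") String password) {
        // persist the new password here (placeholder) ...
        // Post/Redirect/Get: rather than rendering the login view from this POST
        // (which leaves the browser on /user/savePassword), send the browser to GET /login.
        // The login page is then served by Spring Security's own mapping, and a Thymeleaf
        // form written as <form th:action="@{/login}" method="post"> receives the hidden
        // _csrf input for the session that request carries. "?reset" is a placeholder flag.
        return "redirect:/login?reset";
    }
}
```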