I have been working on a 100% JavaConfig version of a custom form authentication Spring MVC application. Most examples use XML configuration, but I know I wanted to implement a solution without any XML.
I have investigated several examples, but here is my initial configuration that does work:
@Override protected void configure(final HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/", "/index").permitAll() .antMatchers("/customers/*").access("hasRole('USER')") .antMatchers("/managers/*").access("hasRole('ADMIN') and hasRole('DBA')") .and().formLogin().defaultSuccessUrl("/") .and().anonymous() .and().rememberMe() .and().logout().logoutSuccessUrl("/") .and().csrf() .and().exceptionHandling().accessDeniedPage("/Access_Denied.html"); http.sessionManagement() .maximumSessions(1) .expiredUrl("/expired.html") .sessionRegistry(sessionRegistry()); }
I wanted to use a custom login form, so I added this configuration:
.and().formLogin() .loginPage("/login.jsp") .permitAll()
Then I added this login.jsp
<form name='f' action="<c:url value='/j_spring_security_check' />" method='POST'> <table> <tr> <td>User:</td> <td><input type='text' name='j_username' value=''> </td> </tr> <tr> <td>Password:</td> <td><input type='password' name='j_password' /> </td> </tr> <tr> <td colspan='2'><input name="submit" type="submit" value="submit" /> </td> </tr> <tr> <td colspan='2'><input name="reset" type="reset" /> </td> </tr> </table> <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> </form>
Now I did test with both /login and /j_security_check as the action.
When using /login, I get an “HTTP 404 Page Not Found” exception, and when I use /j_security_check action, I get a “HTTP Status 405 – Request method ‘POST’ not supported” exception.
I ran across several incidents where using the XML configuration leads to the same error:
But this did not help my specific error.
Here is my updated configuration that finally worked:
.and().formLogin() .loginPage("/login.jsp") .loginProcessingUrl("/j_spring_security_check") .usernameParameter("j_username") .passwordParameter("j_password") .permitAll()
I can only surmise, that with the JavaConfig for Spring Security, there are several configuration attributes that are set for the default .formLogin(), and unless you explicitly set these attributes, the login.jsp will not execute the correct action.
Hope this helps…
Recent Comments