0
votes

I'm learning Spring Security by creating a simple login form. I'm using Java configuration. I have in-memory users and a simple filter chain.

But when I enter an existing username and password combination, Spring redirects me back to the login form with the URL: login?error.

This is my Spring Security configuration class:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

//    @Autowired
//    AuthProvider provider;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user1").password("").roles("USER")
                .and()
                .withUser("user2").password("").roles("USER")
                .and()
                .withUser("admin").password("1").roles("ADMIN");
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                    .disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll();

    }


//    @Override
//    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//        auth.authenticationProvider(provider);
//    }
}

This is my JSP form:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<body>
${message}
<br>
<form method="post" action="/login">
    <input type="text" name="login"/>
    <input type="text" name="pass"/>
    <input type="submit" value="enter"/>
</form>
</body>
</html>

4 Answers

1
votes

In your code

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user1").password("").roles("USER")
                .and()
                .withUser("user2").password("").roles("USER")
                .and()
                .withUser("admin").password("1").roles("ADMIN");
}

Replace the @Autowired with @Override

and follow the practice described here: https://www.baeldung.com/spring-security-login

... auth.inMemoryAuthentication()
      .withUser("user1").password(passwordEncoder().encode("user1Pass")).roles("USER")
      .and() ...

using BCryptPasswordEncoder as a bean in the same code, as follows:

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
0
votes

Take a look at the formLogin(String loginPage) javadoc - the default parameters for username and password are username and password. So you should reference them like that in your .jsp and then the login should work. So you should try refactoring the JSP to the following:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<body>
${message}
<br>
<form method="post" action="/login">
    <input type="text" id="username" name="username"/>
    <input type="password" id="password" name="password"/>
    <input type="submit" value="enter"/>
</form>
</body>
</html>
0
votes

For admin user, try with:

.withUser("admin").password("{noop}1").roles("ADMIN");

This is a way to store passwords in plain text (obviously not a recommended way...). By adding the {noop} prefix, you indicate you want to use NoopPasswordEncoder.

Otherwise, you should specify a password encoder, for example:

@Bean
public BCryptPasswordEncoder passEncoder() {
  return new BCryptPasswordEncoder();
}

and update your SecurityConfig like:

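@Autowired
private BCryptPasswordEncoder passEncoder;

// Overrides WebSecurityConfigurerAdapter.configure(AuthenticationManagerBuilder);
// @Override on a method named configureGlobal does not compile.
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .passwordEncoder(passEncoder)
                // Once an encoder is set, the stored value must be its hash, not the raw password.
                .withUser("user1").password(passEncoder.encode("")).roles("USER")
                .and()
                .withUser("user2").password(passEncoder.encode("")).roles("USER")
                .and()
                .withUser("admin").password(passEncoder.encode("1")).roles("ADMIN");
}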
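
Added example, not code from any of the answers: a small Java program showing how the stored password format decides whether a login matches, which is the point behind the {noop} prefix and the explicit BCryptPasswordEncoder. It assumes spring-security-crypto 5.x or later on the classpath; the class name PasswordPrefixDemo and the helper check are hypothetical.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example: compares how stored password formats behave at login time.
public class PasswordPrefixDemo {

    // Returns a label instead of throwing, so every case can be printed side by side.
    static String check(PasswordEncoder encoder, String raw, String stored) {
        try {
            return encoder.matches(raw, stored) ? "match" : "no match";
        } catch (IllegalArgumentException e) {
            // The delegating encoder throws when the stored value has no known {id} prefix.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Delegating encoder: picks the real encoder from the {id} prefix of the stored value.
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();

        String raw = "1"; // constructed sample, same value as the admin password in the question

        // Case 1: bare literal as in the question, no prefix and no encoder configured.
        System.out.println("bare + delegating    : " + check(delegating, raw, "1"));

        // Case 2: {noop} prefix selects NoOpPasswordEncoder (plain-text comparison).
        System.out.println("{noop} + delegating  : " + check(delegating, raw, "{noop}1"));

        // Case 3: encode() through the delegating encoder stores a {bcrypt}-prefixed hash.
        String prefixed = delegating.encode(raw);
        System.out.println("stored value prefix  : " + prefixed.substring(0, prefixed.indexOf('}') + 1));
        System.out.println("{bcrypt} + delegating: " + check(delegating, raw, prefixed));

        // Case 4: explicit BCryptPasswordEncoder with a bare literal. No exception,
        // but the literal is not a BCrypt hash, so the comparison fails.
        System.out.println("bare + bcrypt        : " + check(bcrypt, raw, "1"));

        // Case 5: explicit BCryptPasswordEncoder with a value it encoded itself.
        System.out.println("hash + bcrypt        : " + check(bcrypt, raw, bcrypt.encode(raw)));

        // A wrong password never matches a correctly stored hash.
        System.out.println("wrong password       : " + check(bcrypt, "2", bcrypt.encode(raw)));
    }
}
```

Cases 1 and 4 are the two ways the login ends at login?error; cases 2, 3 and 5 are the stored formats that match.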
0
votes

I had all three errors described above in my code. I accepted all three solutions and it works for me. Thank you!

Working code:

My SecurityConfig:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {


    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user1").password(passwordEncoder().encode("1")).roles("USER")
                .and()
                .withUser("user2").password(passwordEncoder().encode("1")).roles("USER")
                .and()
                .withUser("admin").password(passwordEncoder().encode("1")).roles("ADMIN");


    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                    .disable()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                        .usernameParameter("login")
                        .passwordParameter("pass")
                    .permitAll();

    }

}

My jsp form:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<body>
${message}
<br>
<form method="post" action="/login">
    <input type="text" name="login"/>
    <input type="text" name="pass"/>
    <input type="submit" value="enter"/>
</form>
</body>
</html>