Question

It looks like some filter is not added. I use Spring Security 3.2.0.RELEASE with Java config. The full project is posted on GitHub; SecurityConfig.java is here: SecurityConfig.java

I try to set up the filter in:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/app/**").hasRole("ADMIN")
            .and()
            .formLogin()
            .loginPage("/")
            .defaultSuccessUrl("/app/")
            .failureUrl("/?error=1")
            .permitAll()
            .and()
            .logout()
            .logoutSuccessUrl("/?logout");
}

After csrf().disable(). But the problem is not solved... Please help me solve this problem so that I can use /j_spring_security_check with my own CustomUserDetailsService!

Solution

I have no experience with Spring Security Java Config, but I checked your code and the API, and it seems that setting the login processing URL will let you log in:

AbstractAuthenticationFilterConfigurer.loginProcessingUrl("/j_spring_security_check")

So your code should be:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/app/**").hasRole("ADMIN")
            .and()
            .formLogin()
            .loginProcessingUrl("/j_spring_security_check")
            .loginPage("/")
            .defaultSuccessUrl("/app/")
            .failureUrl("/?error=1")
            .permitAll()
            .and()
            .logout()
            .logoutSuccessUrl("/?logout");
}

I would expect this is set by default.

In addition, to make use of MyCustomUserDetailsService, instead of autowiring it as it is now (Proxy created by Spring), I would configure it manually:

public class MyCustomUserDetailsService implements UserDetailsService {

    private UserDAO userDAO;

    public MyCustomUserDetailsService(UserDAO userDAO) {
        this.userDAO = userDAO;
    }
    // ...    
}

Notice: no @Service/@Component annotations, and the DAO is injected via the constructor. In the security config:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDAO userDAO;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                .and()
                .userDetailsService(new MyCustomUserDetailsService(userDAO));
    }
    // ...
}

Now I am sure the UserDetailsService is properly configured. And for sure it will be used while logging in to the application.

I also noticed that the username and password are not used. This is because in login.jsp you use j_username and j_password, whereas the username parameter should be username and the password parameter should be password.

<input type="text" id="username" class="span4" name="username" placeholder="Username" />
<input type="password" id="password" class="span4" name="password" placeholder="Password" />

Look at the FormLoginConfigurer class.
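
The form field names, the login processing URL and the Java config have to agree. As an added example (not part of the original answer or the asker's project), this configuration takes the other route and keeps the legacy j_username and j_password fields in login.jsp by naming them explicitly; the class name LegacyFormLoginConfig is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: hypothetical class that would replace the asker's SecurityConfig.
@Configuration
@EnableWebSecurity
public class LegacyFormLoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is disabled only because the question's configuration
        // disables it; with it enabled, the login form must also post the CSRF token.
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/app/**").hasRole("ADMIN")
                .and()
            .formLogin()
                .loginPage("/")
                // URL the login form POSTs to (the pre-Java-config default path).
                .loginProcessingUrl("/j_spring_security_check")
                // Match the field names already used in login.jsp, so the
                // authentication filter reads the submitted credentials.
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .defaultSuccessUrl("/app/")
                .failureUrl("/?error=1")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/?logout");
    }
}
```

With this variant the inputs in login.jsp keep name="j_username" and name="j_password", and the form's action must point at /j_spring_security_check.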

Licensed under: CC-BY-SA with attribution