java - Spring Security not using custom UserDetailsService
I am using Spring Security 4.2.5 and trying to set up a simple login page using 'username' and 'password' to have a user log in. Right now I am not worried about whether it comes in via HTTP or HTTPS; I will change that setting later on. I am trying to get Spring Security to see the username/password, call the UserDetailsService class, authenticate the request, and redirect the browser to 'index.html'. The problem I am having is that I keep getting access denied. I turned on debug logging and noticed that the custom UserDetailsService is not being called for the user data. What am I missing for Spring Security to call AdminUserService? I can provide logging statements if need be.

```html
<body>
  <div>
    <div>
      <h2>Login</h2>
    </div>
  </div>
  <!-- posts to /admin/login: context path /admin, servlet path /login -->
  <form action="/admin/login" method="post">
    Login:<br>
    <input type="text" name="username">
    <br>
    Password:<br>
    <!-- type="password" so the browser masks the secret (the posted form used type="text") -->
    <input type="password" name="password">
    <br><br>
    <input type="submit" value="Submit">
  </form>
</body>
```
My applicationContext.xml file looks like this:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd">

    <import resource="classpath:my-admin-context.xml" />

    <bean id="adminUserService" class="....AdminUserService">
        <property name="userMapper" ref="userMapper" />
        <property name="userRoleMapper" ref="userRoleMapper" />
    </bean>

    <bean id="adminAuthenticationSuccessHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/index.html" />
        <property name="alwaysUseDefaultTargetUrl" value="true" />
        <property name="useReferer" value="true" />
    </bean>

    <security:http>
        <security:intercept-url pattern="/login.html*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="any" />
        <security:intercept-url pattern="/**" access="ROLE_ADMIN" requires-channel="any" />
        <security:form-login login-page="/login.html"
                             authentication-success-handler-ref="adminAuthenticationSuccessHandler" />
        <security:logout logout-url="/logout" invalidate-session="true"
                         delete-cookies="JSESSIONID" logout-success-url="/login.html" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="adminUserService">
            <!-- hash="sha" selects the legacy, unsalted SHA password encoder. It is enough to
                 reproduce the problem, but a salted adaptive encoder (hash="bcrypt" in 4.x)
                 should replace it before real credentials are stored. -->
            <security:password-encoder hash="sha" />
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```
The AdminUserService looks like this:

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class AdminUserService implements UserDetailsService {

    private final Logger logger = LoggerFactory.getLogger(getClass());

    private UserMapper userMapper;
    private UserRoleMapper userRoleMapper;

    public UserMapper getUserMapper() {
        return userMapper;
    }

    @Required
    public void setUserMapper(final UserMapper userMapper) {
        this.userMapper = userMapper;
    }

    public UserRoleMapper getUserRoleMapper() {
        return userRoleMapper;
    }

    @Required
    public void setUserRoleMapper(final UserRoleMapper userRoleMapper) {
        this.userRoleMapper = userRoleMapper;
    }

    @Override
    public UserDetails loadUserByUsername(final String username) throws UsernameNotFoundException {
        logger.debug("Looking up user: {}", username);
        final UserDo userDo = userMapper.findUserByLogin(username);

        if (userDo == null) {
            logger.warn("User does not exist: {}", username);
            // The posted code built a User with a null password here, which Spring Security's
            // User constructor rejects with IllegalArgumentException; the UserDetailsService
            // contract is to throw UsernameNotFoundException instead.
            throw new UsernameNotFoundException("User does not exist: " + username);
        }

        if (StringUtils.equals(userDo.getStatus(), EtpAdminConstants.INACTIVE)) {
            logger.warn("User is inactive: {}", username);
            // Avoid logging the whole UserDo if its toString() includes the password hash.
            logger.info("User DO: {}", userDo);
            // enabled=false makes DaoAuthenticationProvider reject the login with a
            // DisabledException before the password is checked; the stored hash is
            // passed through so the constructor accepts the object.
            return new User(username, userDo.getPassword(), false, true, true, true,
                    new ArrayList<GrantedAuthority>());
        }

        final List<GrantedAuthority> authorities = getAuthorities(userDo);
        logger.debug("Granted authorities: {}", authorities);
        return new User(username, userDo.getPassword(), authorities);
    }

    List<GrantedAuthority> getAuthorities(final UserDo userDo) {
        final List<UserRole> userRoleList = userRoleMapper.findRoleMapping(userDo.getId());
        logger.debug("Found roles: {}", userRoleList);
        final List<GrantedAuthority> authorities = new ArrayList<>();
        userRoleList.forEach(userRole -> authorities.add(new SimpleGrantedAuthority(userRole.getRoleName())));
        return authorities;
    }
}
```
Here is the logging information:

```
[o.a.c.a.AuthenticatorBase] Security checking request POST /admin/login
[o.a.c.a.AuthenticatorBase] Not subject to any constraint
[o.s.s.w.u.m.AntPathRequestMatcher] Checking match of request : '/login'; against '/login.htm*'
[o.s.s.w.FilterChainProxy] /login at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
[o.s.s.w.u.m.AntPathRequestMatcher] Request '/login' matched by universal pattern '/**'
[o.s.s.w.a.c.ChannelProcessingFilter] Request: FilterInvocation: URL: /login; ConfigAttributes: [ANY_CHANNEL]
[o.s.s.w.FilterChainProxy] /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[o.s.s.w.c.HttpSessionSecurityContextRepository] HttpSession returned null object for SPRING_SECURITY_CONTEXT
[o.s.s.w.c.HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@7a1cf085. A new one will be created.
[o.s.s.w.FilterChainProxy] /login at position 3 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[o.s.s.w.FilterChainProxy] /login at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
[o.s.s.w.FilterChainProxy] /login at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
[o.s.s.w.FilterChainProxy] /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[o.s.s.w.s.DefaultSavedRequest] pathInfo: both null (property equals)
[o.s.s.w.s.DefaultSavedRequest] queryString: both null (property equals)
[o.s.s.w.s.DefaultSavedRequest] requestURI: arg1=/admin/login; arg2=/admin/login (property equals)
[o.s.s.w.s.DefaultSavedRequest] serverPort: arg1=8080; arg2=8080 (property equals)
[o.s.s.w.s.DefaultSavedRequest] requestURL: arg1=http://localhost:8080/admin/login; arg2=http://localhost:8080/admin/login (property equals)
[o.s.s.w.s.DefaultSavedRequest] scheme: arg1=http; arg2=http (property equals)
[o.s.s.w.s.DefaultSavedRequest] serverName: arg1=localhost; arg2=localhost (property equals)
[o.s.s.w.s.DefaultSavedRequest] contextPath: arg1=/admin; arg2=/admin (property equals)
[o.s.s.w.s.DefaultSavedRequest] servletPath: arg1=/login; arg2=/login (property equals)
[o.s.s.w.s.HttpSessionRequestCache] [http-nio-8080-exec-5]: Removing DefaultSavedRequest from session if present
[o.s.s.w.FilterChainProxy] /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[o.s.s.w.FilterChainProxy] /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[o.s.s.w.a.AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: fbb14a73ffea49ff371de7e74dbcbf31; Granted Authorities: ROLE_ANONYMOUS'
[o.s.s.w.FilterChainProxy] /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
[o.s.s.w.FilterChainProxy] /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[o.s.s.w.FilterChainProxy] /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[o.s.s.w.a.i.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /login; Attributes: [ROLE_ADMIN]
[o.s.s.w.a.i.FilterSecurityInterceptor] Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90576bf4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: fbb14a73ffea49ff371de7e74dbcbf31; Granted Authorities: ROLE_ANONYMOUS
[o.s.s.a.v.AffirmativeBased] Voter: org.springframework.security.access.vote.RoleVoter@5b444231, returned: -1
[o.s.s.a.v.AffirmativeBased] Voter: org.springframework.security.access.vote.AuthenticatedVoter@52a53135, returned: 0
[o.s.b.f.s.DefaultListableBeanFactory] Returning cached instance of singleton bean 'sqlSessionFactory'
[o.s.s.w.a.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
[o.s.s.w.s.HttpSessionRequestCache] DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/admin/login]
[o.s.s.w.a.ExceptionTranslationFilter] Calling Authentication entry point.
[o.s.s.w.DefaultRedirectStrategy] Redirecting to 'http://localhost:8080/admin/login.html'
[o.s.s.w.c.HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[o.s.s.w.c.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
```
I figured it out. @Vikas, that little bit of information got me going in the right direction. Thanks! I had the wrong configuration. At the bottom of this answer is the configuration I had to go with. Notice a couple of things:

- Create a separate <http> for the login.html page.
- You must specify the following parameters on <form-login>:
  - login-processing-url
  - username-parameter
  - password-parameter

Spring Security did not find '/login'. You must specify the parameter, contrary to what the documentation says:

"The login form contains username and password input fields, and posts to a URL that is monitored by the filter (by default /login)." -- Form Login Filter

Also, Spring Security did not find the default 'username' and 'password', contrary to the documentation:

"Login forms must present two parameters to this filter: a username and password. The default parameter names to use are contained in the static fields SPRING_SECURITY_FORM_USERNAME_KEY and SPRING_SECURITY_FORM_PASSWORD_KEY. The parameter names can also be changed by setting the usernameParameter and passwordParameter properties." -- UsernamePasswordAuthenticationFilter

Code snippet from the UsernamePasswordAuthenticationFilter class:

```java
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
```

You must specify these three parameters in your configuration.
```xml
<!-- the login page itself is served outside the secured chain -->
<security:http pattern="/login.htm*" security="none" />

<security:http>
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" requires-channel="any" />
    <security:form-login login-page="/login.html"
                         login-processing-url="/login"
                         authentication-success-handler-ref="adminAuthenticationSuccessHandler"
                         username-parameter="username"
                         password-parameter="password" />
    <security:logout logout-url="/logout" invalidate-session="true"
                     delete-cookies="JSESSIONID" logout-success-url="/login.html" />
</security:http>
```
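Added example, not code from the question or the answer above: a stand-alone Java program that wires a UsernamePasswordAuthenticationFilter to a DaoAuthenticationProvider with the same three settings the answer names (login-processing-url, username-parameter, password-parameter), then drives it with spring-test mock requests to show exactly when the filter hands the credentials to the UserDetailsService and when it leaves the request alone. The user service, the user "alice", the password, and the /admin context path are constructed for the demonstration and stand in for the question's AdminUserService and database; it assumes spring-security-core/web 4.2.x and spring-test on the classpath, and uses a BCrypt encoder rather than the page's hash="sha" encoder.

```java
import java.util.Collections;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class FormLoginMappingDemo {

    /** Hypothetical stand-in for the question's AdminUserService: one constructed user, "alice". */
    static UserDetailsService demoUserService(BCryptPasswordEncoder encoder) {
        final String storedHash = encoder.encode("s3cret"); // constructed sample credential
        return username -> {
            System.out.println("   UserDetailsService called for '" + username + "'");
            if (!"alice".equals(username)) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return new User("alice", storedHash,
                    Collections.singletonList(new SimpleGrantedAuthority("ROLE_ADMIN")));
        };
    }

    /** Java equivalent of the answer's three <form-login> attributes. */
    static UsernamePasswordAuthenticationFilter buildFilter(AuthenticationManager manager) throws Exception {
        UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
        filter.setAuthenticationManager(manager);
        filter.setFilterProcessesUrl("/login");      // login-processing-url
        filter.setUsernameParameter("username");     // username-parameter
        filter.setPasswordParameter("password");     // password-parameter
        filter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/index.html"));
        filter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/login.html?error"));
        filter.afterPropertiesSet();
        return filter;
    }

    /** Constructed POST under context path /admin, mirroring the question's deployment. */
    static MockHttpServletRequest post(String servletPath, String userParam, String passParam) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/admin" + servletPath);
        request.setContextPath("/admin");
        request.setServletPath(servletPath); // the filter's AntPathRequestMatcher compares servletPath + pathInfo
        request.setParameter(userParam, "alice");
        request.setParameter(passParam, "s3cret");
        return request;
    }

    public static void main(String[] args) throws Exception {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(demoUserService(encoder));
        provider.setPasswordEncoder(encoder);
        provider.afterPropertiesSet();
        AuthenticationManager manager =
                new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
        UsernamePasswordAuthenticationFilter filter = buildFilter(manager);

        // 1. POST /admin/login with the configured parameter names: the filter consumes the
        //    request, the provider calls the UserDetailsService, and the success handler
        //    redirects to /admin/index.html (context path is prepended by DefaultRedirectStrategy).
        MockHttpServletResponse response = new MockHttpServletResponse();
        filter.doFilter(post("/login", "username", "password"), response, new MockFilterChain());
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("1. principal=" + auth.getName() + " redirect=" + response.getRedirectedUrl());
        SecurityContextHolder.clearContext();

        // 2. POST to a path the filter is not configured for: the filter never looks at the
        //    parameters and passes the request down the chain unauthenticated. In a real chain
        //    FilterSecurityInterceptor then sees only the anonymous token, which is the
        //    "access denied" in the question's log.
        MockFilterChain chain = new MockFilterChain();
        response = new MockHttpServletResponse();
        filter.doFilter(post("/login.html", "username", "password"), response, chain);
        System.out.println("2. passedDownChain=" + (chain.getRequest() != null)
                + " authenticated=" + (SecurityContextHolder.getContext().getAuthentication() != null));

        // 3. Right URL, wrong parameter names: the filter reads empty username/password, the
        //    service is asked for "" and throws, and the failure handler redirects to the error page.
        response = new MockHttpServletResponse();
        filter.doFilter(post("/login", "j_username", "j_password"), response, new MockFilterChain());
        System.out.println("3. redirect=" + response.getRedirectedUrl());
    }
}
```

Run it as a plain main(). Case 1 is the working configuration from the answer; case 2 reproduces the symptom in the question (the UserDetailsService line is never printed because the filter's processing URL did not match), and case 3 shows that a URL match is not enough when the form field names and the filter's parameter names disagree.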