Java
parkito, 2016-09-28 03:25:02

Why is Spring Security not fulfilling its obligations?

Hello. Please help me solve the following problem.
I'm trying to set up Spring Security.
Its configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    CustomSuccessHandler customSuccessHandler;


    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/admin/*").access("hasRole('Manager')")
                .antMatchers("/user/*").access("hasRole('userAvailable')")
                //.and().formLogin().loginPage("/login")
                .and().formLogin().loginPage("/login").successHandler(customSuccessHandler)
                .usernameParameter("username").passwordParameter("password")
                .and().csrf()
                .and().exceptionHandling().accessDeniedPage("/404");
    }

}


But when authorizing, it throws me to login?error, and in the servlet
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String loginPage(HttpServletRequest request, Locale locale, Model model) {
        // Read the current Authentication from the security context and print it
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        System.out.println(auth.getDetails());
        System.out.println(auth.getPrincipal());
        System.out.println(principal);
        return "index";
    }

I see anonymousUser. What am I doing wrong?

2 answer(s)
Ruslan Lopatin, 2016-09-28
@lorus

loginPage is the page that Spring Security sends the user to if authentication is required. So it is quite natural that on this page the user is not yet authenticated.
username and password must be sent as a POST request to loginProcessingUrl, which is not set in this configuration.
Well, redirecting to login?error means that authentication in UserDetailsService did not occur. Dig there.

Ildar Gafarov, 2016-09-28
@badprogrammist

Everything is correct. You wrote "/login" as the page for authentication, so it is natural that there will be anonymousUser, because this method should render the page for authentication.
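
The split both answers describe (GET /login renders the form while the user is still anonymous, and the credentials go by POST to the login processing URL), as an added example that is not code from the question or from either answerer. The class names FormLoginConfig and LoggingFailureHandler are hypothetical, the URLs and roles are taken from the question, the same WebSecurityConfigurerAdapter style is assumed, and the success handler and access-denied page are left out to keep the focus on finding out why the redirect to login?error happens.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Added example: class names are hypothetical; URLs and roles come from the question.
@Configuration
@EnableWebSecurity
public class FormLoginConfig extends WebSecurityConfigurerAdapter {

    // Logs why authentication failed, then redirects to /login?error as before.
    static class LoggingFailureHandler extends SimpleUrlAuthenticationFailureHandler {
        LoggingFailureHandler() {
            super("/login?error");
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request,
                HttpServletResponse response, AuthenticationException e)
                throws IOException, ServletException {
            // Log only the exception type and message, never the submitted password.
            logger.warn("Login rejected: " + e.getClass().getSimpleName()
                    + " - " + e.getMessage());
            super.onAuthenticationFailure(request, response, e);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .antMatchers("/admin/*").access("hasRole('Manager')")
                .antMatchers("/user/*").access("hasRole('userAvailable')")
                .and().formLogin()
                .loginPage("/login")           // GET: controller renders the form, user is anonymous
                .loginProcessingUrl("/login")  // POST: handled by the security filter, not a controller
                .usernameParameter("username").passwordParameter("password")
                .failureHandler(new LoggingFailureHandler())
                .and().csrf();                 // the login form must also submit the _csrf token
    }
}
```

Because DaoAuthenticationProvider hides UsernameNotFoundException by default, an unknown user and a wrong password both log as BadCredentialsException; an InternalAuthenticationServiceException points at an error thrown inside the UserDetailsService itself.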
