Closed mhussainshah1 closed 4 months ago
Hi.
Have you tried providing an AuthenticationEntryPoint?
private final MyUserDetailsService myUserDetailsService;
private final AppDefaultAuthenticationFailedEntryPoint appDefaultAuthenticationFailedEntryPoint;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/", "/h2-console/**").permitAll()
            .requestMatchers("/admin").hasRole("ADMIN")
            .anyRequest().authenticated()
        )
        .formLogin(form -> form
            .loginPage("/login")
            .failureUrl("/login?error=true")
            .permitAll())
        .logout(logout -> logout
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login?logout")
            .permitAll())
        // .httpBasic(Customizer.withDefaults());
        .httpBasic(httpBasicConfigurer_ -> {
            httpBasicConfigurer_.realmName("SOME-REALM");
            httpBasicConfigurer_.authenticationEntryPoint(appDefaultAuthenticationFailedEntryPoint);
        }); // this statement-terminating semicolon was missing in the original snippet
    // CSRF and frame protection are disabled here only so the H2 console works in development
    http
        .csrf().disable();
    http
        .headers().frameOptions().disable();
    return http.build();
}
AppDefaultAuthenticationFailedEntryPoint.java class
import java.io.IOException;

// Spring Boot 3 / Spring Security 6 use the jakarta.* servlet API, not javax.*
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Slf4j
@RequiredArgsConstructor
@Component
public class AppDefaultAuthenticationFailedEntryPoint implements AuthenticationEntryPoint {

    // Called when an unauthenticated request hits a protected resource:
    // answer 401 instead of redirecting the client to the login page.
    @Override
    public void commence(
            HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException authException)
            throws IOException, ServletException {
        HttpStatus status = HttpStatus.UNAUTHORIZED;
        log.error("Failed Authentication: {}", authException.getMessage(), authException);
        response.setStatus(status.value());
        // sendError also sets the status code; the setStatus call above is kept for clarity
        response.sendError(status.value(), "Unauthorized Access");
    }
}
Nice article. However, the method UserDetails loadUserByUsername is not allowed to return null; you must return UsernameNotFoundException.
Hi @mhussainshah1, I believe @sirDarey is correct.
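The contract the two comments above refer to, as an added example that is not the code from the linked SpringBoot_404 repository: a UserDetailsService whose lookup is backed by a plain Map (a constructed stand-in for the JPA repository used by SSUserDetailsService) and that throws UsernameNotFoundException for an unknown user rather than returning null. The class name ThrowingUserDetailsService and the sample users are assumptions for illustration.

```java
import java.util.Map;
import java.util.Optional;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Added example, not code from the issue's repository.
 * The lookup is a Map so the class runs without a database; in the real
 * application this would be a repository call. The important part is the
 * orElseThrow: an unknown username is reported by throwing
 * UsernameNotFoundException, never by returning null, which
 * DaoAuthenticationProvider rejects as a contract violation.
 */
public class ThrowingUserDetailsService implements UserDetailsService {

    // Constructed sample data standing in for a users table:
    // username -> { encoded password, role }
    private final Map<String, String[]> users;

    public ThrowingUserDetailsService(Map<String, String[]> users) {
        this.users = users;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        return Optional.ofNullable(users.get(username))
                .map(row -> User.withUsername(username)
                        .password(row[0])   // must already be encoded, e.g. "{bcrypt}..." or "{noop}..."
                        .roles(row[1])      // User.roles() adds the "ROLE_" prefix
                        .build())
                // `return null;` here is the mistake this thread is about
                .orElseThrow(() -> new UsernameNotFoundException("No user named " + username));
    }

    public static void main(String[] args) {
        ThrowingUserDetailsService service = new ThrowingUserDetailsService(
                Map.of("admin", new String[] {"{noop}password", "ADMIN"}));

        System.out.println(service.loadUserByUsername("admin").getAuthorities());
        try {
            service.loadUserByUsername("dave");
        } catch (UsernameNotFoundException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

With the default setting hideUserNotFoundExceptions=true, DaoAuthenticationProvider converts the UsernameNotFoundException into a BadCredentialsException before it reaches the failure handler, so the browser is redirected to the failureUrl and an attacker cannot distinguish an unknown user from a wrong password.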
Describe the bug
Configuration rules that worked in Spring Security 5 don't work in 6.0.1.
After migrating the security configuration to Spring Security 6.0.1, if we use bad credentials (username/password) then the browser gets stuck, Hibernate runs a query endlessly and control does not redirect to the login page. The project uses Spring MVC and Thymeleaf.
To migrate from Spring Security 5 (Spring Boot 2.1.3.RELEASE) to Spring Security 6.0.1 (Spring Boot 3.0.2) I changed the SecurityConfiguration.java file from ... to ... and I changed the SSUserDetailsService.java file from ... to ...
To Reproduce
Steps to reproduce the error behavior (the springboot_3.0 branch contains an example with Spring Security 6.0.1 (Spring Boot 3.0.2)):
1. git clone -b springboot_3.0 https://github.com/mhussainshah1/SpringBoot_404.git
2. cd SpringBoot_404
3. mvn clean package
4. mvn spring-boot:run
5. Open the browser at http://localhost:8080/
6. Log in with user/password (user is admin, password is password)
7. Log in with bad credentials (user is dave, password is begreat)
8. The browser gets stuck and the Hibernate query runs endlessly until stopped with CTRL + C
Expected behavior
After putting in bad credentials (username or password) the login page should appear with the following text:
Invalid username or password
Steps to reproduce the success behavior (the main branch contains an example with Spring Security 5 (Spring Boot 2.1.3.RELEASE)):
1. git clone https://github.com/mhussainshah1/SpringBoot_404.git
2. cd SpringBoot_404
3. mvn clean package
4. mvn spring-boot:run
5. Open the browser at http://localhost:8080/
6. The login page opens successfully
7. Log in with user/password (user is admin, password is password). The home page opens at http://localhost:8080/
8. Log in with bad credentials (user is dave, password is begreat). It redirects to the login page and shows the following:
Sample
A link to a GitHub repository with a minimal, reproducible sample (see the springboot_3.0 branch).