In a Spring Boot application that uses Spring Security, a login attempt can redirect straight back to the login page. No matter how many times we log in, we never reach the next page.

In this post, we’re going to see this strange behavior, how to reproduce this issue, and how to fix it.



Symptoms

The Spring Security module is configured in the application’s pom.xml file. When we try to log in, regardless of the credentials supplied, the application does not let us in. Even after a successful login, it redirects back to the login page.



Root Cause

By default, Spring Security redirects the user to the previous page after a successful login. If you open the login page directly by typing a URL like “http://localhost:8080/login”, the login page is displayed. After a successful login, the user is redirected to the page they came from, which is the “http://localhost:8080/login” login page itself.

If incorrect user credentials are provided, the user is redirected to the login page by default. Either way, the login page does not let you proceed to the next page.



How to reproduce this issue

Create a Spring Boot application with the Spring Security module. Create a login page with user name and password fields. Customize your Spring Boot security configuration by extending the WebSecurityConfigurerAdapter class.

Open any browser and type “http://localhost:8080/login”. After you provide correct or incorrect login credentials, you are redirected to the same login page. It will not allow you to proceed to the next page.

login.jsp

<center>
<h1>Welcome to Spring Boot Security</h1>
<form method="POST" action="/login">
	User Name : <input type="text" name="username" value="user"/><br><br>
	Password  : <input type="password" name="password" value="password"/><br><br>
	<input type="submit" name="submit"/>
</form>
</center>

SpringBootSecurityConfiguration.java

package com.yawintutor;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {
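	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		// In-memory demo user; the {noop} prefix stores the password in plain text
		auth.inMemoryAuthentication()
			.withUser("user").password("{noop}password").roles("USER");
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			// CSRF protection is switched off, so the login form needs no CSRF token
			.csrf().disable()
			.authorizeRequests()
			// Every URL requires the USER role
			.antMatchers("/**").hasAnyRole("USER")
			// Custom login page, reachable without authentication
			.and().formLogin().loginPage("/login")
			.permitAll()
			.and().logout();
	}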
}	


Solution 1

Spring Security lets you fix this issue with the “defaultSuccessUrl” API. Add the line below to the formLogin() section of the security configuration.

.defaultSuccessUrl("/dashboard",false)

If the user opens the “http://localhost:8080/login” login page directly, the above API lets the user log in with the correct credentials and redirects to the configured URL “/dashboard”. When the user was instead sent to the login page from another page, the second parameter “false” allows the user to be redirected back to that previous page.

The code below shows the complete security configuration in Spring Boot. It passes “true” as the second parameter, which always redirects to “/dashboard” after a successful login.

SpringBootSecurityConfiguration.java

package com.yawintutor;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {
	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication()
			.withUser("user").password("{noop}password").roles("USER");
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			.csrf().disable()
			.authorizeRequests()
			.antMatchers("/**").hasAnyRole("USER")
			.and().formLogin().loginPage("/login")
				// true: always redirect to /dashboard after a successful login
				.defaultSuccessUrl("/dashboard",true)
			.permitAll()
			.and().logout();
	}
}	


Solution 2

If you still have an issue with Spring Boot security, please follow the steps below to fix it.


