0

My security configuration is as following:

@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
    auth.jdbcAuthentication().dataSource(dataSource)
    .usersByUsernameQuery("select username, password, activated from Person where username=?")
    .authoritiesByUsernameQuery("select person.username, personrole.roleName from person, personrole, personandroles where person.username=? and personandroles.personid=person.personId and personrole.roleid=personandroles.roleid");
}



@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .authorizeRequests()
    .antMatchers("/empl").access("hasRole('employee')") 
    .antMatchers("/", "/index" , "/loginform", "/registerform","/approvelogin") .permitAll()        
    .anyRequest().authenticated()
        .and()
    .formLogin().loginPage("/loginform")
    .loginProcessingUrl("/approvelogin")
    .usernameParameter("username")
    .passwordParameter("password")
    .and()
     .httpBasic().disable()
    .and()
    .exceptionHandling().accessDeniedPage("/403");      
}

Where /approvelogin is the name of my login-controller. This controller expects a Modelattribute 'Person' and a request parameter 'role' (user may select a role as which to log in)

On the loginform I have this:

<form:form action="approvelogin" modelAttribute="userBean" method="POST">
        <table>
           <tr>
                <td><label><b>Benutzername:</b></label>
                    <form:input type="text"  path="username" required="true"/>
                </td>       
            </tr>

            <tr>
                <td><label><b>Kennwort</b></label>
                    <form:input type="password" path="password" required="true">
                </td>
            <td>
            <c:if test="${!empty roles}">
                <select name="role">
                    <c:forEach var="r" items="${roles}">
                        <option value='${r.roleName}'>${r.roleName}</option>
                    </c:forEach>                        
                </select>
            </c:if>
            </td>
                <td> <input type="submit" value="Login"/>
                </td>
            </tr>
        </table>    
  </form:form>

When I call /empl in the browser I am beeing redirected to loginform as expected. But after editing the correct user credencials I arrive on my 403.jsp.

Setting a breakpoint on the method successfullAuthentication(request, response, chain, authResult) of the class AuthenticationProcessingFilter shows that the 'authorities' collection is filled with the correct role 'employee'. So I assume something else prevent my login controller from beeing entered at all.

The login controller:

@RequestMapping(value="/approvelogin", method=RequestMethod.POST)
public String login(@ModelAttribute("userBean") Person user,  @RequestParam(value="role") String role,  Model model){

if( user.getUsername().isEmpty() || user.getPassword().isEmpty() ){
        model.addAttribute("error", "Please enter your username and password");
   return "loginform";
}

else {
        Person p = personDao.getPerson(user.getUsername(), user.getPassword());
        if ( p == null) {
             model.addAttribute("error", "Invalid Details, try again:");
             return "loginform";                 
        }
        else{
            String view="welcome";
            model.addAttribute("loggedperson", p);
            for( PersonRole r: p.getRoles() ){
                if(r.getRoleName().equals(role)) {
                    view= role +"View";
                    break; 
                }
            }
            return view;
        }
    }
}



@RequestMapping(value="/empl")
public String employeeView(){
    return "employeeView";
}
saab
  • 129
  • 1
  • 3
  • 16
  • you have to add `.httpBasic().disable();` to the config. ref: http://stackoverflow.com/a/25740336/3981536 – Jos Jan 19 '17 at 20:40
  • Now I disabled it but nothing changed. Even on the Index.jsp, i.e. from a not protected page, after editing username and password and pushing submit I am not redirected into my custom login controller. – saab Jan 19 '17 at 21:34

2 Answers2

0

Your login controller will return String with role+View, are you sure that you have view with this name? I think you want to redirect user after login to /empl.

wpater
  • 393
  • 3
  • 14
  • if the code entered the controller and did not find the resource (e.g. empl.jsp) then I would have gotten the error: resource not available. The major problem however is that I even don't arrive in the first line of code in the '/approvelogin' controller. – saab Jan 20 '17 at 06:33
  • I added the '/empl' controller above to be more clear; – saab Jan 20 '17 at 08:22
  • Anybody any idea to help me please? – saab Jan 22 '17 at 23:35
0

Finally I found a solution. Instead of setting the 

.loginProcessingUrl("/approvelogin")

I have to set the

 .defaultSuccessUrl("/approvelogin")

Clearly after spring has done the authentication and has athorised the user to go on I am able to get to my custom login controller in order to redirect the user to the desired view (according to his role and request).

saab
  • 129
  • 1
  • 3
  • 16