I am new to Spring Boot. I have a small application that uses Spring Boot and Spring Security. After a successful login, the page redirects to /login again. I don't know how to fix it.

After successful login:

[screenshot omitted: the redirect sequence after login, referred to below as "the diagram above"]

This is the security config:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/", "/login").permitAll() // Spring Security does not intercept "/" and "/login"
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login") // the Spring Security login page is served at /login
                .defaultSuccessUrl("/chat") // go to /chat after a successful login
                .permitAll()
                .and()
                .logout()
                .permitAll();
    }

    /**
     * Two in-memory users, xin and king, each with a password equal to the username and the role USER
     * @param auth
     * @throws Exception
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("xin").password("xin").roles("USER")
                .and()
                .withUser("king").password("king").roles("USER");
    }

    /**
     * Static resources under /resources/static/ are not intercepted by Spring Security
     * @param web
     * @throws Exception
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/static/**");
    }
}
Xin_Law
    What do you have on the client side? And do you know for sure that the authentication was successful? – br.julien Nov 01 '17 at 18:36
  • Here is my login page. I think the authentication was successful, but the page redirects to /login again after it redirects from /login to /chat, just like the diagram above.
    [login page markup not preserved; only its message strings survived:]
    Invalid account or password
    You have been logged out
    – Xin_Law Nov 02 '17 at 01:29

2 Answers

What behaviour do you need? Basically, there are two choices: redirect to some static, well-known location, like /index, or redirect to the originally requested page. Both require configuring an AuthenticationSuccessHandler. You can also use or extend one of the existing success handlers to accomplish some basic tasks. E.g., note how SimpleUrlAuthenticationSuccessHandler can be used to redirect to the originally requested page:

XML security config:

<http use-expressions="true">
    <intercept-url pattern="/login*" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <form-login
        ...
        authentication-success-handler-ref="authenticationSuccessHandler"

        authentication-success-handler-ref="refererAuthenticationSuccessHandler"
        ...
        />

    <logout/>
</http>

<!-- Route users to their profiles and admins to the admin console: -->
<beans:bean id="authenticationSuccessHandler" class="a.b.c.AuthenticationSuccessHandler"/>

<!-- Route to the originally requested page -->
<beans:bean id="refererAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <property name="useReferer" value="true"/>
</beans:bean>

Example AuthenticationSuccessHandler:

package a.b.c;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Extends SimpleUrlAuthenticationSuccessHandler to inherit getRedirectStrategy() and
// clearAuthenticationAttributes(); the class name matches the a.b.c bean declared in the XML above.
public class AuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        // Very simple check whether the user is a USER or an ADMIN.
        // roles("USER") grants the authority "ROLE_USER"; adjust if your user store uses unprefixed names.
        boolean isUser = authentication.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals("ROLE_USER"));
        if (isUser) {
            getRedirectStrategy().sendRedirect(request, response, "/profile.html");
        } else {
            getRedirectStrategy().sendRedirect(request, response, "/admin.html");
        }

        clearAuthenticationAttributes(request);
    }
}
madhead
  • Thank you for your help. In this application, I want to redirect the page from /login to /chat after a successful login. I set a default success URL in WebSecurityConfig.java, but the page redirects to /chat and then redirects to /login again, just like the diagram above. – Xin_Law Nov 02 '17 at 01:25
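The same two choices expressed in Java config, which is what the question uses, rather than the XML above. This is an added example, not the answer's or the asker's code: the ROLE_ADMIN role, the /admin target, the a.b.c package and the class names are assumptions, and it targets the WebSecurityConfigurerAdapter API of the question (Spring Security 4.x/5.x):

```java
package a.b.c; // assumed package, matching the bean reference in the XML above

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF is left enabled here: the login form must then post the _csrf hidden field,
            // otherwise the POST to /login is rejected with 403 before authentication runs.
            .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                // successHandler() replaces defaultSuccessUrl(): defaultSuccessUrl() itself only
                // installs a SavedRequestAwareAuthenticationSuccessHandler, so if both are
                // called the last call wins.
                .successHandler(successHandler())
                .permitAll()
                .and()
            .logout().permitAll();
    }

    @Bean
    public AuthenticationSuccessHandler successHandler() {
        RoleAwareSuccessHandler handler = new RoleAwareSuccessHandler();
        handler.setDefaultTargetUrl("/chat"); // where non-admins land when no request was saved
        return handler;
    }

    /**
     * Choice 2 from the answer (back to the originally requested page) with choice 1
     * (role-based routing) layered on top. The "saved request" is the URL that
     * ExceptionTranslationFilter stored when it sent the unauthenticated user to /login.
     * Assumed class name, not a Spring Security type.
     */
    static class RoleAwareSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                            Authentication authentication)
                throws ServletException, IOException {
            // roles("ADMIN") grants the authority "ROLE_ADMIN"; compare the prefixed name.
            boolean admin = authentication.getAuthorities().stream()
                    .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
            if (admin) {
                clearAuthenticationAttributes(request);
                getRedirectStrategy().sendRedirect(request, response, "/admin");
                return;
            }
            // Everyone else: the saved request if there is one, otherwise the default target /chat.
            super.onAuthenticationSuccess(request, response, authentication);
        }
    }
}
```

Subclassing SavedRequestAwareAuthenticationSuccessHandler rather than implementing the interface directly is what gives access to the protected getRedirectStrategy() and clearAuthenticationAttributes() helpers that the answer's handler relies on.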
There could be another possibility. The cookie was not set, and the following requests were all treated as a first request without a session ID.

If you were using Google Chrome and tested the application on your local machine using the localhost address, the cookie might not be set. You can see more details here: Chrome localhost cookie not being set

You can try 127.0.0.1 instead to test.

bob tang
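A way to check this answer's theory on the server side, rather than only in the browser, as an added example that is not part of the answer: a diagnostic servlet filter that logs, for every request, whether a JSESSIONID arrived, whether it matched a live session, and which Set-Cookie the response went out with. The class name and the a.b.c package are assumptions; it uses the javax.servlet and Spring Web APIs of the Spring Boot 1.x/2.x line the question is on, and registers itself as a bean so Boot adds it to the filter chain ahead of Spring Security:

```java
package a.b.c; // assumed package

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Logs the session-cookie state of each request so a redirect loop can be attributed.
 *
 * Healthy flow:  POST /login arrives with no (or a stale) id, the response carries
 *                Set-Cookie: JSESSIONID=..., and the following GET /chat arrives with
 *                that id and valid=true.
 * Dropped cookie (this answer's theory): every request arrives with requestedId=null,
 *                valid=false and a brand-new session id, and each protected request is
 *                sent back to /login.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before Spring Security's filter chain
public class SessionCookieDiagnosticsFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(SessionCookieDiagnosticsFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String requestedId = request.getRequestedSessionId();   // id sent by the client, if any
        boolean valid = request.isRequestedSessionIdValid();     // does it match a live session?
        String before = currentSessionId(request);

        chain.doFilter(request, response);

        String after = currentSessionId(request);
        log.info("{} {} | requestedId={} valid={} | session before={} after={} | status={} setCookie={}",
                request.getMethod(), request.getRequestURI(), requestedId, valid,
                before, after, response.getStatus(), response.getHeader("Set-Cookie"));
    }

    // getSession(false) never creates a session; getId() can throw if the session was
    // invalidated during the request (e.g. by /logout), so report that explicitly.
    private static String currentSessionId(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return "none";
        }
        try {
            return session.getId();
        } catch (IllegalStateException invalidated) {
            return "invalidated";
        }
    }
}
```

Read the log for the two requests that matter: the POST to /login should answer 302 with a Set-Cookie header, and the GET of /chat that follows should show requestedId equal to that cookie value with valid=true. If the GET shows requestedId=null, the browser never stored or never sent the cookie, which is exactly the localhost case this answer describes; if it shows the id with valid=false, the session was created on a different host name or port than the one the browser is now talking to.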