I use Angular in the frontend and handle security with spring security in the backend.
However, Spring sec does not authenticate user. For both valid and not valid credential it's behavior is same. I want to catch "bad credential" for invalid user or password and user data for valid credential. What is my problem and how can I handle that? Thank you
spring security config
@Bean
public BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public JdbcUserDetailsManager userDetailsManager(AuthenticationManager authenticationManager, DataSource dataSource) {
JdbcUserDetailsManager userDetailsService = new JdbcUserDetailsManager();
userDetailsService.setDataSource(dataSource);
userDetailsService.setAuthenticationManager(authenticationManager);
return userDetailsService;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/webjars/**", "/resources/**", "/js/**", "/public/**");
}
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers("/login").permitAll().and()
.authorizeRequests().antMatchers("/index").permitAll().and()
.authorizeRequests().anyRequest().hasRole("USER").and()
.exceptionHandling()
.accessDeniedPage("/index?authorization_error=true")
.and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize")).disable()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.logout()
.logoutSuccessUrl("/index")
.logoutUrl("/logout.do")
.and()
.formLogin()
.usernameParameter("j_username")
.passwordParameter("j_password")
.failureUrl("/index?authentication_error=true")
.loginPage("/index")
.loginProcessingUrl("/j_security_check")
.and()
.sessionManagement().maximumSessions(1);
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null
&& !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
}
Angular controller:
var loginService = function () {
var deferred = $q.defer();
$http.post(contextPath + '/j_security_check', {j_username: $scope.credentials.j_username, j_password: $scope.credentials.j_password}).
success(function (data) {
deferred.resolve(data);
}).
error(function (data, status, header, config) {
$log.warn(data, status, header(), config);
deferred.reject(status);
});
return deferred.promise;
};
$scope.login = function () {
loginService().then(function (result) {
console.log(result);
$state.go('dashboard');
}, function (result) {
switch (result) {
case 401:
$scope.message = "Error " + result + ": username or password is not correct";
break;
case 403:
$scope.message = "Error " + result + ": username or password is not correct";
break;
default :
$scope.message = "Error " + result + " :unknown error";
}
})
};
Thank you
