I am trying to complete a login system but when I log in, I get the following error

  • "HTTP Error 404 CANNOT FIND "http://localhost:8181/user_login"

I know this obviously means cannot find it, but I'm confused on why it can't find it. Here is my security config

@EnableWebSecurity
@Configuration
@Order(2)
public class UserSecurityConfig extends WebSecurityConfigurerAdapter {

    protected void user(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .and()
                .formLogin()
                .loginPage("/user_login")
                .defaultSuccessUrl("/success")
                .failureUrl("/login?error==true")
                .permitAll()
            .and()
                .csrf()
                .disable();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new CustomUserDetailsService();
    }

    @Autowired
    public void configurationGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

And the login form

<form:form name='user' action="/user_login" method='POST'>

    <form:errors path="username" />

    <label for="username">Email address</label>
    <input type='text' class="form-control" name='username' value='' placeholder="Enter Email address">
    <label for="password">Password: </label>
    <input type='password' class="form-control" name='password' />

    <input name="submit" class="btn btn-primary" type="submit" value="submit" />

</form:form>

Here is my other security for Admin that works

@EnableWebSecurity
@Configuration
@Order(1)
public class AdminSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("12345").roles("ADMIN")
            .and()
            .withUser("tester").password("56789").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/newUser").permitAll()
                .antMatchers("/admin").hasAnyRole("ADMIN")
            .and()
                .formLogin()
                .loginPage("/login1")
                .defaultSuccessUrl("/admin")
                .failureUrl("/login?error=true")
                .permitAll()
            .and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
            .and()
                .csrf()
                .disable();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

If anyone has any idea or tips to solve this issue I would be very grateful. Thank you Jim

1 Answer

The main issue is the incorrect way of defining the spring-security configuration. When you use WebSecurityConfigurerAdapter, you should use method overrides for defining custom settings, because Spring doesn't know how to find that method:

protected void user(HttpSecurity http) throws Exception {
         http.authorizeRequests()
            .and()
                .formLogin()
                .loginPage("/user_login")
                .defaultSuccessUrl("/success")
                .failureUrl("/login?error==true")
                .permitAll()
            .and()
                .csrf()
                .disable()

            ;
}    

Working version:

@Configuration
@EnableWebSecurity
public class UserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .and()
                .formLogin()
                .loginPage("/user_login")
                .defaultSuccessUrl("/success")
                .failureUrl("/login?error==true")
                .permitAll()
                .and()
                .csrf().disable();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new CustomUserDetailsService();
    }

    @Override
    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService())
                .passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

United version: I am using spring-security 5.4.2

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/newUser").permitAll()
                .antMatchers("/admin").hasAnyRole("ADMIN")
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .failureUrl("/login?error==true")
                .successHandler((httpServletRequest, httpServletResponse, authentication) -> {
                    Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
                    if (roles.contains("ROLE_ADMIN")) {
                        httpServletResponse.sendRedirect("/admin");
                    } else {
                        httpServletResponse.sendRedirect("/success");
                    }
                })
                .permitAll()
                .and()
                    .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/")
                    .deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true)
                .and()
                .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("{noop}password").roles("USER")
                .and()
                .withUser("admin").password("{noop}12345").roles("ADMIN")
                .and()
                .withUser("tester").password("{noop}56789").roles("ADMIN");
    }

}

I tested the login possibilities, and everything works. Of course, we cannot support two different defaultSuccessUrl values, because the HTTP mapping (HttpSecurity) is a single instance, and whichever config is loaded first, its defaultSuccessUrl will be used for the login form. I omitted the loginPage config, and I don't think that we can support both login pages, the same as for the defaultSuccessUrl config.
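
A hardened variant of the united configuration above, as an added example that is not part of the original answer: it leaves CSRF protection at its default (enabled) and verifies logins against a BCrypt hash instead of `{noop}` plaintext passwords. The class name `HardenedSecurityConfig` and the property `app.security.admin-password-hash` are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class HardenedSecurityConfig extends WebSecurityConfigurerAdapter {
    // Hypothetical property holding a BCrypt hash generated offline, never the raw password.
    @Value("${app.security.admin-password-hash}")
    private String adminPasswordHash;

    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No .csrf().disable(): the generated login page carries the CSRF token itself.
        http.authorizeRequests()
                .antMatchers("/", "/newUser").permitAll()
                .antMatchers("/admin").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .successHandler((request, response, authentication) -> {
                    boolean admin = AuthorityUtils.authorityListToSet(authentication.getAuthorities()).contains("ROLE_ADMIN");
                    response.sendRedirect(admin ? "/admin" : "/success"); // fixed targets only
                })
                .permitAll()
                .and()
            .logout() // with CSRF enabled, logout is POST /logout and needs the token
                .logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("admin").password(adminPasswordHash).roles("ADMIN");
    }
}
```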


5 Comments

Thank you for your response, I'm afraid that still isn't working. I have order as I have an @Order(1) for my admin login that works fine. I'll add that to the question to stop confusion. Have you got any other ideas on what I can do to fix it?
I think you should unite the two security configs in a single class, because I expect a collision of the two WebSecurityConfigurerAdapter-typed classes.
I updated the answer; please check the common config. Does it suit you?
Thank you for your help, the answer works perfectly
I'm glad that it turned out!
