Spring-security shows "Bad Credentials" even before submitting a form

Question

Spring-security shows "Bad Credentials" even before submitting a form

I have code for spring security, but it does not work. When I open the login page and enter the username / password admin@myproject.com / secret, the following error message will be displayed. After entering the username / password after adding to the address ?error=1 , even if I delete it manually and refresh the page message, it will not disappear. Nothing is displayed in the console.

 Your login attempt was not successful due to Bad credentials.

spring -security.xml

 <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd"> <beans:import resource='login-service.xml' /> <http auto-config="true" access-denied-page="/notFound.jsp" use-expressions="true"> <intercept-url pattern="/" access="permitAll" /> <intercept-url pattern="/member**" access="hasRole('ROLE_MEMBER')" /> <form-login login-page="/signin" default-target-url="/index" authentication-failure-url="/signin?error=1" /> <logout logout-success-url="/login?logout" /> <csrf /> </http> <authentication-manager> <authentication-provider> <user-service> <user name=" admin@myproject.com " password="secret" authorities="ROLE_ADMIN"/> <user name=" user@yahoo.com " password="secret" authorities="ROLE_USER"/> </user-service> </authentication-provider> </authentication-manager> </beans:beans>

The form has the following code, it seems that SPRING_SECURITY_LAST_EXCEPTION not empty even before submitting the form.

 <c:if test="${not empty SPRING_SECURITY_LAST_EXCEPTION}"> <font color="red"> Your login attempt was not successful due to <br /> <br /> <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />. </font> </c:if> <form id="form-login" role="form" method="post" action="<c:url value='/j_spring_security_check' />" class="relative form form-default"> <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />

I'm not sure why, but the same code returns the following error

 Your login attempt was not successful due to Authentication method not supported: GET.

+7

java spring spring-security

Daniel Newtown Dec 12 '15 at 9:26

source share

4 answers

Ralph · Answer 1 · 2015-12-12T09:41:23+0000

You need to allow everyone access to your page /signin , even if it is not authenticated.

 <intercept-url pattern="/signin" access="permitAll" />

I wrote this answer before the question was changed the first time the question was (this is still the name): "Spring-security shows" Bad Credentials "even before submitting the form"

tharindu_DG · Answer 2 · 2015-12-15T09:37:16+0000

 <intercept-url pattern="/member**" access="hasRole('ROLE_MEMBER')" /> <user name=" user@yahoo.com " password="secret" authorities="ROLE_USER"/>

More configurations have two different role names ROLE_MEMBER and ROLE_USER

UPDATE

Since Authentication method not supported: GET , try to enable GET .

 <bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" p:postOnly="false" />

And the following change is also required in web.xml

 <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> </filter-mapping>

Hope this helps

holmis83 · Answer 3 · 2015-12-16T07:43:45+0000

SPRING_SECURITY_LAST_EXCEPTION remains in the session, even if you refresh the page. You need to check the error parameter:

 <c:if test="${(not empty param.error) && (not empty SPRING_SECURITY_LAST_EXCEPTION)}">

m.aibin · Answer 4 · 2015-12-19T02:49:30+0000

I assume that your login controller method does redirect or forward and then tries to send an HTTP GET request to the HTTP GET URL with username and password as request parameters. It is generally considered improper practice to send credentials as URL parameters, and why this is prohibited. Instead, send an HTTP POST . If you want to stay with GET , you can bypass the check using the request wrapper, which returns an HTTP POST instead of an HTTP GET for getMethod .

The updated answer from @tharingu_DG should work, but it is still technically equivalent to sending unencrypted credentials, since anyone who stole it can use it for authentication.

Spring-security shows "Bad Credentials" even before submitting a form

More articles: