  • Getting Bad credentials error messages when using form-login and UserDetailsService


    I am getting an error saying

    Login failed, try again.
    Reason: Bad credentials
    when I try to log in to my web application.

    My project is a Roo project so there are some aspectj files and other configuration files that I don't want to post out just to avoid confusion and save space.

    After I press the submit button to log in, it redirects me to "/login?login_error=t", which is the authentication-failure-url specified in the form-login element, and shows the bad credentials error.

    Here is the configuration:


    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" requires-channel="https"/>
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <form-login login-page="/login" authentication-failure-url="/login?login_error=t" />
        <logout />
        <remember-me />
    </http>

    <authentication-manager alias="myAuthenticationManager">
        <authentication-provider user-service-ref="userDetailsService"/>
    </authentication-manager>

    <beans:bean id="userDetailsService"
          class="service.JpaUserDetailsService" />

    <spring:url value='/j_spring_security_check' var="form_url"/>
    <!-- Login form -->
    <form name="f" action="${form_url}" method="POST">
        <input id="j_username" type="text" name="j_username"/>
        <span class="submit">
            <spring:message code="button.submit" var="submit_label"/>
            <input id="proceed" type="submit" value="${submit_label}"/>
        </span>
    </form>

    public UserDetails loadUserByUsername(final String username)
            throws UsernameNotFoundException {
        final Query query = Person.findPeopleByUsernameEquals(username); // Using aspectj method
        try {
            final Person user = (Person) query.getSingleResult();
            // Copy the user's privileges into Spring Security authorities
            final Set<GrantedAuthority> roles = new HashSet<GrantedAuthority>();
            for (Privilege role : user.getRoles()) {
                roles.add(new GrantedAuthorityImpl(role.getName()));
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug(
                        "User " + user.getFullName() + " has roles = " + roles);
            }
            return new NormalUser(user, roles); // NormalUser is a class extends User
        } catch (EmptyResultDataAccessException e) {
            throw new UsernameNotFoundException("No user called " + username, e);
        } catch (EntityNotFoundException e) {
            throw new UsernameNotFoundException("No user called " + username, e);
        } catch (NonUniqueResultException e) {
            throw new IllegalStateException("Multiple users called " + username, e);
        }
    }

    Debug information shows that the code can show the user's full name and its roles, but I get that bad credentials error, so I can't log in to the web application. Any idea why this would happen?
    Last edited by newguy; May 25th, 2011, 08:26 PM.

  • #2
    I've found out the problem after reading some chapters in the book Spring Security 3 written by Peter Mularien. The bad credentials error is thrown if the username doesn't exist or the username and password don't match.

    In my case the username is correct because it is in the database. But there is no password field in the database because my web app was previously using OpenID for authentication.

    So there is no password field in my login.jspx or my NormalUser.

    In my NormalUser class the constructor uses "N/A" as the password for its superclass constructor:
    User(String username, String password, boolean enabled, boolean accountNonExpired,
                boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)

    So I just need to add this to login.jspx to match what I put in NormalUser as the password and it solves my problem.

    <input id="j_password" type="hidden" name="j_password" value="N/A"/>
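
Added example, not part of the original posts and not Spring Security's own code: a simplified Java model of the check described in #2. It shows why the user loads yet the login fails when the form sends no j_password, and adds a defensive check that flags accounts whose stored password is also held by another account. The class name, the sample accounts and the helper names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Simplified model of a username/password check; not Spring Security's code. */
public class BadCredentialsDemo {

    // Constructed sample store: username -> stored password. Both accounts hold
    // the "N/A" value that NormalUser passes to the User constructor in #2.
    static final Map<String, String> STORED = new LinkedHashMap<>();
    static {
        STORED.put("alice", "N/A");
        STORED.put("bob", "N/A");
    }

    /** Returns the outcome for one login attempt. */
    static String authenticate(String username, String submittedPassword) {
        String stored = STORED.get(username);   // stands in for loadUserByUsername
        if (stored == null) {
            return "Bad credentials";           // username does not exist
        }
        // Assumption of this model: a form without a j_password field is
        // treated as submitting an empty password.
        String presented = submittedPassword == null ? "" : submittedPassword;
        return stored.equals(presented) ? "Authenticated" : "Bad credentials";
    }

    /** Defensive check: lists accounts whose stored password is also held by another account. */
    static List<String> accountsSharingPassword() {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> e : STORED.entrySet()) {
            long holders = STORED.values().stream().filter(e.getValue()::equals).count();
            if (holders > 1) {
                flagged.add(e.getKey());
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        System.out.println("no j_password field: " + authenticate("alice", null));
        System.out.println("hidden field value:  " + authenticate("alice", "N/A"));
        System.out.println("unknown username:    " + authenticate("carol", "N/A"));
        System.out.println("shared password:     " + accountsSharingPassword());
    }
}
```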