
  • Web login doesn't work after one failed attempt

    Hi,

    I'm setting up a simple form-login to restrict access to parts of a web app. The problem is that it doesn't
    work when the user first logs in with bad credentials and then does it again with correct credentials - they are forced back to the login form.

    Here is what I see in the debugger:
    1. The user tries to log in with incorrect credentials - I see the authenticator give them the right Authorities, and then we go into the URL onLoginSuccess, as shown below.
    2. The user then tries to log in with CORRECT credentials. They are again thrown back to the login page.
    When I trace with a debugger, I do see them being given the correct Authorities by the authenticator. After that we are going to the URL onLoginFailure (and then redirected back to the original login). How is it possible that they go to the authentication-failure-url when the authentication succeeded?

    Here is the setup:

    Code:
        <bean id="myAuthenticationProvider"
              class="MyAuthenticationProvider"/>

        <security:authentication-manager>
            <security:authentication-provider ref="myAuthenticationProvider"/>
        </security:authentication-manager>

        <security:http pattern="/login/login" security="none"/>
        <security:http pattern="/login/onLoginFailure" security="none"/>

        <security:http>
            <security:form-login login-page="/login/login"
                                 default-target-url="/login/onLoginSuccess"
                                 always-use-default-target="true"
                                 authentication-failure-url="/login/onLoginFailure"
                                 username-parameter="username"
                                 password-parameter="password"/>

            <security:intercept-url pattern="/**" access="ROLE_USER"/>

            <security:session-management session-fixation-protection="migrateSession">
                <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
            </security:session-management>
        </security:http>
    And here is the custom authentication provider code:
    Code:
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            String username = authentication.getName();
            String password = (String) authentication.getCredentials();

            // The post elides the custom credential check called here;
            // checkCredentials is a hypothetical stand-in name for it.
            boolean loginSuccess = checkCredentials(username, password);

            if (loginSuccess) {
                // Successful login: every authenticated user is granted ROLE_USER.
                List<GrantedAuthority> grantedAuth = new ArrayList<GrantedAuthority>();
                grantedAuth.add(new GrantedAuthorityImpl("ROLE_USER"));
                Authentication authToken =
                        new UsernamePasswordAuthenticationToken(username, password, grantedAuth);
                return authToken;
            }

            // Failed login: reject with BadCredentialsException.
            throw new BadCredentialsException(username);
        }
    Thanks.