Announcement Announcement Module
Collapse
No announcement yet.
Authentication-failure-url Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Authentication-failure-url

    Good afternoon,
    I'm implementing a project with Spring Security and Hibernate that you simply have a registration page and login.
    my login page is not working as it should ...
    The user exists in the database and userDetailsService me find it but I am always redirected to the login page with an error ...

    my file application-springsecurity.xml is:

    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:context="http://www.springframework.org/schema/context"
    	    xmlns:security="http://www.springframework.org/schema/security"
    		xmlns:mvc="http://www.springframework.org/schema/mvc"
    	xmlns:p="http://www.springframework.org/schema/p" 
    	xmlns:tx="http://www.springframework.org/schema/tx"
    	
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	http://www.springframework.org/schema/security
    	http://www.springframework.org/schema/security/spring-security-3.0.xsd
    	http://www.springframework.org/schema/context 
    	http://www.springframework.org/schema/context/spring-context-3.0.xsd
    	http://www.springframework.org/schema/security 
    			http://www.springframework.org/schema/security/spring-security-3.0.xsd
    			http://www.springframework.org/schema/mvc 
    			http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
    			http://www.springframework.org/schema/tx
            http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
    
    
    <!-- A custom service where Spring will retrieve users and their corresponding access levels  -->
    	<beans:bean id="customUserDetailsService" class="main.esempio.service.CustomUserDetailsService"/>
    	
    
    
    	
    <security:http auto-config="true" use-expressions="true" access-denied-page="/denied" >
    	
    		<security:intercept-url pattern="/login" access="permitAll"/>
    		<security:intercept-url pattern="/common" access="hasRole('ROLE_USER')"/>
    		
    		<security:form-login
    				login-page="/login" 
    				authentication-failure-url="/login?error=true" 
    				default-target-url="/common"
    				login-processing-url="/j_spring_security_check"/>
    			
    		<security:logout 
    				invalidate-session="true" 
    				logout-success-url="/login" 
    				logout-url="/logout"/>
    	
    	</security:http>
    	
    	<!-- Declare an authentication-manager to use a custom userDetailsService -->
    	<security:authentication-manager>
    	        <security:authentication-provider user-service-ref="customUserDetailsService">
    	        		<security:password-encoder ref="passwordEncoder"/>
    	        </security:authentication-provider>
    	</security:authentication-manager>
    	
    	<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
    	<beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>
    
     
      	
    	<!-- Activates various annotations to be detected in bean classes -->
    	<context:annotation-config />
    	
    	<!-- Scans the classpath for annotated components that will be auto-registered as Spring beans.
    	 For example @Controller and @Service. Make sure to set the correct base-package-->
    	<context:component-scan base-package="main.esempio" />
    	
    		
    </beans:beans>
    the class that implements userDetailsService is:

    Code:
    package main.esempio.service;
    
    
    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;
    
    import main.esempio.dominio.Utenti;
    
    
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.dao.DataAccessException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;
    import org.springframework.transaction.annotation.Transactional;
    
    import main.esempio.dao.UtentiDAO;
    
    /**
     * A custom service for retrieving users from a custom datasource, such as a database.
     * <p>
     * This custom service must implement Spring's {@link UserDetailsService}
     */
    @Service
    @Transactional
    public class CustomUserDetailsService implements UserDetailsService {
    	
    
    	@Autowired
    	private UtentiDAO userDAO ;
    	
    	/**
    	 * Retrieves a user record containing the user's credentials and access. 
    	 */
    
    	
    	/**
    	 * Retrieves the correct ROLE type depending on the access level, where access level is an Integer.
    	 * Basically, this interprets the access value whether it's for a regular user or admin.
    	 * 
    	 * @param access an integer value representing the access of the user
    	 * @return collection of granted authorities
    	 */
    	 public Collection<GrantedAuthority> getAuthorities(Integer access) 
    	 {
    		 System.out.println("sono in getAutority");
    			// Create a list of grants for this user
    			List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
    			
    			// All users are granted with ROLE_USER access
    			// Therefore this user gets a ROLE_USER by default
    			authList.add(new GrantedAuthorityImpl("ROLE_USER"));
    			
    			// Check if this user has admin access 
    			// We interpret Integer(1) as an admin user
    			if ( access.compareTo(1) == 0) {
    				// User has admin access
    				authList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
    			}
    
    			// Return list of granted authorities
    			return authList;
    	  }
    
    	@Override
    	public UserDetails loadUserByUsername(String username)
    			throws UsernameNotFoundException, DataAccessException
    			{
    		System.out.println("sono in loadUserByUsername ");
    		// TODO Auto-generated method stub
    		// Declare a null Spring User
    				UserDetails user = null;
    				
    				try {
    					
    					// Search database for a user that matches the specified username
    					// You can provide a custom DAO to access your persistence layer
    					// Or use JDBC to access your database
    					// DbUser is our custom domain user. This is not the same as Spring's User
    					Utenti utenti = userDAO.findUtente(username);
    					// Populate the Spring User object with details from the dbUser
    					// Here we just pass the username, password, and access level
    					// getAuthorities() will translate the access level to the correct role type
    					System.out.println("sono nel try");
    					user =  new User(
    							utenti.getUtentiName(), 
    							utenti.getPassword().toLowerCase(),
    							true,
    							true,
    							true,
    							true,
    							getAuthorities(utenti.getAccess()) );
    					
    
    				} catch (Exception e) {
    					throw new UsernameNotFoundException("Error in retrieving user");
    				}
    				
    				// Return user to Spring for processing.
    				// Take note we're not the one evaluating whether this user is authenticated or valid
    				// We just merely retrieve a user that matches the specified username
    				System.out.println("ritorno l'utente trovato");
    				System.out.println("l'utente trovato ha autority"+user.getAuthorities().toString());
    				return user;
    	}
    }
    my login and logout controller is:

    Code:
    package main.esempio.controller;
    
    
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.ModelMap;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;
    
    /**
     * Handles and retrieves the login or denied page depending on the URI template
     */
    @Controller
    public class LoginLogoutController {
            
    
    	/**
    	 * Handles and retrieves the login JSP page
    	 * 
    	 * @return the name of the JSP page
    	 */
    	@RequestMapping(value = "login", method = RequestMethod.GET)
    	public String getLoginPage(@RequestParam(value="error", required=false) boolean error, 
    			ModelMap model) {
    
    		// Add an error message to the model if login is unsuccessful
    		// The 'error' parameter is set to true based on the when the authentication has failed. 
    		// We declared this under the authentication-failure-url attribute inside the spring-security.xml
    		/* See below:
    		 <form-login 
    				login-page="/auth/login" 
    				authentication-failure-url="/auth/login?error=true" 
    				default-target-url="/main/common"/>
    		 */
    		//System.out.println("l'errore  "+logger.getAdditivity());
    		System.out.println("sono in loginlogoutController ");
    		
    		System.out.println("il modello "+model.toString());
    		if (error == true) {
    			//logger.setAdditivity(false);	
    			System.out.println("l'errore c'");
    			// Assign an error message
    			model.put("error", "Utente non valido Riprovare");
    		} else {
    			System.out.println("non c' errore");
    			model.put("error", "");
    			//return "common";
    		}
    		System.out.println("ritorno login");
    		// This will resolve to /WEB-INF/jsp/loginpage.jsp
    		return "login";
    	}
    
    	
    	
    	/**
    	 * Handles and retrieves the denied JSP page. This is shown whenever a regular user
    	 * tries to access an admin only page.
    	 * 
    	 * @return the name of the JSP page
    	 */
    	@RequestMapping(value = "denied", method = RequestMethod.GET)
     	public String getDeniedPage() {
    		
    		System.out.println("sono in denied e ritorno denied");
    		// This will resolve to /WEB-INF/jsp/deniedpage.jsp
    		return "deniedpage";
    	}
    }
    I know someone explain why not in never before / common and I always go to authentication-failure-url = "/ login? error = false"??
Working...
X