
Difficulties with basic Spring Security Configuration


I'm trying to build a very basic, straightforward authentication for a Spring project.

The problem I'm having is that the application constantly sends me to the "login-failed" page, although I've declared 2 basic accounts (admin and user).

My application-Security.xml:

<http auto-config="true" use-expressions="true">
    <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login/denied" />
    <logout logout-url="/resources/j_spring_security_logout" />
    <!-- Configure these elements to secure URIs in your application -->
    <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/member/**" access="isAuthenticated()" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/home/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/*Details/*" access="hasRole('ROLE_USER')" />
</http>
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
    <!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
    <authentication-provider>
        <password-encoder hash="sha-256" />
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
            <user name="user" password="user" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

My VERY basic login form:

<form action="/${app_name}/resources/j_spring_security_check" method="POST">
    <label for="j_username">Username</label>
    <input id="j_username" name="j_username" type="text" /><br/>

    <label for="j_password">Password</label>
    <input id="j_password" name="j_password" type="password" /><br/>

    <input type="submit" value="Login" />
</form>

For now the controller is there only to resolve the URLs for login, login/denied etc.

I'm just starting out with Spring and Roo, so this might just be something obvious that I'm overlooking.

Thanks to anyone taking the time to answer.


Solution

  • Your problem is that you have defined a password-encoder

    <password-encoder hash="sha-256" />

    while your password is plain text

    <user name="admin" password="admin" authorities="ROLE_ADMIN" />

    Either remove the encoder or (better) specify the password, encoded with the algorithm you have chosen (sha-256).
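As an added example (not part of the question or the answer above), the following Python reproduces what Spring Security 3.x's ShaPasswordEncoder stores for hash="sha-256" (lower-case hex of the SHA-256 digest, with an optional salt appended as "{salt}" before hashing, no base64) and generates the corrected <user> entries for the two accounts in the question. It assumes that encoder with its default settings and no salt-source; the function names are mine.

```python
import hashlib
import hmac
from typing import Optional
from xml.sax.saxutils import quoteattr


def sha256_encode(raw_password: str, salt: Optional[str] = None) -> str:
    """Mirror ShaPasswordEncoder (hash="sha-256"): an optional salt is merged as
    rawPassword + "{" + salt + "}", the result is SHA-256 hashed and the digest is
    stored as lower-case hex (the encoder's default; base64 is opt-in)."""
    merged = raw_password if salt is None else f"{raw_password}{{{salt}}}"
    return hashlib.sha256(merged.encode("utf-8")).hexdigest()


def password_matches(stored: str, raw_password: str, salt: Optional[str] = None) -> bool:
    """What the provider does at login: encode the submitted password the same way
    and compare it (constant-time) with the value in <user password="...">."""
    return hmac.compare_digest(stored.lower(), sha256_encode(raw_password, salt))


def user_element(name: str, raw_password: str, authorities: str) -> str:
    """Emit a <user> element whose password attribute is already SHA-256 encoded,
    i.e. what the config needs once <password-encoder hash="sha-256"/> is kept."""
    return (
        f"<user name={quoteattr(name)} "
        f"password={quoteattr(sha256_encode(raw_password))} "
        f"authorities={quoteattr(authorities)} />"
    )


if __name__ == "__main__":
    # The question's state: encoder is sha-256, but the stored value is the
    # plaintext "admin", so the hex digest of the submitted "admin" never matches.
    print(password_matches("admin", "admin"))                   # False
    # Corrected entries for the question's two accounts (constructed passwords).
    print(user_element("admin", "admin", "ROLE_ADMIN"))
    print(user_element("user", "user", "ROLE_USER"))
    print(password_matches(sha256_encode("admin"), "admin"))    # True
```

Paste the two printed <user> elements into the user-service in place of the plaintext ones; the hex value for "admin" is the same one `echo -n admin | sha256sum` prints.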