Tags: spring, spring-boot, spring-mvc, spring-security, csrf

How can I fix the login issue which is not working after CSRF is enabled with Spring Boot and Spring Security?


I have a Spring Boot application. I am using Spring Security. When I tried to enable CSRF, the login functionality failed. It was working before enabling Spring Security. Please find the attachment and the steps below which I did to enable CSRF. How can I fix this issue?

Security configuration

http
    .authorizeRequests()
    .antMatchers("/ui/static/assets/**").permitAll()
    .antMatchers("/register", "/forgotPassword").permitAll()
    .anyRequest().authenticated()
    .and()
    .formLogin()
    .loginPage("/login")
    .permitAll()
    .defaultSuccessUrl("/addDocument")
    .failureHandler(customAuthenticationFailureHandler)
    .and().exceptionHandling().accessDeniedPage("/Access_Denied")
    .and().logout().permitAll().invalidateHttpSession(true);

login.jsp

<form action="${pageContext.servletContext.contextPath}/login" class="form-horizontal" method="post" id="formLogin" data-parsley-validate="">
    <sec:csrfInput />
    <input class="form-control input-lg" type="email" name="username" id="username"  placeholder="Enter your email" data-parsley-required="true">
    <input class="form-control input-lg" type="password" id="pwd" name="password" placeholder="Enter your password" data-parsley-required="true">
    <button class="btn w-lg btn-rounded btn-lg btn-primary waves-effect waves-light" id="signInBtn" type="submit" value="Next">Sign In</button>
</form>

addDocument.jsp

<form:form method="POST" action="${pageContext.servletContext.contextPath}/submitDocument" id="fileUploadForm" enctype="multipart/form-data" modelAttribute="documentSignature">
    <form:hidden path="rewrite" value="true" />
    <sec:csrfInput/>

    <div class="form-group row">
        <label class="control-label col-md-3">Upload Document <span class="text-danger">*</span></label>
        <div class="controls col-md-9">
            <div class="form-group">
                  <input type="file" class="filestyle" id="fileUpload" name="file" data-buttonname="btn-primary" data-iconname="fa fa-upload">
            </div>
        </div>
    </div>

    <div class="form-group row">
         <label class="col-lg-12 control-label ">(*) Mandatory</label>
    </div>

    <div class="actions clearfix">
        <!-- <input class="btn btn-primary customButton" id="btnAddDocument" type="submit" value="Next" >
        <i class="fas fa-spinner fa-spin" id="loadingBtn" style="display:none;"></i>     -->
        <button class="btn customButton btn-primary waves-effect waves-light" id="btnAddDocument" type="submit" value="Next">Next
        <i class="fas fa-spinner fa-spin" id="loadingBtn" style="display:none;"></i></button>
    </div>
</form:form>



Solution

  • If you define your own custom login page, then:
    In loginPage("/showLoginPage") you should pass the URL that maps to your controller. You also need to add loginProcessingUrl("/authenticate") for the submit request (see the Javadoc for FormLoginConfigurer.loginPage()).
    Example: a possible login controller

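    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.GetMapping;

    @Controller
    public class LoginController {

        // Serves the login form; this is the URL passed to loginPage(...)
        @GetMapping("/showLoginPage")
        public String showLoginPage() {
            return "login";  // your login jsp page
        }
    }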
    

    In SecurityConfiguration:

    protected void configure(HttpSecurity http) throws Exception {
        http
            ...
            .loginPage("/showLoginPage")
            .loginProcessingUrl("/authenticate")
    

    In JSP page login.jsp:

    <form:form action="${pageContext.request.contextPath}/authenticate" method="post">
        <%-- authenticate = loginProcessingUrl --%>
        ...
    </form:form>
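
The answer's two settings merged into the question's configuration, as an added example that is not part of the original answer. It assumes the Spring Security 5.x WebSecurityConfigurerAdapter style used on this page; the constructor injection and the type of customAuthenticationFailureHandler are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumption: the question's customAuthenticationFailureHandler is a bean of this type.
    private final AuthenticationFailureHandler customAuthenticationFailureHandler;

    public SecurityConfiguration(AuthenticationFailureHandler customAuthenticationFailureHandler) {
        this.customAuthenticationFailureHandler = customAuthenticationFailureHandler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is on by default; there is deliberately no csrf().disable() here,
            // so every POST (including the login POST) must carry the token from <sec:csrfInput />.
            .authorizeRequests()
                .antMatchers("/ui/static/assets/**").permitAll()
                .antMatchers("/register", "/forgotPassword").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/showLoginPage")          // GET: controller mapping that returns login.jsp
                .loginProcessingUrl("/authenticate")  // POST: handled by Spring Security's login filter
                .defaultSuccessUrl("/addDocument")
                .failureHandler(customAuthenticationFailureHandler)
                .permitAll()                          // opens both URLs above to anonymous users
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied")
                .and()
            .logout().permitAll().invalidateHttpSession(true);
    }
}
```

The login form's action must then point at ${pageContext.request.contextPath}/authenticate and keep the <sec:csrfInput /> tag so the token is submitted with the credentials.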