Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


java - Spring boot with Spring Security j_spring_security_check not allowed

My Spring Security Config

@Configuration
@EnableWebSecurity
@ComponentScan({"org.app.genesis.client.auth"})
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationProvider customAuthProvider;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthProvider);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .and()
            .formLogin().loginPage("/").failureUrl("/?error")
            .and()
            .logout().logoutSuccessUrl("/?logout")
            .and()
            .csrf();
    }
}

My application.properties

spring.view.prefix: /WEB-INF/jsp/
spring.view.suffix: .jsp
security.basic.enabled=false
logging.level.org.springframework.security=INFO

My Spring Boot configuration

@SpringBootApplication
@ComponentScan({"org.app.genesis.client.controller","org.app.genesis.commons.service",
    "org.app.genesis.commons.security","org.app.genesis.inventory.service","org.app.genesis.client.auth"})
@EnableJpaRepositories(basePackages = "org.app.genesis.*.repo")
@EntityScan(basePackages = "org.app.genesis.*.model")
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        ApplicationContext ctx = SpringApplication.run(Application.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }

}

A Gist of my pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-tomcat</artifactId>
    <scope>provided</scope>
</dependency>
<!-- Spring Framework Dependencies -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-actuator</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <scope>provided</scope>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

The login form

<form class="form-signin" name="f" action="${pageContext.request.contextPath}/j_spring_security_check" method="POST">
    <fieldset>
        <input class="form-control form-group" type="text" name="j_username" placeholder="Username">
        <input class="form-control" type="password" name="j_password" placeholder="Password">
        <a class="forgot pull-right" href="#">Forgot password?</a>
        <button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
    </fieldset>
</form>

The controller that generates the page

@RequestMapping(value="/")
public String index() {
    return "index";
}

However upon logging in this error shows


I am trying to migrate my existing security.xml configuration to annotations, but the said error pops up. Here is my security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context.xsd">

    <context:component-scan base-package="org.brightworks.genesis.client.auth"/>

    <http pattern="/resources/**" security="none"/>
    <http pattern="/index.jsp" security="none"/>

    <http>
        <intercept-url pattern="/api/*" requires-channel="https"/>
        <!--TODO Add RESOURCE PATTERN checker -->
        <form-login login-page="/index.jsp" default-target-url="/dashboard"/>
        <logout />
    </http>

    <!-- Test Login values -->
    <authentication-manager>
        <!--use inMemoryUserDetailsService for faux auth -->
        <authentication-provider ref="customAuthenticationProvider"/>
    </authentication-manager>
</beans:beans>

Just in case you guys need to see the package structure

Have I missed anything in the configurations?


1 Answer


From the link below, you can see that for annotation-based Java config the following things hold:

http://spring.io/blog/2013/07/03/spring-security-java-config-preview-web-security/

  1. GET /login renders the login page instead of /spring_security_login

  2. POST /login authenticates the user instead of /j_spring_security_check

You need to make the following changes to get your security working.

Change your spring security config as follows

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login/")
                .loginProcessingUrl("/login")
                .failureUrl("/login?error")
                .permitAll();
    }

Your JSP should be (j_spring_security_check replaced with login, j_username replaced with username)

<form class="form-signin" name="f" action="${pageContext.request.contextPath}/login" method="POST">
    <fieldset>
        <input class="form-control form-group" type="text" name="username" placeholder="Username">
        <input class="form-control" type="password" name="password" placeholder="Password">
        <a class="forgot pull-right" href="#">Forgot password?</a>
        <button name="submit" class="btn btn-block btn-primary" type="submit">Sign in</button>
    </fieldset>
</form>

To specify dashboard as the default target URL, you can do the following.

@Override
public void addViewControllers(ViewControllerRegistry registry) {
    registry.addViewController("/login").setViewName("login");
    registry.addViewController("/").setViewName("dashboard");
    registry.addViewController("/dashboard").setViewName("dashboard");
}
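
An added example, not part of the original answer: the asker's security.xml carried over to Java config while keeping the existing form's endpoint and field names, by setting them explicitly instead of relying on the new defaults. It assumes the `WebSecurityConfigurerAdapter`-era Spring Security used in the question; the class name is hypothetical, and requiring authentication for every other request follows the answer rather than the XML.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; mirrors the asker's security.xml in Java config.
@Configuration
@EnableWebSecurity
public class LegacyFormLoginSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private AuthenticationProvider customAuthProvider;
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(customAuthProvider);
    }
    @Override
    public void configure(WebSecurity web) {
        // Equivalent of <http pattern="/resources/**" security="none"/>
        web.ignoring().antMatchers("/resources/**");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
                .antMatchers("/api/*").requiresSecure()   // requires-channel="https"
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()             // assumption, as in the answer
                .and()
            .formLogin()
                .loginPage("/")
                .loginProcessingUrl("/j_spring_security_check")  // legacy POST target
                .usernameParameter("j_username")                 // legacy field names
                .passwordParameter("j_password")
                .defaultSuccessUrl("/dashboard")                 // default-target-url
                .failureUrl("/?error")
                .permitAll()
                .and()
            .logout()
                .logoutSuccessUrl("/?logout")
                .permitAll();
        // CSRF protection stays on (the Java-config default), so the JSP form must also post:
        // <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    }
}
```

The same hidden `_csrf` field is needed with the answer's `POST /login` form; without it the login POST is rejected with 403 even when the URL and parameter names are correct.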
