I’ve configured my Spring app to authenticate logins using the /authenticate URL, but each time I try signing in it throws the following error:
org.springframework.web.servlet.DispatcherServlet.noHandlerFound No mapping for POST /authenticate
I’m confused because as far as I’m aware, the loginProcessingUrl should be allowing Spring to handle the authentication in the background without needing me to provide a URL.
Below is my SecurityConfig class:
```java
package com.eyanu.tournamentproject.config;

import com.myProject.tournamentproject.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserService userService;

    @Bean
    public BCryptPasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/register**", "/*.css", "/tournament**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .permitAll()
                .and()
            .logout().permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**", "/vendor/**", "/fonts/**").anyRequest();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setPasswordEncoder(encoder());
        authenticationProvider.setUserDetailsService(userService);
        return authenticationProvider;
    }
}
```
And the form which is trying to submit the login credentials:
```jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>Login</title>
</head>
<body>
<form:form action="${pageContext.request.contextPath}/authenticate" method="POST">
    <p>
        Username: <input type="text" name="username">
    </p>
    <p>
        Password: <input type="password" name="password">
    </p>
    <input type="submit" value="Log in">
</form:form>
</body>
</html>
```
Answer
As far as I can see, the problem is in this line of code:

```java
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**", "/vendor/**", "/fonts/**").anyRequest();
}
```

Remove .anyRequest()
NOTE: Ignore is a filter that completely bypasses Spring Security, which is equivalent to not taking Spring Security.
So basically, URL requests which you set here web.ignoring().antMatchers(URLs) will be ignored by Spring Security, which means that these URLs will be vulnerable to CSRF, XSS, Clickjacking, etc. If you add .anyRequest() then all requests will be ignored by Spring Security (including "/authorize"), and that’s why you are getting 404.
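
A regression check for the fix in this answer, as an added example that is not part of the original post: a MockMvc test that fails whenever /authenticate bypasses the Spring Security filter chain. It assumes Spring Security 5.x with spring-security-test and JUnit 5 on the classpath; `LoginProcessingUrlTest`, `FixedConfig`, the user `alice` and the `/account` path are constructed for illustration.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.*;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import org.junit.jupiter.api.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@SpringJUnitWebConfig(LoginProcessingUrlTest.FixedConfig.class)
class LoginProcessingUrlTest {
    @EnableWebSecurity // hypothetical test-only copy of the page's rules, with the fix applied
    static class FixedConfig extends WebSecurityConfigurerAdapter {
        @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Constructed in-memory user standing in for the page's UserService.
            auth.inMemoryAuthentication().withUser("alice").password("{noop}secret").roles("USER");
        }
        @Override protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/", "/register**", "/*.css", "/tournament**").permitAll()
                    .anyRequest().authenticated()
                .and().formLogin().loginPage("/login").loginProcessingUrl("/authenticate").permitAll()
                .and().logout().permitAll();
        }
        @Override public void configure(WebSecurity web) { // static resources only, no trailing .anyRequest()
            web.ignoring().antMatchers("/resources/**", "/static/**", "/js/**", "/images/**", "/vendor/**", "/fonts/**");
        }
    }
    @Autowired WebApplicationContext context;
    MockMvc mvc;
    @BeforeEach void setUp() { mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build(); }
    @Test void loginPostReachesTheFilterChain() throws Exception {
        mvc.perform(formLogin("/authenticate").user("alice").password("secret"))
           .andExpect(authenticated().withUsername("alice"));
    }
    @Test void badPasswordRedirectsInsteadOf404() throws Exception {
        mvc.perform(formLogin("/authenticate").user("alice").password("wrong"))
           .andExpect(unauthenticated()).andExpect(redirectedUrl("/login?error"));
    }
    @Test void protectedUrlStillRequiresLogin() throws Exception {
        mvc.perform(get("/account")).andExpect(redirectedUrlPattern("**/login"));
    }
}
```

With `.anyRequest()` restored on `web.ignoring()`, all three tests fail because no request reaches the filter chain.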