Spring giving 404 on loginProcessingUrl when authenticating login

I’ve configured my Spring app to authenticate logins using the /authenticate url, but each time I try signing in it throws the following error:

org.springframework.web.servlet.DispatcherServlet.noHandlerFound No mapping for POST /authenticate

I’m confused because as far as I’m aware, the loginProcessingUrl should be allowing Spring to handle the authentication in the background without needing me to provide a URL.

Below is my SecurityConfig class:

package com.eyanu.tournamentproject.config;

import com.myProject.tournamentproject.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserService userService;

    @Bean
    public BCryptPasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/register**","/*.css", "/tournament**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .permitAll()
                .and()
                .logout().permitAll();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**","/vendor/**","/fonts/**").anyRequest();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setPasswordEncoder(encoder());
        authenticationProvider.setUserDetailsService(userService);

        return authenticationProvider;
    }

}

And the form which is trying to submit the login credentials:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<html>
<head>
    <title>Login</title>
</head>
<body>
<form:form action="${pageContext.request.contextPath}/authenticate" method="POST">
    <p>
    Username: <input type="text" name="username">
    </p>
    <p>
    Password: <input type="password" name="password">
    </p>

    <input type="submit" value="Log in">

</form:form>
</body>
</html>


Answer

As far as I can see, the problem is in this line of code:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**","/vendor/**","/fonts/**").anyRequest();
}

Remove .anyRequest().

NOTE: Ignore is a filter that completely bypasses Spring Security, which is equivalent to not taking Spring Security.
So basically, URL requests which you set here web.ignoring().antMatchers(URLs) will be ignored by Spring Security, which means that these URLs will be vulnerable to CSRF, XSS, Clickjacking, etc. If you add .anyRequest() then all requests will be ignored by Spring Security (including "/authorize"), and that’s why you are getting 404.

7 People found this is helpful
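
A regression check for the misconfiguration described in the answer above, as an added example that is not part of the original question or answer: it fails whenever the security filter chain is bypassed for the login URL or for a protected page. It assumes a Spring Boot 2.x application with spring-security-test and JUnit 5 on the test classpath; the class name, the credentials and the path /some-protected-page are hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Assumption: loads the application context, including the SecurityConfig from the question.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigFilterChainTest {

    @Autowired
    private MockMvc mockMvc;

    // If web.ignoring() covers every request, no security filter runs, the POST
    // falls through to DispatcherServlet and the status is 404. With the filter
    // chain active, the form-login filter handles the POST and a failed login
    // redirects to the default failure URL for loginPage("/login").
    @Test
    void loginProcessingUrlIsHandledBySecurityFilter() throws Exception {
        mockMvc.perform(formLogin("/authenticate")   // sends username, password and a CSRF token
                        .user("no-such-user")        // constructed credentials
                        .password("wrong-password"))
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrl("/login?error"))
                .andExpect(unauthenticated());
    }

    // anyRequest().authenticated() must send an anonymous visitor to the login
    // page. When every request is ignored, this request is never challenged.
    @Test
    void protectedPathRedirectsAnonymousUserToLogin() throws Exception {
        mockMvc.perform(get("/some-protected-page")) // hypothetical path outside the permitAll() list
                .andExpect(status().is3xxRedirection())
                .andExpect(redirectedUrlPattern("**/login"));
    }
}
```

The second test is the one that matters for security: with every request ignored, pages meant to require authentication are served without a login challenge.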