I have trouble in coupling Spring Security authentication with jQuery. Actually script does not even run - nothing happens when i click on
In browser's console i found message: Uncaught SyntaxError: Unexpected token < in login.js:1.
I've read some questions answered earlier and realised that this is problem concerning wrong ContentType returned, but i don't know how to fix it. I think that it may be also linked to Spring Security resource protection. I added config line posted below to turn it off, that made at least css working.
It is also weird that when i go to Sources in console, then click on login.js html code appears rather than js code.
I kindly ask for help with putting it all together :)
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").anyRequest();
}
$(document).ready(function(){
$("#login").click(function(){
var email = $("#username").val();
var password = $("#password").val();
// Checking for blank fields.
if( email =='' || password ==''){
$('input[type="text"],input[type="password"]').css("border","2px solid red");
$('input[type="text"],input[type="password"]').css("box-shadow","0 0 3px red");
alert("Please fill all fields...!!!!!!");
}else {
$.post("login",{username: email, password: password},
function(data) {
if(data=='Invalid Email.......') {
$('input[type="text"]').css({"border":"2px solid red","box-shadow":"0 0 3px red"});
$('input[type="password"]').css({"border":"2px solid #00F5FF","box-shadow":"0 0 5px #00F5FF"});
alert(data);
}else if(data=='Email or Password is wrong...!!!!'){
$('input[type="text"],input[type="password"]').css({"border":"2px solid red","box-shadow":"0 0 3px red"});
alert(data);
} else if(data=='Successfully Logged in...'){
$("form")[0].reset();
$('input[type="text"],input[type="password"]').css({"border":"2px solid #00F5FF","box-shadow":"0 0 5px #00F5FF"});
alert(data);
} else{
alert(data);
}
});
}
});
});
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<html>
<head>
<title>Login page</title>
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<link rel="stylesheet" type="text/css" href="style.css"></link>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="login.js" type="text/javascript"></script>
</head>
<body>
<h1>Login page</h1>
<form>
<label for="username">Username</label>:
<input type="text" id="username" name="username" autofocus="autofocus"/> <br/>
<label for="password">Password</label>:
<input type="password" id="password" name="password"/> <br/>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<input type="button" id="login" value="Log in"/>
</form>
</body>
</html>
#Controller
public class Login {
#RequestMapping(value = "/login", method = RequestMethod.GET)
public String login() {
return "login";
}
#RequestMapping(value = "/homepage", method = RequestMethod.GET)
public String homepage() {
return "homepage";
}
}
#EnableWebSecurity
#Configuration
public class SecConfig extends WebSecurityConfigurerAdapter {
#Autowired
private MyUserDetailsService userDetailsService;
#Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(authenticationProvider());
}
#Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authProvider
= new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(encoder());
return authProvider;
}
#Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder(11);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login*").anonymous()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.html")
.defaultSuccessUrl("/homepage.html")
.failureUrl("/login.html?error=true")
.and()
.logout().logoutSuccessUrl("/login.html");
}
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").anyRequest();
}
}
EDIT:
When i deleted invocation of anyRequest(); method in web.ignoring().antMatchers("/resources/**").anyRequest(); there is another error:
Refused to execute script from 'http://localhost:8080/login.js' because its MIME type ('text/html') is
not executable, and strict MIME type checking is enabled.
I guess that maybe the trouble is due to csrf. There is a snippet where in fact it is, but I think that in your jquery post you are not sending it.
The Unexpected token < message could be due to CSRFFilter sending html encoded http 401 or 403 response.
You could make a try disabling csrf in security configuration to check wether it works or not, and if it finally works this way, then you could make the proper changes to turn it on without breaking the login post
We must pass header and tokens in all post request,
var token = $("meta[name='_csrf']").attr("content");
var header =
$("meta[name='_csrf_header']").attr("content");
xhttp.setRequestHeader(header, token);
xhttp.send();
Related
there is always 403 error when i log in even with correct username and password
html:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<link rel="stylesheet" th:href="#{/css/stylesheet.css}"/>
<title>Spring Security Example </title>
</head>
<body>
<header th:insert="navbar :: header"></header>
<form th:action="#{/login}" method="post">
<div><label> User Name : <input type="text" name="username"/> </label></div>
<div><label> Password: <input type="password" name="password"/> </label></div>
<div><input type="submit" value="Sign In"/></div>
</form>
</body>
</html>
configuration:
#Configuration
#EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/css/**").authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/")
.defaultSuccessUrl("/")
.permitAll();
}
#Bean
#Override
protected UserDetailsService userDetailsService() {
return new InMemoryUserDetailsManager(
User.builder()
.username("admin")
.password(passwordEncoder().encode("admin"))
.roles("ADMIN")
.build()
);
}
#Bean
protected PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12);
}
}
controller:
#Controller
public class WebController {
#Autowired
private UserRepository userRepository;
#GetMapping("/")
public String getHome(Model model) {
return "home";
}
#GetMapping("/registration")
public String getRegistration(Model model) {
return "registration";
}
#GetMapping("/add")
public String getAddPicture(Model model) {
return "addPicture";
}
#GetMapping("/login")
public String getLogin(Model model) {
return "login";
}
#GetMapping("/pictures")
public String getPicture(Model model) {
return "pictures";
}
#PostMapping("/registration")
public String addNewUser (#RequestParam String password, #RequestParam String email, #RequestParam String username) {
User user = new User(password, email, username, true);
userRepository.save(user);
return "home";
}
}
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
There was an unexpected error type=Forbidden, status=403
Forbidden blablalblalallbmrtfg It looks like your post is mostly code; please add some more details.It looks like your post is mostly code; please add some more details.It looks like your post is mostly code; please add some more details.It looks like your post is mostly code; please add some more details.It looks like your post is mostly code; please add some more details.
I'm new to Thymeleaf, but worked with JSPs before, so that should be the same principle I would have thought.
Anyhow... I'm trying to put together the following Spring security tutorial https://spring.io/guides/gs/securing-web/.
It uses Thymeleaf for the frontend page rendering, and the following Login page does not play ball:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
<title>Spring Security Example </title>
</head>
<body>
<div th:if="${param.error}">
Invalid username and password.
</div>
<form th:action="#{/login.html}" method="post">
<div><label> User Name : <input type="text" name="username"/> </label></div>
<div><label> Password: <input type="password" name="password"/> </label></div>
<div><input type="submit" value="Sign In"/></div>
</form>
</body>
</body>
</html>
Then, I have the following Spring security configuration class:
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home", "/greeting").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/homepage.html", true)
.failureUrl("/login.html?error=true")
.permitAll()
.and()
.logout()
.permitAll();
}
#Bean
#Override
public UserDetailsService userDetailsService() {
UserDetails user =
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
The page with the form displays just fine, but when I provide the above credentials (user/password), it does not log the user in. It basically gets stuck in a loop demanding to login; there is a homepage.html, but it's never redirected to.
There is nothing in the logs, no errors or any messages.
Trying to debug it, I've added the following controller:
#Controller
#Slf4j
public class GreetingController {
#PostMapping("/login")
public String greeting(#RequestParam(name = "username", value = "xxx") String username, #RequestParam(name = "password", value = "yyy") String password, Model model) {
log.info("U " + username + " P " + password);
model.addAttribute("username", username);
model.addAttribute("password", password);
return "login";
}
}
but when trying to invoke http://localhost:8080/login, I get the following error:
There was an unexpected error (type=Method Not Allowed, status=405).
Request method 'GET' not supported
org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
So, having tried all above, I'm kinda stuck now and not sure what to try next.
How do I debug such a login page to find out what's going on? Also, could anyone spot any problems with the code I've provided above so far?
I want to have more control over the logging in and out, via custom controller and login page.
My SecurityConfiguration code currently looks like this:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
private SpringDataJpaUserDetailsService userDetailsService;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(this.userDetailsService)
.passwordEncoder(Manager.PASSWORD_ENCODER);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/built/**", "/main.css", "/login.css").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/loginSecure")
.defaultSuccessUrl("/index", true)
.permitAll()
.usernameParameter("username").passwordParameter("password")
.and()
.csrf().disable()
.logout()
.permitAll();
}
}
My login config in my Controller:
#RequestMapping(value = "/login")
public String login() {
return "login";
}
My loginSecure mapping in my controller:
#RequestMapping(value="/loginSecure", method = RequestMethod.POST)
public String login(#RequestAttribute("username") String userName, #RequestAttribute("password") String password) {
//does the authentication
final Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
userName,
password
)
);
SecurityContextHolder.getContext().setAuthentication(authentication);
return "index";
}
My login.html:
<form class="login100-form validate-form" action="/loginSecure" method="post">
<span class="login100-form-title p-b-26">
Welcome
</span>
<span class="login100-form-title p-b-48">
<i class="zmdi zmdi-font"></i>
</span>
<div class="wrap-input100 validate-input" data-validate = "Valid email is: a#b.c">
<input class="input100" type="text" id="username" name="username"/>
<span class="focus-input100" data-placeholder="Email/Username"></span>
</div>
<div class="wrap-input100 validate-input" data-validate="Enter password">
<span class="btn-show-pass">
<i class="zmdi zmdi-eye"></i>
</span>
<input class="input100" type="password" id="password" name="password"/>
<span class="focus-input100" data-placeholder="Password"></span>
</div>
<div class="container-login100-form-btn">
<div class="wrap-login100-form-btn">
<div class="login100-form-bgbtn"></div>
<button class="login100-form-btn">
Login
</button>
</div>
</div>
</form>
When i submit the form, in chrome dev tools it submits as loginSecure? with url encoded but it just redirects back to the login.html again.
Edit: Removed the extra form from login.html and added csfr().disable to securityConfiguration. Added loginProcessUrl to httpSecurity and this fixed it. Above code works.
If you create a custom login html and a custom authenticator then you need to add this to the HttpSecurity config -> .loginProcessingUrl("/loginSecure")
Good example here -> https://www.boraji.com/spring-security-4-custom-login-from-example
From what you wrote I guess that the problem is that after clicking "Login" your application is hit by two request.
I think that problem is that your login page has two forms one inside another. So when you click "Login" both forms sends their requests. You can verify that in Chrome Developer Tools.
As you can read here HTML doesn't allow nested forms Is it valid to have a html form inside another html form?
hi i'm working in a spring mvc project and i'm getting this error when i hit the button in my form
500 (Internal Server Error) jquery.min.js:6
x.ajaxTransport.x.support.cors.e.crossDomain.send jquery.min.js:6
x.extend.ajax AddUser:19
doAjaxPost AddUser:41
onclick
i'm trying to do a simple AJAX JQuery example that adds users to a list but i get that error when i press the add button in my form
this is my controller class:
#Controller
public class UserListController {
private List<User> userList = new ArrayList<User>();
#RequestMapping(value="AddUser",method=RequestMethod.GET)
public String showForm(){
return "AddUser";
}
#RequestMapping(value="AddUser",method=RequestMethod.POST)
public #ResponseBody String addUser(#ModelAttribute(value="user") User user, BindingResult result )
{
String returnText;
if(!result.hasErrors())
{
userList.add(user);
returnText = "User has been added to the list. Total number of users are " + userList.size();
}
else
{
returnText = "Sorry, an error has occur. User has not been added to list.";
}
return returnText;
}
#RequestMapping(value="ShowUsers")
public String showUsers(ModelMap model)
{
model.addAttribute("Users", userList);
return "ShowUsers";
}
}
and this is my AddUser.jsp page
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Add Users using ajax</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.2/jquery.min.js"></script>
<!-- <script src="resources/js/libs/jquery-2.0.2.min.js"></script> -->
<script type="text/javascript">
function doAjaxPost() {
// get the form values
var name = $('#name').val();
var education = $('#education').val();
$.ajax({
type: "POST",
url: "AddUser",
data: "name=" + name + "&education=" + education,
success: function(response){
// we have the response
$('#info').html(response);
$('#name').val('');
$('#education').val('');
},
error: function(e){
alert('Error: ' + e);
}
});
}
</script>
</head>
<body>
<h1>Add Users using Ajax ........</h1>
<table>
<tr><td>Enter your name : </td><td> <input type="text" id="name"><br/></td></tr>
<tr><td>Education : </td><td> <input type="text" id="education"><br/></td></tr>
<tr><td colspan="2"><input type="button" value="Add Users" onclick="doAjaxPost()"><br/></td></tr>
<tr><td colspan="2"><div id="info" style="color: green;"></div></td></tr>
</table>
Show All Users
</body>
</html>
and my MvcConfiguration class since i'm using a java based configuration and not using XML
#EnableWebMvc
#Configuration
#ComponentScan(basePackages = { "controllers" })
public class MvcConfig extends WebMvcConfigurerAdapter
{
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");
}
#Override
public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
configurer.enable();
}
// JSP VIEW-RESOLVER
#Bean
public InternalResourceViewResolver jspViewResolver() {
InternalResourceViewResolver bean = new InternalResourceViewResolver();
bean.setOrder(2);
bean.setPrefix("/WEB-INF/views/");
bean.setSuffix(".jsp");
return bean;
}
}
EDIT: i starter a new project just for the sake of trying to know what error i'm having, i delete spring secuirty in my application, but i still can figure out whats wrong.
1) i actually dont delete spring security i just starte a new project to try to solve my url problem
2) i change my controllers and the URL attribute in my ajax script
new RequestMapping controllers:
#RequestMapping(value="AddUser",method=RequestMethod.GET)
i deleted the "/" in the value="AddUser"
i dont have a "/" in any of my controllers if put a "/" in the controllers i have the same 500 Internal server error
This might be because of the CSRF protection which is enabled by default in Java configuration. Try in your configuration...
#Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.csrf().disable();
}
Let me know if this works.
EDIT**
To include CSRF token in AJAX request, if you are using JSON, you need to put it on the http header. Sample JSP example typically would be...
<html>
<head>
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
</head>
Then in your javascript call, get this parameters and add it to XMLHttpRequest's header.
Hope this helps.
Further reading
In my case, i had to add the below dependency to my pom
<dependency> <groupId>com.google.code.gson</groupId> <artifactId>gson</artifactId> <version>2.2.2</version> </dependency>
The Goal: I'd like to allow the user to access any page on my webapp, except for the /account page (unless they're logged in). I'd like this logging in process to be quite secure, and therefore have turned to using Spring Security in conjunction with the BCryptPasswordEncoder to handle this process. This webapp is being developed using Spring's pure-Java approach (no xml configurations whatsoever).
What Works: Going to /account correctly redirects the user to the /login page. The user can also correctly go to the / page without being redirected.
The Problem: I'm trying to configure Spring Security with my own custom UserDetailsService, but whenever I attempt to log in through the form on my JSP view, the loadUserByUsername(String username) method that I overwrote in said UserDetailsService does not appear to be called. In addition, it seems that when the user logs in with supposedly valid credentials, their authentication is not being stored in the Spring Security's current session and instead remain ROLE_ANONYMOUS.
WebSecurityConfigurerAdapter:
#EnableWebSecurity
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
#Autowired
private UserDetailsServiceImpl userDetailsServiceImpl;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth
.userDetailsService(userDetailsServiceImpl)
.passwordEncoder(bCryptPasswordEncoder());
}
#Override
public void configure(WebSecurity web) throws Exception
{
web
.ignoring()
.antMatchers("/css/**")
.antMatchers("/js/**");
}
#Override
protected void configure(HttpSecurity http) throws Exception
{
http
.authorizeRequests()
.antMatchers("/account").hasAnyRole("ROLE_USER", "ROLE_ADMIN")
.anyRequest().authenticated()
.and()
.authorizeRequests()
.antMatchers("/**").permitAll();
http
.formLogin()
.usernameParameter("j_username")
.passwordParameter("j_password")
.loginPage("/login")
.defaultSuccessUrl("/")
.failureUrl("/loginfailed")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.permitAll();
}
#Bean #Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
return super.authenticationManagerBean();
}
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
UserDetailsService:
#Service("userService")
public class UserDetailsServiceImpl implements UserDetailsService
{
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
username = username.toLowerCase();
try
{
Account account = testAccount(); // See below for more details
if(account == null)
{
throw new UsernameNotFoundException("Could not find user '" + username + "' in the database.");
}
List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
for(Role r : account.getRoles())
{
auths.add(new SimpleGrantedAuthority(r.getRole()));
}
WebUser user = null;
try
{
user = new WebUser(account.getUserID(), username, account.getPassword(), true, true, true, true, auths);
}
catch(Exception e)
{
e.printStackTrace();
}
return user;
}
catch(Exception e)
{
e.printStackTrace();
throw new UsernameNotFoundException(username + " not found", e);
}
}
private Account testAccount()
{
Account acc = new Account();
acc.setUserID(1);
acc.setUsername("admin");
acc.setPassword("$2a$10$ETHSfGAR8FpNTyO52O7qKuoo2/8Uqdwcqq70/5PN4.8DXTR6Ktiha");
acc.setDescription("No description.");
acc.setInfluence(9001);
acc.setJoinDate("03-15-2014");
List<Role> roles = new ArrayList<Role>();
roles.add(new Role(Role.ADMIN)); // Role.ADMIN = "ROLE_ADMIN"
roles.add(new Role(Role.USER)); // Role.USER = "ROLE_USER"
return acc;
}
}
login.jsp:
<%# page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<base href="${pageContext.request.scheme}://${pageContext.request.serverName}:${pageContext.request.serverPort}${pageContext.request.contextPath}/" />
<title>Login</title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
<script type="text/javascript" src="js/main.js"></script>
</head>
<body onload="document.loginForm.j_username.focus();">
<div id="page_wrap">
<h2>Login Page</h2>
<div id="container">
<div id="login">
<form name="loginForm" action="<c:url value='j_spring_security_check' />" method="POST">
<h5>Log in to your account</h5>
<p>
<label for="name">Username: </label>
<input type="text" name="j_username" />
</p>
<p>
<label for="name">Password: </label>
<input type="password" name="j_password" />
</p>
<p>
<input type="submit" id="submit" value="Log In" name="submit" />
</p>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, please try again.<br>
Caused: ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>
</div><!--end login-->
</div><!--end container-->
</div><!--end page_wrap-->
</body>
</html>
The Input:
Username Input Field ("j_username") : admin
Password Input Field ("j_password") : password
Note: The hashed password I use in UserDetailsServiceImpl was generated using bCryptPasswordEncoder.encode("password");
The Results:
Remains on the /login page, does not redirect to / as it should on a successful login.
The Output:
12726 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
12726 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#66201d6d. A new one will be created.
...
12727 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /j_spring_security_check; Attributes: [authenticated]
12727 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6faeba70: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffbcba8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 9626C55509CC1073AC2B5A8F65B2A585; Granted Authorities: ROLE_ANONYMOUS
12728 [http-bio-8080-exec-9] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#14cef147, returned: -1
12728 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
From the log it looks like you are hitting an access denied on "/j_spring_security_check". That's understandable because you didn't mark it as unprotected. I think you may just be making a false assumption about the default login processing URL (/login with #Configuration iirc). If you post to "/login" instead does it work?