Issue
I've configured my Spring app to authenticate logins using the /authenticate URL, but each time I try signing in it throws the following error:
org.springframework.web.servlet.DispatcherServlet.noHandlerFound No mapping for POST /authenticate
I'm confused because, as far as I'm aware, the loginProcessingUrl should be allowing Spring to handle the authentication in the background without needing me to provide a URL.
Below is my SecurityConfig class:
    package com.eyanu.tournamentproject.config;

    import com.myProject.tournamentproject.service.UserService;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private UserService userService;

        @Bean
        public BCryptPasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/register**", "/*.css", "/tournament**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/authenticate")
                    .permitAll()
                    .and()
                .logout().permitAll();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**", "/vendor/**", "/fonts/**").anyRequest();
        }

        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
            authenticationProvider.setPasswordEncoder(encoder());
            authenticationProvider.setUserDetailsService(userService);
            return authenticationProvider;
        }
    }
and the form which is trying to submit the login credentials:

    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <html>
    <head>
        <title>Login</title>
    </head>
    <body>
    <form:form action="${pageContext.request.contextPath}/authenticate" method="POST">
        <p>
            Username: <input type="text" name="username">
        </p>
        <p>
            Password: <input type="password" name="password">
        </p>
        <input type="submit" value="Log in">
    </form:form>
    </body>
    </html>
Solution
As far as I can see, the problem is in this line of code:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**", "/static/**", "/static/css/**", "/js/**", "/images/**", "/vendor/**", "/fonts/**").anyRequest();
    }

Remove .anyRequest()
NOTE: Ignore is a filter that completely bypasses Spring Security, which is equivalent to not taking Spring Security.
So basically, URL requests which you set here web.ignoring().antMatchers(URLs) will be ignored by Spring Security, which means that these URLs will be vulnerable to CSRF, XSS, Clickjacking, etc. If you add .anyRequest() then all requests will be ignored by Spring Security (including "/authorize"), and that's why you are getting 404
Answered By - Nemanja
Answer Checked By - Katrina (JavaFixing Volunteer)
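
A regression check for the misconfiguration discussed above, as an added example that is not part of the original question or answer: it posts bad credentials to /authenticate through the security filter chain and expects the form-login failure redirect instead of a 404. It assumes JUnit 5, Mockito and spring-security-test on the test classpath; the class names LoginProcessingUrlTest and Stubs and the user "alice" are hypothetical.

```java
package com.eyanu.tournamentproject.config; // same package as the page's SecurityConfig

import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;

import com.myProject.tournamentproject.service.UserService;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Hypothetical test class (added example); loads only SecurityConfig plus a stub UserService.
@SpringJUnitWebConfig(classes = {SecurityConfig.class, LoginProcessingUrlTest.Stubs.class})
class LoginProcessingUrlTest {

    @Configuration
    static class Stubs {
        @Bean // stands in for the real UserService so no database is needed
        UserService userService() {
            UserService stub = mock(UserService.class);
            when(stub.loadUserByUsername(anyString()))
                    .thenThrow(new UsernameNotFoundException("constructed user, not in any store"));
            return stub;
        }
    }

    @Autowired
    WebApplicationContext context;

    @Test
    void postToAuthenticateIsHandledBySpringSecurity() throws Exception {
        MockMvc mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
        // formLogin() posts username/password with a valid CSRF token. If the login filter
        // sees the request, bad credentials redirect to loginPage + "?error", not a 404.
        mvc.perform(formLogin("/authenticate").user("alice").password("wrong-password"))
                .andExpect(redirectedUrl("/login?error"))
                .andExpect(unauthenticated());
    }
}
```

With .anyRequest() still present in web.ignoring(), the POST bypasses the login filter and the redirect assertion should fail; with it removed, the test should pass.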