My Spring Security setup is not working. I migrated from the spring-security XML config file (version 3.1) to Java config (version 4.0.1). As soon as I log in, it gives me this page: HTTP Status 401 - Authentication Failed: Bad credentials

I will post my configuration below:

web.xml

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xmlns="http://java.sun.com/xml/ns/javaee"    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">

   <!-- Deployment descriptor: JSF (Faces Servlet on *.xhtml), a Spring DispatcherServlet,
        the Spring root-context and session listeners, and three servlet filters mapped to /*. -->

     <context-param>
          <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
          <param-value>.xhtml</param-value>
     </context-param>

     <context-param>
        <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
        <param-value>false</param-value>
     </context-param>

     <welcome-file-list>
        <welcome-file>login.xhtml</welcome-file>
     </welcome-file-list>
     <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
     </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

     <context-param>
          <param-name>com.sun.faces.expressionFactory</param-name>
          <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
     </context-param>

    <!-- NOTE(review): no <servlet-mapping> for "CAR Servlet" appears in this file, so as
         listed it is loaded at startup but receives no requests. Confirm this is intended. -->
    <servlet>
        <description>generated-servlet</description>
        <servlet-name>CAR Servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:CAR-web-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- HttpSessionEventPublisher forwards session created/destroyed events to Spring.
         Concurrent-session control (a maximumSessions limit) relies on these events to
         release a user's slot when a session expires. -->
    <listener>
        <listener-class>
            org.springframework.security.web.session.HttpSessionEventPublisher
        </listener-class>
    </listener>
    <listener>
        <listener-class>
            org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <!-- NOTE(review): this registers SecurityContextPersistenceFilter directly as a container
         filter. It is only one link of the Spring Security chain and enforces no authentication
         or authorization by itself. When the chain is registered through
         AbstractSecurityWebApplicationInitializer, the chain already contains this filter, so
         this entry looks like a leftover from the 3.x setup. Confirm and remove if so. -->
    <filter>
        <description>
            generated-spring-security-session-integration-filter
        </description>
        <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
        <filter-class>
            org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
    </filter>
    <filter>
        <description>generated-persistence-filter</description>
        <filter-name>CARFilter</filter-name>
        <filter-class>
            org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
        <init-param>
            <param-name>entityManagerFactoryBeanName</param-name>
            <param-value>CAR</param-value>
        </init-param>
    </filter>
    <filter>
        <description>generated-sitemesh-filter</description>
        <filter-name>Sitemesh Filter</filter-name>
        <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
    </filter>



    <filter-mapping>
        <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- NOTE(review): "HRBFilter" has no matching <filter> declaration in this file; the
         persistence filter above is declared as "CARFilter". A mapping to an undeclared
         filter name normally fails deployment. Confirm which name is intended. -->
    <filter-mapping>
        <filter-name>HRBFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Sitemesh Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


    <persistence-unit-ref>
        <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
        <persistence-unit-name>CAR</persistence-unit-name>
      </persistence-unit-ref>

      <persistence-context-ref>
        <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
        <persistence-unit-name>CAR</persistence-unit-name>
    </persistence-context-ref>

</web-app>
    /**
     * Persistence wiring for the application.
     *
     * <p>Enables annotation-driven transaction management, component-scans the
     * {@code com.car} package, and imports the bean definitions declared in
     * {@code classpath:persistence.xml}.
     *
     * <p>NOTE(review): no {@code @Configuration} annotation is visible on this class
     * in the listing; confirm how it is registered with the application context.
     */
    @EnableTransactionManagement
    @ComponentScan({ "com.car" })
    @ImportResource({ "classpath:persistence.xml" })
    public class PersistenceJPAConfigXml {

        /** Creates the configuration holder; all wiring comes from the annotations. */
        public PersistenceJPAConfigXml() {
            // Nothing to initialise: the implicit superclass constructor call is enough.
        }
    }
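/**
 * Spring Security 4 Java configuration for the web application.
 *
 * <p>Authenticates against the {@code userDetailsService} bean and secures the
 * JSF pages behind a form login served from {@code /login.xhtml}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    LoginSuccess loginSuccess;

    @Autowired
    LoginFailure loginFailure;

    /**
     * Registers the user store and the password encoder used to verify logins.
     *
     * @param auth builder for the global authentication manager
     * @throws Exception if the authentication manager cannot be configured
     */
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // NOTE(review): ShaPasswordEncoder with no arguments hashes with SHA-1, and no salt
        // source is configured here. A fast, unsalted digest is not suitable for password
        // storage. It is kept because the stored hashes must keep matching; plan a migration
        // to an adaptive encoder such as BCryptPasswordEncoder, re-hashing each password on
        // the user's next successful login.
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    /**
     * Declares URL authorization rules, form login, CSRF protection and session limits.
     *
     * @param http the security builder for this application
     * @throws Exception if the filter chain cannot be built
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login.xhtml").permitAll()
                .antMatchers("/jsf/**").access("isAuthenticated()")
                .antMatchers("/run**").access("isAuthenticated()")
                // NOTE(review): there is no anyRequest() rule, so any URL not matched above is
                // reachable without authentication. Confirm that is intended, or close the
                // list with a default such as anyRequest().authenticated().
            .and()
            .formLogin()
                .loginProcessingUrl("/login")
                .loginPage("/login.xhtml")
                // The login form still posts the 3.x field names. Spring Security 4 reads
                // "username" and "password" by default, so without these two lines the
                // submitted values are not picked up and every login ends in "Bad credentials".
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .successHandler(loginSuccess)
                .failureHandler(loginFailure)
                // NOTE(review): defaultSuccessUrl(...) installs its own success handler, and
                // the last call wins, so loginSuccess above is presumably never invoked.
                // Keep only the one that is wanted.
                .defaultSuccessUrl("/jsf/dashboard.xhtml")
            .and()
            .csrf()
            .and()
            .sessionManagement()
                // At most two concurrent sessions per user; a third login is refused
                // instead of expiring an older session.
                .maximumSessions(2)
                .maxSessionsPreventsLogin(true);
    }
}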
   import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

   /**
    * Servlet-container initializer for Spring Security.
    *
    * <p>Extending {@link AbstractSecurityWebApplicationInitializer} with an empty body
    * registers the {@code springSecurityFilterChain} filter for every request, which is
    * the Java-config replacement for declaring that filter in {@code web.xml}.
    */
   public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
       // Intentionally empty: the superclass performs the registration.
   }

   /**
    * Declares the login outcome handlers as Spring beans so they can be injected
    * into the security configuration.
    */
   @Configuration
   public class AppConfig {

       /**
        * Handler invoked after a successful authentication.
        *
        * @return a new {@link LoginSuccess} instance
        */
       @Bean
       public LoginSuccess loginSuccess() {
           return new LoginSuccess();
       }

       /**
        * Handler invoked after a failed authentication.
        *
        * @return a new {@link LoginFailure} instance
        */
       @Bean
       public LoginFailure loginFailure() {
           return new LoginFailure();
       }
   }




 Login.xhtml

      <form id="login" action='#{request.contextPath}/login' method='POST'>
        <h1>Log In</h1>
        <fieldset id="inputs">
            <input id="j_username" type="text" name="j_username" placeholder="Username" />
            <input id="j_password" type="password" name="j_password" placeholder="Password" />
        </fieldset>
        <fieldset id="actions">
            <input type="hidden" name="${_csrf.parameterName}"  value="${_csrf.token}" />
            <input id="submit" value="Log in" type="submit"  /><a href="">Forgot your password?</a>
        </fieldset>
        <c:if test="${not empty param.login_error}">
        <fieldset id="errors">
            Your login attempt was not successful, try again.<br/>
            Reason: <h:outputText value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
        </fieldset>
        </c:if>
    </form>

Did I miss something in my configuration?


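Spring Security 4 changed the default login form parameter names from j_username/j_password to username/password, so a form that still posts the old names fails with "Bad credentials". Spring Security 4 supports setting the username and password parameters in case you don't want to modify your login form, so you could use: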

.formLogin()
    .usernameParameter("j_username")
    .passwordParameter("j_password")

For details on migrating the login form, see "Migrating from Spring Security 3.x to 4.x (XML Configuration)" at http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-form-login, and the Java Configuration version of the guide at http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html