DEVHIDE
Login Or Sign up

Spring Security forgets authentication or requires multiple login attempts

140 Views Asked by At

I have a basic Spring Boot application secured by Spring Security and a form login. When I call a site which needs authentication, the login form appears, which is fine. But after I log in one of the following things happen, seemingly randomly:

  • The site appears successfully
  • I am redirected to "/" (or default success URL if I set one)
  • The login form appears again (and then the whole process is repeated)

Even if the login was successful and the site appears, if I repeat the request the login form can appear (as if I was logged out).

What is even weirder is that my application is deployed multiple times and this only happens in the production deployment, where the only difference is that the database has much more entries.

Can anybody explain why this happens? Is it a timing issue?

My security configuration:

@Configuration
public class LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .csrf().disable();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/webjars/**");
            web.ignoring().antMatchers("/js/**");
            web.ignoring().antMatchers("/css/**");
            web.ignoring().antMatchers("/images/**");
            web.ignoring().antMatchers("/public/**");
    }
}

I also have a Thymeleaf site in my main controller:

    @RequestMapping(value = "/site", method = RequestMethod.GET)
    public String site() {
        return "site";
    }

The file site.html contains some JavaScript, JQuery, Bootstrap and some data:

<!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml"
          xmlns:th="http://www.thymeleaf.org">
        <head lang="en">
            <meta charset="utf-8"/>
            <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>

            <link rel="stylesheet" th:href="@{/webjars/bootstrap/4.6.0/css/bootstrap.min.css}" />

            <script th:src="@{/webjars/jquery/jquery.min.js}"></script>
            <script th:src="@{/webjars/popper.js/umd/popper.min.js}"></script>
            <script th:src="@{/webjars/bootstrap/js/bootstrap.min.js}"></script>
        </head>
        <body>
    ...
java spring spring-security thymeleaf webjars
Original Q&A
1

There are 1 best solutions below

1
On

The problem was that for performance reasons the application way deployed to multiple dynos (containers) on Heroku, so even if I successfully logged in at one dyno, if my next request was delegated to an other dyno, it didn't have the correct session, so it logged me out and gave me a new session.

Related Questions in JAVA

Related Questions in SPRING

Related Questions in SPRING-SECURITY

Related Questions in THYMELEAF

Related Questions in WEBJARS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.