I have a basic Spring Boot application secured by Spring Security and a form login. When I call a site which needs authentication, the login form appears, which is fine. But after I log in one of the following things happen, seemingly randomly:
- The site appears successfully
- I am redirected to "/" (or default success URL if I set one)
- The login form appears again (and then the whole process is repeated)
Even if the login was successful and the site appears, if I repeat the request the login form can appear (as if I was logged out).
What is even weirder is that my application is deployed multiple times and this only happens in the production deployment, where the only difference is that the database has much more entries.
Can anybody explain why this happens? Is it a timing issue?
My security configuration:
@Configuration
public class LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.csrf().disable();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/webjars/**");
web.ignoring().antMatchers("/js/**");
web.ignoring().antMatchers("/css/**");
web.ignoring().antMatchers("/images/**");
web.ignoring().antMatchers("/public/**");
}
}
I also have a Thymeleaf site in my main controller:
@RequestMapping(value = "/site", method = RequestMethod.GET)
public String site() {
return "site";
}
The file site.html contains some JavaScript, JQuery, Bootstrap and some data:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org">
<head lang="en">
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
<link rel="stylesheet" th:href="@{/webjars/bootstrap/4.6.0/css/bootstrap.min.css}" />
<script th:src="@{/webjars/jquery/jquery.min.js}"></script>
<script th:src="@{/webjars/popper.js/umd/popper.min.js}"></script>
<script th:src="@{/webjars/bootstrap/js/bootstrap.min.js}"></script>
</head>
<body>
...
The problem was that for performance reasons the application way deployed to multiple dynos (containers) on Heroku, so even if I successfully logged in at one dyno, if my next request was delegated to an other dyno, it didn't have the correct session, so it logged me out and gave me a new session.