I have a problem with my web application built with Spring Security. It has a login page:
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib prefix = "form" uri = "http://www.springframework.org/tags/form"%>
<%@ page isELIgnored="false"%>
........
<link rel="stylesheet" type="text/css" href="https://cdn.usebootstrap.com/bootstrap/4.4.1/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-font-awesome.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-util.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-fonts.css">
<link rel="stylesheet" type="text/css" href="resource/css/css-custom.css">
<!--===============================================================================================-->
<meta name="robots" content="noindex, follow">
</head>
<body>
  <c:if test="${not empty error}">
    <div style="color: #ff0000;">Errore nel login controllare username / password</div>
  </c:if>
  <div>
    <div>
      <div>
        <form action="<c:url value="/performlogin"/>" method="post">
          <div><img src="resource/images/images-logo-softpulizie.png"></div>
          <hr>
          <br>
          <div>
            <input placeholder="Username" name="username" id="userid" type="text">
          </div>
          <div>
            <input placeholder="Password" name="password" id="pwd" type="password">
          </div>
          <div>
            <div>
              <span>Hai dimenticato la password?<br>
              <a href="SOFTPULIZIE.html">Clicca qui</a></span>
            </div>
            <div>
              <button type="submit" id="login">Login</button>
            </div>
          </div>
        </form>
      </div>
    </div>
  </div>
  <!--===============================================================================================-->
  <script src="resource/js/3.2.1-jquery.min.js"></script>
  <script src="resource/js/js-bootstrap.min.js"></script>
</body>
</html>
and my configuration class, which permits loading URLs and forwarding to the login page, is:
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder authBuilder) throws Exception {
        authBuilder
            .jdbcAuthentication()
            .dataSource(dataSource)
            .usersByUsernameQuery("SELECT username, password, enabled FROM Utenti WHERE username = ?")
            .authoritiesByUsernameQuery("SELECT username, role FROM Utenti WHERE username = ?");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
            .disable()
            .authorizeRequests().anyRequest().hasAnyRole("USER","ADMIN")
            .and()
            .authorizeRequests().antMatchers("/login**").permitAll()
            .and()
            .authorizeRequests().antMatchers("/resource**").permitAll()
            .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/performlogin")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/home", true)
                .failureUrl("/login?error=true")
                .permitAll()
            .and()
            .logout()
                .logoutUrl("/perform_logout")
                .deleteCookies("JSESSIONID")
                .permitAll();
    }
}
But when the login page is loaded, it does not load all the CSS, JavaScript and images. For the other pages displayed after login, the resources are loaded correctly. The resources are all placed in the resources folder under src/main/java of my Maven project.
What could be the problem?
Thanks
CodePudding user response:
Try removing the multiple .authorizeRequests()...and() and condense to:
.authorizeRequests(authorize -> authorize
    .antMatchers("/login**", "/resource**").permitAll()
    .anyRequest().hasAnyRole("USER","ADMIN")
)
...
Order does matter. Also, you don't want to call .authorizeRequests() multiple times.
You can read more on the latest way to do this (via .authorizeHttpRequests() which uses the new AuthorizationFilter in 5.5) here: Authorize HttpServletRequests with AuthorizationFilter.
If that doesn't work, feel free to update the question and we can see if something else is going on.
CodePudding user response:
I tried to compact it as you said, like this:
http.csrf()
    .disable()
    .authorizeRequests().anyRequest().hasAnyRole("USER","ADMIN")
    .antMatchers("/login**", "/resource**").permitAll()
    .and()
    .formLogin()
        .loginPage("/login")
        .loginProcessingUrl("/performlogin")
        .usernameParameter("username")
        .passwordParameter("password")
        .defaultSuccessUrl("/home", true)
        .failureUrl("/login?error=true")
        .permitAll()
    .and()
    .logout()
        .logoutUrl("/perform_logout")
        .deleteCookies("JSESSIONID")
        .permitAll();
but it didn't solve it. I am using Spring 4.3; there should be a solution for that version too.
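
An added example (not code from any poster in this thread): a small check of how an ordered list of Ant patterns resolves for the URLs the login page requests, using Spring's `AntPathMatcher` from spring-core. It goes slightly beyond the answer above by also comparing `/resource**` with `/resource/**`. The class name `MatcherOrderCheck`, the modelling of `anyRequest()` as `/**`, and the sample paths (derived from the JSP's relative `resource/...` links) are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Added illustration, not code from the thread; needs spring-core on the classpath.
public class MatcherOrderCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();

    // Ordered rule set: insertion order is evaluation order.
    static Map<String, String> rules(String... patternThenAccess) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i < patternThenAccess.length; i += 2) {
            m.put(patternThenAccess[i], patternThenAccess[i + 1]);
        }
        return m;
    }

    // First matching pattern decides; later rules are never consulted.
    static String decide(Map<String, String> ordered, String path) {
        for (Map.Entry<String, String> r : ordered.entrySet()) {
            if (ANT.match(r.getKey(), path)) {
                return r.getValue() + " via " + r.getKey();
            }
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        String role = "hasAnyRole(USER,ADMIN)";
        // anyRequest() is modelled as "/**" (assumption).
        Map<String, Map<String, String>> configs = new LinkedHashMap<>();
        configs.put("anyRequest first (as posted)",
                rules("/**", role, "/login**", "permitAll", "/resource**", "permitAll"));
        configs.put("permitAll first, /resource**",
                rules("/login**", "permitAll", "/resource**", "permitAll", "/**", role));
        configs.put("permitAll first, /resource/**",
                rules("/login**", "permitAll", "/resource/**", "permitAll", "/**", role));

        // Constructed sample paths, derived from the JSP's relative resource/... links.
        String[] paths = {"/login", "/resource/css/css-util.css",
                          "/resource/images/images-logo-softpulizie.png", "/home"};
        for (Map.Entry<String, Map<String, String>> c : configs.entrySet()) {
            System.out.println(c.getKey());
            for (String p : paths) {
                System.out.println("  " + p + " -> " + decide(c.getValue(), p));
            }
        }
    }
}
```

In the first two rule sets the stylesheet and image paths resolve to the role check, so an anonymous browser is sent to the login page instead of receiving the file; only the third resolves them to `permitAll` while `/home` stays behind the role check.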
