Summary

I have switched from HTTPS to HTTP by removing server.ssl.* from application.properties and changing the port. In Chrome I also deleted the cookies by clicking next to the URL. I am not able to log in anymore. The login success handler gets called and a JSESSIONID is returned from /login, but the redirect (302) does not work. The request header does not contain JSESSIONID even though it was part of the response header.

Actual Behavior

Login Request:
```
Request URL: http://localhost:8082/login
Request Method: POST
Status Code: 302
Remote Address: [::1]:8082
```

Login Response:

```
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Length: 0
Date: Tue, 17 Dec 2019 20:06:33 GMT
Expires: 0
Keep-Alive: timeout=60
Location: http://localhost:8082/account/
Pragma: no-cache
--- JSESSIONID - good! ---
Set-Cookie: JSESSIONID=A34E160948D0BBB81EFE06FAE3CA2EBE; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
-------

Console output: No session found!
```
2019-12-17T21:06:33,104 DEBUG [http-nio-8082-exec-9] o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper: SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fec7843d: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec7843d: Principal: com.example.web.security.CustomUserDetails@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; 

2019-12-17T21:06:33,129 DEBUG [http-nio-8082-exec-7] o.s.s.w.c.HttpSessionSecurityContextRepository: No HttpSession currently exists
2019-12-17T21:06:33,132 DEBUG [http-nio-8082-exec-7] o.s.s.w.c.HttpSessionSecurityContextRepository: No SecurityContext was available from the HttpSession: null. A new one will be created.
```

-------
Redirect after successful login:
```
Request URL: http://localhost:8082/login
Request Method: GET
Status Code: 200
Remote Address: [::1]:8082
Referrer Policy: no-referrer-when-downgrade
--- No JSESSIONID ---
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:8082
Pragma: no-cache
Referer: http://localhost:8082/login
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
```

Expected Behavior

Login should work.

Configuration

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests()
        .antMatchers("/account/admin/").access("hasRole('ADMIN')")
        .antMatchers("/account/").access("hasRole('USER')")
        .antMatchers("/**").permitAll()
        .and()
        .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/account/")
        .failureHandler(customAuthenticationFailureHandler());
}
```

Version

Spring Boot 2.2.2-RELEASE. Affects all Chrome versions.

Sample

See above.
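A diagnostic for the capture in this report, added here as an example and not code from the reporter or from Spring Security: it applies the RFC 6265 Secure, Domain and Path rules to a `Set-Cookie` value and the URL of the follow-up request, and lists any rule that would stop a client from returning the cookie. The function name `blocking_reasons` and the `Secure` sample are constructed for illustration; the check covers the header's attributes only, not what the browser already has stored for the host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Values copied from the capture in this report.
CAPTURED_SET_COOKIE = "JSESSIONID=A34E160948D0BBB81EFE06FAE3CA2EBE; Path=/; HttpOnly"
SET_BY = "http://localhost:8082/login"
REDIRECT_TARGET = "http://localhost:8082/account/"
# Constructed for contrast: the same kind of cookie carrying the Secure attribute.
CONSTRUCTED_SECURE = "JSESSIONID=CONSTRUCTED0000; Path=/; Secure; HttpOnly"


def blocking_reasons(set_cookie, set_by_url, next_url):
    """List the RFC 6265 rules that stop a client returning the cookie to next_url."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        return ["Set-Cookie value could not be parsed"]
    morsel = next(iter(jar.values()))
    origin, target = urlsplit(set_by_url), urlsplit(next_url)
    reasons = []

    # Secure cookies are only returned over https.
    if morsel["secure"] and target.scheme != "https":
        reasons.append("Secure attribute set, target scheme is " + target.scheme)

    # No Domain attribute means host-only: the host must match exactly (port is ignored).
    domain = morsel["domain"].lstrip(".").lower()
    host = (target.hostname or "").lower()
    if domain and host != domain and not host.endswith("." + domain):
        reasons.append("Domain=" + domain + " does not match host " + host)
    if not domain and host != (origin.hostname or "").lower():
        reasons.append("host-only cookie, target host is " + host)

    # Path-match (section 5.1.4); a missing Path defaults to the setting URL's directory.
    path = morsel["path"]
    if not path.startswith("/"):
        path = origin.path.rsplit("/", 1)[0] or "/"
    req = target.path or "/"
    boundary = path.endswith("/") or req[len(path):len(path) + 1] == "/"
    if req != path and not (req.startswith(path) and boundary):
        reasons.append("Path=" + path + " does not cover " + req)
    return reasons


if __name__ == "__main__":
    for label, header in (("captured", CAPTURED_SET_COOKIE), ("constructed", CONSTRUCTED_SECURE)):
        print(label, blocking_reasons(header, SET_BY, REDIRECT_TARGET) or "eligible to be sent")
```

An empty list for the captured header means its own attributes do not account for the missing `Cookie` request header.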

Comment From: eleftherias

Thanks for the report @DominikSchulze. I am not able to reproduce this issue. Could you please share a minimal sample that reproduces the issue that you are seeing?

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.