Describe the bug Using Spring Security with CustomUsernamePasswordAuthenticationFilter is not working with custom Form login in SpringBoot version 3.2.3. It is getting Authenticated but failed to open main page, redirecting to login page again.

I am using SpringBoot version 3.2.3, created CustomUsernamePasswordAuthenticationFilter extending UsernamePasswordAuthenticationFilter. Created CustomAuthenticationManager implementing AuthenticationManager. Created a SecurityConfig bean for SecurityFilterChain. Created a custom login HTML form page. @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { return http .csrf(csrf -> csrf.disable()) .addFilterAt(authenticationFilter(), UsernamePasswordAuthenticationFilter.class) //.authenticationManager(authManager) /*.httpBasic(httpBasicConfigurer -> httpBasicConfigurer.authenticationEntryPoint(loginUrlAuthenticationEntryPoint()))*/ .formLogin(formLogin -> formLogin .loginProcessingUrl("/login") .loginPage("/login.html") .successHandler(successHandler()) .failureHandler(failureHandler())) .logout(logout -> logout.invalidateHttpSession(true).logoutUrl("/logout").logoutSuccessUrl("/login.html?Successful Logout.").deleteCookies("JSESSIONID")) .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/login.html")).permitAll()) .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/process/**")).authenticated()) .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/role/names")).permitAll()) .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/**/**")).authenticated()) .authorizeHttpRequests(request -> request.requestMatchers(new AntPathRequestMatcher("/login")).permitAll()) //.httpBasic(Customizer.withDefaults()) .build(); }

When I run it, CustomUsernamePasswordAuthenticationFilter gets called and then CustomAuthenticationManager, Returning the Authentication. But it's not redirecting to the main page. It loads the login page again. When I decrease the SpringBoot version 2.7.18. It is working as expected.

To Reproduce Create a SpringBoot Project with 3.X version, Sample Controller with some API's. Create CustomUsernamePasswordAuthenticationFilter, CustomAuthenticationManager, SecurityConfig, and Login HTML page. Run the Application and try access the authenticated API, it redirects to login page, fill the credentials and submit. It has to give response to API, but it loads login page again.

Change the Spring Boot Version to 2.x (Ex 2.7.18), it works as expected.

Expected behavior

The behavior of SpringBoot 3. X should be the same as 2. X. It should able to authenticate and redirect to main page.

Sample Please check out the project https://github.com/vijaybhaskarreddymedikonda/spring-security-demo Run the app. Try to access http://localhost:8080/process/names. It will redirect to login page. Credentials are pre input, just click on submit. You can see it loads the login page again.

Change the Spring boot version to 2.7.0 in pom.xml, change the jakarta package to javax in CustomUsernamePasswordAuthenticationFilter and run it. Try to access the http://localhost:8080/process/names.

Thanks in Advance

Comment From: marcusdacoregio

Hi, @vijaybhaskarreddymedikonda. Have you searched in our issue tracker for similar problems like your? I found https://github.com/spring-projects/spring-security/issues/14410.

I have not tried your code yet, but looking at CustomUsernamePasswordAuthenticationFilter it seems that you should configure a SecurityContextRepository so your authentication is saved in the HttpSession, like so:

public CustomUsernamePasswordAuthenticationFilter() {
    setSecurityContextRepository(new HttpSessionSecurityContextRepository());
}

Comment From: vijaybhaskarreddymedikonda

Thanks, @marcusdacoregio It's working. But this looks extra in the SpringBoot 3. X, Security 6. X versions. In 2. X and 5. X versions working without this call.