Hello my name is Andre and I am having trouble with a Spring Boot Project with Spring Security using two different login pages. The main problem right now is that the application is throwing this error: o.s.s.a.dao.DaoAuthenticationProvider : Failed to authenticate since password does not match stored values
Both users and admins are stored in Postgres, have implemented getAuthorities()
Users login just fine BUT Admins fail to authenticate, I have a CustomUserDetails and CustomUserDetailsService Class
My code:
class MuliSecurityConfiguration
{
@Autowired
private CustomUserDetailsService customUserDetailsService;
public MuliSecurityConfiguration(CustomUserDetailsService customUserDetailsService)
{
this.customUserDetailsService = customUserDetailsService;
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception
{
return authenticationConfiguration.getAuthenticationManager();
}
@Bean
public PasswordEncoder getPasswordEncoder() { return NoOpPasswordEncoder.getInstance(); }
@Bean
public SecurityFilterChain filterChainRed(HttpSecurity http) throws Exception
{
http.csrf((csrf) -> csrf.disable());
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/admin", "/admin/managerLogin", "/admin/managerError").permitAll()
.requestMatchers("/CSS/**").permitAll()
.requestMatchers("/IMAGES/**").permitAll()
.requestMatchers("/JAVASCRIPT/**").permitAll()
.requestMatchers("/admin/managerHome").hasRole("ADMIN")
.anyRequest().authenticated()
)
.formLogin(formLogin ->
formLogin
.loginPage("/admin/managerLogin.html").permitAll()
.loginProcessingUrl("/admin/managerLogin").permitAll()
.defaultSuccessUrl("/admin/managerHome", true)
.failureUrl("/admin/managerError.html").permitAll()
)
.logout(logout -> logout
.logoutUrl("/admin/managerLogout.html").permitAll()
.logoutSuccessUrl("/admin/managerLogin.html")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.permitAll()
);
return http.build();
}
@Bean
public SecurityFilterChain filterChainBlue(HttpSecurity http) throws Exception
{
http.csrf((csrf) -> csrf.disable());
http.authorizeHttpRequests((authorize) -> authorize
.requestMatchers( "/", "/user/index", "/user/error").permitAll()
.requestMatchers("/CSS/**").permitAll()
.requestMatchers("/IMAGES/**").permitAll()
.requestMatchers("/JAVASCRIPT/**").permitAll()
.requestMatchers("/user/home").hasRole("EMPLOYEE")
.anyRequest().authenticated()
)
.formLogin(formLogin ->
formLogin
.loginPage("/user/index.html").permitAll()
.loginProcessingUrl("/user/index").permitAll()
.defaultSuccessUrl("/user/home", true)
.failureUrl("/user/error.html").permitAll()
)
.logout(logout -> logout
.logoutUrl("/user/logout").permitAll()
.logoutSuccessUrl("/")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
.permitAll()
);
return http.build();
}
}
}
public class CustomUserDetails implements UserDetails
{
private BigInteger employeeid;
private String role;
private boolean enabled;
private String username;
private String jobtitle;
private String firstname;
private String lastname;
private String phone;
private String email;
private String password;
private Timestamp datehired;
private Timestamp datefired;
public CustomUserDetails(BigInteger employeeid, String role, boolean enabled, String username, String jobtitle,
String firstname, String lastname, String phone, String email, String password,
Timestamp datehired, Timestamp datefired)
{
this.employeeid = employeeid;
this.role = role;
this.enabled = enabled;
this.username = username;
this.jobtitle = jobtitle;
this.firstname = firstname;
this.lastname = lastname;
this.phone = phone;
this.email = email;
this.password = password;
this.datehired = datehired;
this.datefired = datefired;
}
public BigInteger getEmployeeid(){return employeeid;}
public String getRole() {return role;}
public void setRole(String role){this.role = role;}
@Override
public Collection<? extends GrantedAuthority> getAuthorities()
{
List<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
list.add(new SimpleGrantedAuthority(getRole()));
return list;
}
@Override
public String getUsername() {return username;}
public String getJobtitle() {return jobtitle;}
public String getFirstname() {return firstname;}
public String getLastname() {return lastname;}
public String getPhone() {return phone;}
public String getEmail() {return email;}
@Override
public String getPassword() {return password;}
public Timestamp getDatehired() {return datehired;}
public Timestamp getDatefired() {return datefired;}
@Override
public boolean isAccountNonExpired() {return true;}
@Override
public boolean isAccountNonLocked() {return true;}
@Override
public boolean isCredentialsNonExpired() {return true;}
@Override
public boolean isEnabled() {return true;}
@Override
public String toString()
{
return "employeeid:" + employeeid + "," +
"role:" + role + "," +
"enabled:" + enabled + "," +
"username:" + username + "," +
"jobtitle:" + jobtitle + "," +
"firstname:" + firstname + "," +
"lastname:" + lastname + "," +
"phone:" + phone + "," +
"email:" + email + "," +
"password:" + password + "," +
"datehired:" + datehired + "," +
"datefired:" + datefired ;
}
}
@Service
public class CustomUserDetailsService implements UserDetailsService
{
User someUser;
@Autowired
private UserRepository userRepository;
public CustomUserDetailsService(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public CustomUserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
someUser = userRepository.findByUsername(username);
if (someUser == null)
{
System.out.println("From CustomUserDetailsservice: Username or Password not found!");
throw new UsernameNotFoundException("Username or Password not found!");
}
System.out.println("Custom User Details 2: " + someUser.toString());
return new CustomUserDetails(someUser.getEmployeeid(), someUser.getAuthorities(), someUser.isEnabled(), someUser.getUsername(), someUser.getJobtitle(),
someUser.getFirstname(), someUser.getLastname(), someUser.getPhone(), someUser.getEmail(), someUser.getPassword(),
someUser.getDatehired(), someUser.getDatefired());
}
}
I am using Spring Boot v3.3.0-RC1 and Spring Security 6.1.6. I am using a Windows 11 HP laptop, Postgres 16 on a local host, regular HTML web pages via Tomcat Server (NOT Thymeleaf or any other templating engine) and the Fetch API to retrieve data from the database.
Desired Behavior: Both users/employees and admins should be able to login and get to their respective home pages
Specific Problem: admin login does not work because of failed authentication for the admin, password does not match stored values
BUT I checked and the submitted password does match the password in the database
Specific Error: Web App goes to the error page which says “Bad Credentials”
Any ideas will be appreciated about why one set of users can login but another set of users with a different set of roles can’t get authenticated when all types of users are stored in the same database table and all types of users are eighter an EMPLOYEE OR AN ADMIN