
Hey, I am having a bit of a mess with my Spring Security based login.

I keep getting the error "bad credentials".

Here's my user table:

![Usertable][1]

Here's my dataSource from the applicationContext:

<!-- database driver/location -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" value="jdbc:mysql://localhost:3306/ams" />
    <property name="username" value="root" />
    <property name="password" value="root" />
</bean>

and my securityContext:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security 
              http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
        <security:logout logout-success-url="/login/login.do" invalidate-session="true" />
        <security:remember-me key="rememberMe"/>
    </security:http>    


    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" 
            users-by-username-query="select USERNAME as username, PASSWORD as password, DELETED as deleted from ams.user where USERNAME=?"
            authorities-by-username-query="
                select distinct user.USERNAME as username, permission.NAME as authority 
            from scu.user, scu.user_role, scu.role, scu.role_permission, scu.permission
            where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.USERNAME=?"/>
            <!-- security:password-encoder ref="passwordEncoder" /> -->
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256" />
    </bean>
</beans>

When I try to log in with admin and init01

it gives me the error bad credentials... =(

ANY suggestions are appreciated!!!

James Carter

2 Answers

The password-encoder reference in your authentication-provider is commented out. You need a password encoder if you are using hashed passwords (as you should be). Also check this answer, particularly point 2 about writing a test to make sure the password encoder you are using matches what you have stored in the database.

You might also want to check this answer on using bcrypt as a more secure alternative to plain SHA hashes.

Shaun the Sheep
  • The hash password-encoder is not the problem, I just commented it out so you can see what the "real" password actually is... it doesn't change anything when I use it or when I don't use it – James Carter Feb 20 '13 at 20:01
  • Most likely it is the problem. Without it, it won't work at all and it won't work with it unless the strings it produces match exactly what you have in your database. Hence the links. Check the logs and if in doubt, use a debugger and set a breakpoint [here](https://github.com/SpringSource/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java#L84). You should also see that log message if the authentication fails because the password doesn't match. – Shaun the Sheep Feb 20 '13 at 20:24
  • I know the hash of init01 (it's the one that's used with the other users), and with it it definitely doesn't work as well. But thanks, I'll surely go through that – James Carter Feb 20 '13 at 20:31
  • With a debugger? Add the source jars to your project in your IDE and use standard Java remote debugging. For example, if you're running tomcat, start it with `catalina.sh debug`. Then connect to the process - both Intellij and Eclipse make it very easy. – Shaun the Sheep Feb 20 '13 at 22:04

Your passwords are getting hashed. If you add a password 'init01', it actually means the hash of the original password is 'init01', because Spring hashes the supplied password and matches it with the one you enter. So SHA('init01') is something other than 'init01'.

Vjeetje
  • Nope, I just wrote it in plain text so you can see what I'm typing in, doesn't change anything when it's crypted... – James Carter Feb 20 '13 at 20:00
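Both answers come down to the same check: the value in the PASSWORD column must be exactly what the configured encoder produces for the password typed at login. The script below is an added example, not code from either answer or from Spring Security itself: it reproduces what ShaPasswordEncoder(256) computes with its defaults (SHA-256 over the UTF-8 password, no salt, lowercase hex) and reports which encoder configuration, if any, would have produced a given stored value. It goes a little beyond the page by also trying SHA-1 and MD5, the other MessageDigestPasswordEncoder variants; the sample rows are constructed, and the candidate names are labels chosen here, not Spring identifiers.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional


def message_digest_encode(raw_password: str, algorithm: str, salt: Optional[str] = None) -> str:
    """Mirror Spring's MessageDigestPasswordEncoder defaults (ShaPasswordEncoder, Md5PasswordEncoder):
    salt, if any, appended as '{salt}', digest over the UTF-8 bytes, lowercase hex output."""
    merged = raw_password if salt in (None, "") else f"{raw_password}{{{salt}}}"
    return hashlib.new(algorithm, merged.encode("utf-8")).hexdigest()


# Candidate encoder configurations, keyed by how the bean would be declared in the XML.
ENCODERS: Dict[str, Callable[[str, Optional[str]], str]] = {
    "no password-encoder (plain text)": lambda raw, salt=None: raw,
    "ShaPasswordEncoder(256)": lambda raw, salt=None: message_digest_encode(raw, "sha256", salt),
    "ShaPasswordEncoder() default SHA-1": lambda raw, salt=None: message_digest_encode(raw, "sha1", salt),
    "Md5PasswordEncoder": lambda raw, salt=None: message_digest_encode(raw, "md5", salt),
}


def is_password_valid(stored: str, raw_password: str, encoder: str, salt: Optional[str] = None) -> bool:
    """The check DaoAuthenticationProvider makes at login: encode the submitted password with
    the configured encoder and compare it with the PASSWORD column. False means "Bad credentials"."""
    computed = ENCODERS[encoder](raw_password, salt)
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))


def diagnose_stored_value(stored: str, raw_password: str, salt: Optional[str] = None) -> Optional[str]:
    """Return the encoder configuration whose output equals the stored value for the typed
    password, or None if nothing matches (wrong password, other salt, or e.g. bcrypt)."""
    for name in ENCODERS:
        if is_password_valid(stored, raw_password, name, salt):
            return name
    return None


# Constructed rows standing in for "select USERNAME, PASSWORD from ams.user":
# 'admin' was inserted as plain text, 'alice' as a SHA-256 hex digest.
SAMPLE_ROWS = {"admin": "init01", "alice": message_digest_encode("s3cret", "sha256")}
TYPED = {"admin": "init01", "alice": "s3cret"}

if __name__ == "__main__":
    for user, stored in SAMPLE_ROWS.items():
        print(user, "-> stored value produced by:", diagnose_stored_value(stored, TYPED[user]),
              "| login with ShaPasswordEncoder(256):",
              is_password_valid(stored, TYPED[user], "ShaPasswordEncoder(256)"))
```

Paste the real value of the PASSWORD column in place of the constructed rows: a row stored as plain text will only ever log in with the encoder commented out, and a row stored as a SHA-256 hex digest only with ShaPasswordEncoder(256) wired in.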