I am working on a springMVC project in which the user authentication is based on spring security.
the idea is to have a mobile (android) application to be able to send some sort of data to backend.
So before get my hand dirty into android developing I decided to mock the situation of login form using cURL.
the login form in our site is as following :
http://localhost:8080/app/user/login
and I use following command :
curl -F 'username=admin&password=admin' http://localhost:8080/app/user/login
but yet I will get login page in other words I am not able to pass user authentication based on a mock up situation.
just to note : for every request the spring secure will create a randomize token something similar to :
8863F732ADDE24CD167F4EF502A4333D
how should I pass login form based on spring security using mock situation (either cURL or HTTPClient)
Use
cURLlike this:CSRF
If you get something like
Expected CSRF token not found. Has your session expired?that means that CSRF token protection is enabled. To test it with cURL you need a cookie and a CSRF token itself.The following command will write all cookies to a file named
cookieand print out the CSRF token. Spring Security default token parameter name is_csrf, if you’ve changed it then you need to changegrep csrfalso.Then you can execute next command which will pass all cookies from file. Don’t forget to replace
|your_token_value|with an actual value which is printed out by the previous command (and_csrfparameter name if you’ve changed it).From Spring Security 3.x to 4.x
Note that in Spring Security 4.x default value for
login-processing-urlchanged from/j_spring_security_checkto POST/login, default value forusername-parameterchanged fromj_usernametousernameand default value forpassword-parameterchanged fromj_passwordtopassword. If an application explicitly provides these attributes, no action is required for the migration.