Home/ Questions/Q 4075570
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T17:18:54+00:00

My web application is using Spring Security but it returning a BadCredentialsException when processing

  • 0

My web application is using Spring Security but it returning a BadCredentialsException when processing a form based login. The credentials entered by the user match exactly whats in the database and I don’t see the Spring code that compares the j_password value against that of the Users.getPassword from the db, any ideas on how to troubleshoot this? I want to see what its comparing to throw the BadCredentialsException. When I use a hardcoded Below is an outline of my implementation hoping someone can spot my error. Thanks for the assistance!

public static Users getLoggedInUser() {
    Users user = null;
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null && auth.isAuthenticated()) {
        Object principal = auth.getPrincipal();
        if (principal instanceof Users) {
            user = (Users) principal;
        }
    }
    return user;
}

security context file(removed the xml and schema definitions):

<global-method-security secured-annotations="enabled">
</global-method-security>
<http security="none" pattern="/services/rest-api/1.0/**" />
<http security="none" pattern="/preregistered/**" />
<http access-denied-page="/auth/denied.html">
    <intercept-url
        pattern="/**/*.xhtml"
        access="ROLE_NONE_GETS_ACCESS" />
    <intercept-url
        pattern="/auth/**"
        access="ROLE_ANONYMOUS,ROLE_USER" />
    <intercept-url
        pattern="/auth/*"
        access="ROLE_ANONYMOUS" />
     <intercept-url
        pattern="/**"
        access="ROLE_USER" />
    <form-login
        login-processing-url="/j_spring_security_check.html"
        login-page="/auth/login.html"
        default-target-url="/registered/home.html"
        authentication-failure-url="/auth/login.html?_dc=45" />
    <logout logout-url="/auth/logout.html"
            logout-success-url="/" />
    <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    <remember-me user-service-ref="userManager" key="valid key here"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager>
    <authentication-provider user-service-ref="userManager">
            <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>

UserDetails Implementation (Users.java):

public class Users implements Serializable, UserDetails {
    public Collection<GrantedAuthority> getAuthorities() {
     List<GrantedAuthority> auth = new ArrayList<GrantedAuthority>();
    auth.add(new GrantedAuthorityImpl("ROLE_USER"));
    return auth;
}

}

user-service-ref=”userManager” (UserManagerImpl.java):

 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
    Users user = null;
    try {
        user = userDAO.findByUsername(username);
    } catch (DataAccessException ex) {
        throw new UsernameNotFoundException("Invalid login", ex);
    }
    if (user == null) {
        throw new UsernameNotFoundException("User not found.");
    }
    return user;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It looks like you are storing cleartext password in the database, but using a passwordEncoder in spring-security configuration, which encodes the received password before comparing against the stored one.

    • 0