Getting Bad credentials error messages when using form-login and UserDetailsService

[newguy]

Hi

I am getting an error saying

Login failed, try again.
Reason: Bad credentials

when I try to login to my web application.

My project is a Roo project so there are some aspectj files and other configuration files that I don't want to post out just to avoid confusion and save space.

After I press submit button to login it redirects me to the "/login?login_error=t" which is the authentication-failure-url specified in the form-login element and shows the bad credentials error.

Here is the configuration:

applicationContext-security.xml

Code:

<http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" requires-channel="https"/>
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
           <form-login login-page="/login" 
              authentication-failure-url="/login?login_error=t"/>
        <logout />
	<remember-me />
</http>
	
<authentication-manager alias="myAuthenticationManager">
	<authentication-provider user-service-ref="userDetailsService"/>
</authentication-manager>

<beans:bean id="userDetailsService"
	  class="service.JpaUserDetailsService" />

login.jspx

Code:

    <spring:url value='/j_spring_security_check' var="form_url"/> 
    <!-- Login form -->
    <form name="f" action="${form_url}" method="POST"> 
        <input id="j_username" type="text" name="j_username"/>
	<span class="submit">
		<spring:message code="button.submit" var="submit_label"/>
		<input id="proceed" type="submit" value="${submit_label}"/>
	 </span>
    </form>

JpaUserDetailsService:

Code:

	@Override
	public UserDetails loadUserByUsername(final String username)
		throws UsernameNotFoundException
	{
		final Query query = Person.findPeopleByUsernameEquals(username); // Using aspectj method
		try { 
			final Person user = (Person) query.getSingleResult();
			final Set<GrantedAuthority> roles = new HashSet<GrantedAuthority>();
			for (Privilege role : user.getRoles()) {
				roles.add(new GrantedAuthorityImpl(role.getName()));
			}
			if (LOGGER.isDebugEnabled()) {
				LOGGER.debug(
					"User " + user.getFullName() + " has roles = " + roles);
			}
			return new NormalUser(user, roles); // NormalUser is a class extends User
		}
		catch (EmptyResultDataAccessException e) {
			throw new UsernameNotFoundException("No user called " + username, e);
		}
		catch (EntityNotFoundException e) {
			throw new UsernameNotFoundException("No user called " + username, e);
		}
		catch (NonUniqueResultException e) {
			throw new IllegalStateException("Multiple users called " + username, e);
		}
	}

Debug information shows that the code can show the user's full name and its roles, but I get that bad credentials error so I can't login to the web application, any idea why this would happen?

[newguy]

I've found out the problem after reading some chapters in the book Spring Security 3 written by Peter Mularien. The bad credentials error is thrown if the username doesn't exist or the username and password doesn't match.

In my case the username is correct because it is in the database. But there is no password field in the database because my web app was previously using OpenID for authentication.

So there is no password field in my login.jspx or my NormalUser.

In my NormalUser class the constructor uses "N/A" as the password for its super class constructor

Code:

User(String username, String password, boolean enabled, boolean accountNonExpired,
            boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)

.

So I just need to add this to login.jspx to match what I put in NormalUser as the password and it solves my problem.

Code:

<input id="j_password" type="hidden" name="j_password" value="N/A"/>