new Authorization Server Custom Login Page

Question

I am using new Spring Authorization Server

<dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-authorization-server</artifactId>
        <version>0.2.3</version>
    </dependency>

I wan to configure custom login page. I have two beans configured

AuthorizationServerConfig.java

   @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

        return http.cors(Customizer.withDefaults())
                .formLogin()
                .and().build();
    }

SecurityConfig.java

 @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .cors(withDefaults())
                .authorizeRequests(authorizeRequests ->
                        authorizeRequests.mvcMatchers("/custom-login", "/css/**", "/js**", "/image/**").permitAll().anyRequest().authenticated()
                )
                .formLogin()
                .loginPage("/custom-login").failureForwardUrl("/custom-login?error");
        return http.build();
    }

Whenever User enter incorrect credentials is not being directed to /custom-login?error He is directed to /custom-login

I seems .failureForwardUrl("/custom-login?error"); is not working

If don't use custom login page user is being directed to /login?error=some-error

Can someone help to solve this problem?

Answer 1

I solved the problem.

I changed the configuration to

AuthorizationServerCOnfig.java

@Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

        return http
                .cors(Customizer.withDefaults())
                .formLogin().loginPage("/custom-login").failureForwardUrl("/custom-login?error=true")
                .and()
                .build();
    }

SecurityConfig.java

  @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .cors(withDefaults())
                .formLogin().failureForwardUrl("/custom-login")

        return http.build();
    }

I added LoginController.java to handle custom-login redirects.

@Controller
public class LoginController {
    @GetMapping("/custom-login")
    public String login() {
        return "login";
    }


    @PostMapping("/custom-login")
    public String loginFailed() {
        return "redirect:/authenticate?error=invalid username or password";
    }
}

If you don't specify those end points. you will be redirected to /login

Also I had both

<dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>

And

<dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-authorization-server</artifactId>
            <version>0.2.3</version>
        </dependency>

My service was both authorization server and resource server at the same time. So I removed

  <dependency>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
        </dependency>

And every thing works expectedly