Spring-Security : Username is sent empty for login after upgrade to Spring-Security 4.1

Question

I am working on a Spring-MVC based application in which we are using Spring-Security for login, authorization. We were using version 3.2.5 before and the upgrade was 4.1.1.

Answer 1

Probably the problem is that starting from Spring Security version 4.+ parameters names for form login changed their names:

• username instead of j_username
• password instead of j_password
• POST to /login URL instead of /j_spring_security_check

So you should either rename parameters in your login form or override these parameters name using form-login parameters like this:

<form-login login-page="/login"
                    username-parameter="j_username" 
                    password-parameter="j_password" 
                    login-processing-url="/j_spring_security_check" 
                    ..../>

Please take a look at this resourse, it might be helpful for your migration - http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html#m3to4-xmlnamespace-form-login

Answer 2

In your securityApplicationContext.xml add username-parameter="j_username" password-parameter="j_password" as below:

<security:form-login username-parameter="j_username" password-parameter="j_password" login-page="/login" login-processing-url="/j_spring_security_check" default-target-url="/dashboard" always-use-default-target="false" authentication-failure-url="/denied" />