Is the java-spring-security-mvc 06-rules example broken?

Hi,

I downloaded the following (which came pre-loaded with the default client's keys and credentials)

https://auth0.com/docs/quickstart/webapp/java-spring-security-mvc/06-rules

The default client has the correct callback and logout URLs for the demo.

When I attempt to log in, I can see the following in the logs:

  1. Success Exchange Authorization Code for Access Token 4 minutes ago Default App
  2. Success Login example@gmail.com 4 minutes ago Username-Password-Authentication Default App
  3. API Operation Update a user 4 minutes ago
  4. Success Exchange Client Credentials for Access Token 4 minutes ago auth0-authz

When I inspect the user example@gmail.com I can see that the correct role has been added to the metadata:

{
  "roles": [
    "ROLE_ADMIN"
  ]
}

However, after the login the browser gets stuck in an infinite loop to the login page and I get a

GET http://localhost:3099/login net::ERR_TOO_MANY_REDIRECTS

I added debug to the home.jsp page but it never appears to get there (tried this in Chrome and Firefox on Linux).

Is this example broken or am I missing something?

Is there any chance that someone could have a look at this? I have added debug statements in

  • login controller - nothing
  • home controller - nothing
  • call back controller - nothing

where "nothing" means it does not appear to be getting called.

Getting exactly the same error following

https://auth0.com/docs/quickstart/webapp/java-spring-security-mvc/01-login

Again I can see a successful login for the user, but the browser ends up in a redirect loop with

GET http://localhost:3099/login net::ERR_TOO_MANY_REDIRECTS

I can't repro the issue and it's working fine. I followed these steps:

  1. Created a new Client of Type “Regular Web Application” with Token Endpoint Authentication Method “POST”.
  2. Added Callback URL http://localhost:3099/callback to the allowed callback URLs.
  3. Added Logout URL http://localhost:3099/logout to the allowed logout URLs.
  4. Checked the Algorithm used by the client to sign the tokens in “Advanced Settings” → “OAuth”. In my case it was HS256.
  5. Pressed “SAVE CHANGES” button on the bottom of the page.
  6. Created a new Rule that sets ROLE_USER and ROLE_ADMIN roles in the app_metadata property of the user profile. (Snippet found on the article you’ve shared).
  7. Made sure I was logged in before clicking the Download Sample button, so the credentials get replaced automatically. Anyway, you should manually check in the auth0.properties file that the client_id, client_secret, domain, and algorithm are correct (as configured in your client).
  8. Run the app. Try to open http://localhost:3099. I’m redirected to Auth0’s login page. Put my credentials and the /portal/home page is shown.

I'm pretty sure the error you're having is that the role doesn't match the one required by the security configuration. Start by commenting out the antMatcher lines in order to rule out the other cases one at a time: allowed for everyone, then requires authentication, and finally requires authority. Another way to debug it is to put a breakpoint in Auth0UserDetails#setupGrantedAuthorities to understand how the roles are parsed from the profile. Lastly, you can always use the Chrome Web Tools to inspect the network requests and see whether the info is valid or not.
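An added illustration of the two things the answer above says to check, written for this thread and not taken from the quickstart or from any poster here: how the roles a rule writes into app_metadata become authority strings, and whether those strings satisfy an antMatcher-style requirement for the requested path. The class, method names and the path-to-role table are assumptions for the demo; the quickstart's real parsing lives in Auth0UserDetails#setupGrantedAuthorities and its real rules in the security configuration. The matching is exact (like Spring's hasAuthority), so a prefix or case difference between the stored role and the required one shows up as a denial with an explanation.

```java
import java.util.*;

/*
 * Added example (not code from the Auth0 quickstart or this thread).
 * Models: profile.app_metadata.roles -> authorities -> antMatcher-style decision.
 * All names and the RULES table are illustrative assumptions.
 */
public class RoleCheckDemo {

    /** Outcome of an access decision, mirroring what Spring Security would do. */
    enum Decision { PERMIT, REDIRECT_TO_LOGIN, ACCESS_DENIED }

    /** Path prefix -> required authority (null = any authenticated user); first match wins. */
    static final LinkedHashMap<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/portal/admin", "ROLE_ADMIN");
        RULES.put("/portal/", "ROLE_USER");
    }

    /** Extract app_metadata.roles from a profile map as exact authority strings. */
    static Set<String> authoritiesFromProfile(Map<String, Object> profile) {
        Set<String> authorities = new LinkedHashSet<>();
        Object appMetadata = profile.get("app_metadata");
        if (!(appMetadata instanceof Map)) return authorities;   // no metadata: no roles
        Object roles = ((Map<?, ?>) appMetadata).get("roles");
        if (roles instanceof Collection) {
            for (Object r : (Collection<?>) roles) {
                if (r != null && !r.toString().trim().isEmpty()) authorities.add(r.toString().trim());
            }
        } else if (roles instanceof String) {                     // rule stored one string, not a list
            authorities.add(((String) roles).trim());
        }
        return authorities;
    }

    /** Decide access for a path given the session state and its granted authorities. */
    static Decision decide(String path, boolean authenticated, Set<String> authorities) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (!path.startsWith(rule.getKey())) continue;
            if (!authenticated) return Decision.REDIRECT_TO_LOGIN;
            String required = rule.getValue();
            return (required == null || authorities.contains(required))
                    ? Decision.PERMIT : Decision.ACCESS_DENIED;
        }
        return Decision.PERMIT;  // paths outside the rules (e.g. /login, /callback) are open
    }

    /** Required authority for a path, or null if no rule matches. */
    static String requiredFor(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet())
            if (path.startsWith(rule.getKey())) return rule.getValue();
        return null;
    }

    /** Explain a denial: list authorities that differ from the requirement only by prefix or case. */
    static String explainMismatch(String required, Set<String> authorities) {
        List<String> nearMisses = new ArrayList<>();
        String bareReq = required.replaceFirst("^ROLE_", "");
        for (String a : authorities) {
            String bare = a.replaceFirst("^ROLE_", "");
            if (!a.equals(required) && bare.equalsIgnoreCase(bareReq)) nearMisses.add(a);
        }
        if (nearMisses.isEmpty()) return "no authority resembles " + required + "; granted: " + authorities;
        return "near miss for " + required + ": " + nearMisses + " (check ROLE_ prefix and case)";
    }

    public static void main(String[] args) {
        // Constructed profiles standing in for what a rule writes into app_metadata.
        Map<String, Object> admin = new HashMap<>();
        admin.put("app_metadata", Collections.singletonMap("roles", Arrays.asList("ROLE_USER", "ROLE_ADMIN")));

        Map<String, Object> badPrefix = new HashMap<>();
        badPrefix.put("app_metadata", Collections.singletonMap("roles", Arrays.asList("user", "admin")));

        Map<String, Object> noMetadata = new HashMap<>();   // rule never ran, or wrote user_metadata instead

        for (Map<String, Object> profile : Arrays.asList(admin, badPrefix, noMetadata)) {
            Set<String> granted = authoritiesFromProfile(profile);
            for (String path : Arrays.asList("/portal/home", "/portal/admin")) {
                Decision d = decide(path, true, granted);
                String line = path + " with " + granted + " -> " + d;
                if (d == Decision.ACCESS_DENIED) line += "  [" + explainMismatch(requiredFor(path), granted) + "]";
                System.out.println(line);
            }
        }
        // An unauthenticated session is what sends the browser to /login in the first place.
        System.out.println("/portal/home unauthenticated -> " + decide("/portal/home", false, Collections.<String>emptySet()));
    }
}
```

Running it prints PERMIT for the profile whose roles exactly match, ACCESS_DENIED with a "near miss" note for the profile whose rule stored "user"/"admin" without the ROLE_ prefix, and ACCESS_DENIED with an empty granted set when app_metadata is missing. The same three conditions are what a breakpoint in Auth0UserDetails#setupGrantedAuthorities lets you observe against a real profile.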

Thank you very much!

Actually the problem was in using the default client, once I created a new client it worked exactly as intended. The rules were fine.

I went back to the default client and adjusted the following settings:

  • client type - regular web application
  • token endpoint authentication method - post

Still wasn't working.

But very happy to have a working version of the code!

Thanks Again.