Spring Security keeps redirecting me to login page
Try with 127.0.0.1 instead of localhost.
Explanation
Your browser doesn't set the JSESSIONID cookie for localhost (see this SO question), so when redirecting after successful login the next request looks not authenticated to the server.
If you use idea and you open the browser clicking on the Services panel, you can add this config in your application-dev.yml to fix that:
server:
address: 127.0.0.1
You configured that all other URLs must be authenticated, see Spring Security Reference:
Authorize Requests
Our examples have only required users to be authenticated and have done so for every URL in our application. We can specify custom requirements for our URLs by adding multiple children to our
http.authorizeRequests()method. For example:protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() 1 .antMatchers("/resources/**", "/signup", "/about").permitAll() 2 .antMatchers("/admin/**").hasRole("ADMIN") 3 .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") 4 .anyRequest().authenticated() 5 .and() // ... .formLogin(); }1 There are multiple children to the http.authorizeRequests() method each matcher is considered in the order they were declared.
2 We specified multiple URL patterns that any user can access. Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
3 Any URL that starts with "/admin/" will be restricted to users who have the role "ROLE_ADMIN". You will notice that since we are invoking the hasRole method we do not need to specify the "ROLE_" prefix.
4 Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA". You will notice that since we are using the hasRole expression we do not need to specify the "ROLE_" prefix.
5 Any URL that has not already been matched on only requires that the user be authenticated