Copilot AI commented Jan 11, 2026

Login authentication was failing after Spring Security 5 migration. The login form uses j_username and j_password (legacy J2EE convention), but Spring Security 5 defaults to username and password.

Changes

  • treebase-security.xml / top-security.xml: Added explicit username-parameter and password-parameter attributes to <security:form-login>:

        <security:form-login
            login-page="/login.jsp"
            login-processing-url="/j_security_check"
            username-parameter="j_username"
            password-parameter="j_password"
            .../>

  • DelegatingPasswordEncoderTest.java: Added 12 unit tests covering BCrypt encoding, legacy plain text matching, and password upgrade detection

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • getahead.org
    • Triggering command: /opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/xml/tools/xml-extractor.jar --fileList=/home/REDACTED/work/treebase/.codeql-scratch/dbs/java/working/files-to-index14661147682892954639.list --sourceArchiveDir=/home/REDACTED/work/treebase/.codeql-scratch/dbs/java/src --outputDir=/home/REDACTED/work/treebase/.codeql-scratch/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

The password authentication system isn't working. I have a user/pass combo. I am able to go through the whole password reset workflow. But then when I try to log in, I can't. You need to do a comprehensive analysis of the initial login procedure:

  • how are the user name and password being parsed from the request?
  • is the password being encrypted correctly?
  • is the encrypted password being checked against the database correctly?
  • does the logic to deal with legacy, unencrypted passwords work and not interfere?

Do a comprehensive analysis before you start patching. Ask questions if you need to. Run tests.



Co-authored-by: rvosa <106490+rvosa@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix password authentication system issues" to "Fix Spring Security form-login to use legacy j_username/j_password parameters" Jan 11, 2026
Copilot AI requested a review from rvosa January 11, 2026 13:35
@rvosa rvosa marked this pull request as ready for review January 11, 2026 13:40
@rvosa rvosa merged commit abf202e into master Jan 11, 2026
3 checks passed
@rvosa rvosa deleted the copilot/analyze-login-authentication-issues branch January 11, 2026 13:41
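
A regression check for the mismatch this PR fixes, as an added example that is not code from the PR or the project: it compares the parameter names that `<security:form-login>` makes Spring Security read against the field names the login form actually posts. The sample config and form are constructed, and `check_login` and `FormFields` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SEC_NS = "http://www.springframework.org/schema/security"
# Names the filter reads when the attributes are absent (per the PR description)
DEFAULTS = {"username-parameter": "username", "password-parameter": "password"}

# Constructed samples, not the project's actual files
CONFIG_BEFORE = f'''<beans xmlns:security="{SEC_NS}">
  <security:http>
    <security:form-login login-page="/login.jsp"
        login-processing-url="/j_security_check"/>
  </security:http>
</beans>'''
CONFIG_AFTER = CONFIG_BEFORE.replace(
    'login-processing-url="/j_security_check"',
    'login-processing-url="/j_security_check" '
    'username-parameter="j_username" password-parameter="j_password"')
LOGIN_FORM = '''<form method="post" action="/j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
</form>'''

class FormFields(HTMLParser):
    """Collects the form action and the names of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.action, self.names = None, set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.names.add(a["name"])

def check_login(config_xml, form_html):
    """Return mismatches between the form-login config and the posted form."""
    form = FormFields()
    form.feed(form_html)
    problems = []
    for fl in ET.fromstring(config_xml).iter(f"{{{SEC_NS}}}form-login"):
        for attr, default in DEFAULTS.items():
            expected = fl.get(attr, default)
            if expected not in form.names:  # filter would see a null credential
                problems.append(f"{attr}: filter reads '{expected}', "
                                f"form posts {sorted(form.names)}")
        url = fl.get("login-processing-url")
        if url and form.action != url:
            problems.append(f"form action '{form.action}' != '{url}'")
    return problems
```

Run against the real security XML and rendered login page in CI, a non-empty result flags this class of silent login failure before deployment.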