I have a problem with my spring-security configuration.
I'm working with the Spring 3.2.3 release, and I have the following spring-security.xml:
<http pattern="/login*" security="none"/>
<http auto-config="true">
<intercept-url method="GET" pattern='/**' access='ROLE_ADMIN' />
<form-login login-page="/login.ctx" default-target-url="/private/home.ctx" authentication-failure-url="/loginfailure.ctx" />
<logout invalidate-session="true" logout-success-url="/logout.ctx" />
</http>
The login authentication works fine, but if I call a service without authentication, the security allows retrieving the data, which is not what I expected!
Example:
1 - Run the application on JBoss
2 - Invoke this URL: http://localhost:8080/ContextPanel/application/1 (this calls a web service)
The URL at point 2 invokes a service and returns the required data, but authentication at the application is not performed!
I would like to avoid this behavior!
This is a snippet of web.xml:
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
When attempting to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat's session-timeout set to 1 minute for testing):
With the springSessionRepositoryFilter filter in web.xml commented-out, I am correctly booted to the login screen after a minute of inactivity
With the springSessionRepositoryFilter filter in web.xml active, I can continue to use the app at least 5 minutes after the last activity
Besides that, everything seems to work as expected - the session is persisted in redis & across webapp restarts, and logging out manually correctly invalidates the session.
Some snippets of my configuration - here is the invalid session handler configuration for spring-security, that will cause expired sessions to be redirected to a login page:
...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository">
<beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
</beans:constructor-arg>
<beans:property name="invalidSessionStrategy">
<beans:bean class="my.CustomInvalidSessionStrategy"/>
</beans:property>
</beans:bean>
...
<http>
...
<custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
...
<logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>
The web.xml's filter chain looks like:
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And (one of) the spring context files loaded contains:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>
Hopefully I'm just missing something really obvious!
Edit: The versions I used for the attempt were spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE
When using Redis, the session timeout is configured like this:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
<property name="maxInactiveIntervalInSeconds" value="10"></property>
</bean>
We are developing a web application that needs different authentication, in my case for agent and member. These are the details:
Agent profile page is at http://my.local/spring-security-hello-world/agent/profile
Member profile page is at http://my.local/spring-security-hello-world/member/profile
Both pages are filtered by springSecurityFilterChain.
But I have some issues here. First I log in at the agent profile page and am successfully logged in. But then I open the member page, and I get HTTP Status 403 - Access is denied. The situation I want to achieve is that both agent and member are able to log in.
Here is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>spring-security-hello-world</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And this is my spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- <http pattern="/agent/login" security="none" /> -->
<http pattern="/member/**">
<intercept-url pattern="/**" access="ROLE_MEMBER" />
<form-login login-page="/member_login" default-target-url="/member/profile"
authentication-failure-url="/member_loginfailed" />
<logout logout-success-url="/member_logout" />
</http>
<http auto-config="true">
<intercept-url pattern="/agent/**" access="ROLE_AGENT" />
<form-login login-page="/agent_login" default-target-url="/agent/profile"
authentication-failure-url="/agent_loginfailed" />
<logout logout-success-url="/agent_logout" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="agent" password="123456" authorities="ROLE_AGENT" />
</user-service>
</authentication-provider>
<authentication-provider>
<user-service>
<user name="member" password="123456" authorities="ROLE_MEMBER" />
</user-service>
</authentication-provider>
</authentication-manager>
Notes:
In my case one user must only have one role (either agent or member only)
If you do it in the same browser, then your agent with ROLE_AGENT is used to access a page which is restricted to ROLE_MEMBER. You can add ROLE_MEMBER to your access, i.e. access="ROLE_AGENT, ROLE_MEMBER", to check it.
I'm developing a login page with Spring Security, but when I start my project it is automatically redirected to the login page. I have a <welcome-file-list> in my web.xml that redirects to index.xhtml, so why is it redirected to login.xhtml?
web.xml
<web-app>
<display-name>AirTour</display-name>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<!-- SPRING -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/conf/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- SPRING SECURITY -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- JSF -->
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
</web-app>
applicationContext.xml
<bean id="userDetailsManager" class="org.springframework.security.provisioning.JdbcUserDetailsManager">
<property name="dataSource" ref="dataSource"></property>
</bean>
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<property name="userPropertyToUse" value="username"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userDetailsManager">
<security:password-encoder ref="passwordEncoder">
<security:salt-source ref="saltSource"/>
</security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<security:http >
<security:intercept-url pattern="/user/*" access="ROLE_USER"/>
<security:intercept-url pattern="/comp/*" access="ROLE_COMP"/>
<security:intercept-url pattern="/admin/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/*" access="ROLE_ANONIMOUS,ROLE_USER,ROLE_COMP,ROLE_ADMIN"/>
<security:form-login login-page="/login"/>
</security:http>
It looks like you've made a spelling mistake in your spring security config. Replace ROLE_ANONIMOUS with ROLE_ANONYMOUS:
<security:intercept-url pattern="/*" access="ROLE_ANONYMOUS,ROLE_USER,ROLE_COMP,ROLE_ADMIN"/>
Change your last intercept-url to this:
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
Also use auto-config in security:http.
<security:http auto-config="true">
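The three configurations above (the GET-only rule in the first post, the agent/member chains, and the JSF post with the misspelt role) all come down to the same two questions: which <http> chain a request lands in, and which <intercept-url> inside it is the first to match. The following Python model is an added example, not code from any of the posts and not Spring Security's own code; it reproduces only the ordering and Ant-pattern semantics of the 3.x namespace (first matching chain, first matching rule, method-restricted rules, RoleVoter/AuthenticatedVoter under AffirmativeBased, and the fall-through when no rule matches). The chain and rule tables are transcribed from the posted XML; the request paths and role sets are constructed inputs, and it ignores details such as path parameters that the real request matchers handle.

```python
"""Model of Spring Security 3.x namespace chain/rule evaluation (added example,
not Spring's code). Chains and rules below are transcribed from the posts."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


def ant_to_regex(pattern: str) -> re.Pattern:
    """Ant pattern -> anchored regex: '?' one char, '*' any chars inside one
    path segment, '**' any number of segments ('/a/**' also matches '/a')."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and (i + 3 == len(pattern) or pattern[i + 3] == "/"):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


@dataclass
class Rule:                        # one <intercept-url>
    pattern: str
    access: str                    # comma-separated attributes, as written in the XML
    method: Optional[str] = None   # method="GET" limits the rule to that verb


@dataclass
class Chain:                       # one <http> element; first matching chain wins
    pattern: str = "/**"
    rules: List[Rule] = field(default_factory=list)
    secured: bool = True           # security="none" -> no filter runs at all


ANON = frozenset({"ROLE_ANONYMOUS"})   # what the default <anonymous> filter grants


def vote(attributes, authorities) -> bool:
    """AffirmativeBased with RoleVoter + AuthenticatedVoter: one grant allows,
    otherwise the request is denied (also when every voter abstains)."""
    granted = False
    for attr in attributes:
        if attr.startswith("ROLE_"):                   # RoleVoter
            granted |= attr in authorities
        elif attr == "IS_AUTHENTICATED_ANONYMOUSLY":   # AuthenticatedVoter
            granted = True
    return granted


def decide(chains, method, path, authorities=ANON) -> str:
    """UNFILTERED: security="none" or no chain.  GRANTED: a rule matched and
    the voters allowed it.  NO_RULE: no <intercept-url> matched, so
    FilterSecurityInterceptor lets it through (rejectPublicInvocations is
    false by default).  LOGIN_REDIRECT: denied while anonymous, so the entry
    point sends the user to the login page.  FORBIDDEN: denied while
    authenticated, a 403."""
    chain = next((c for c in chains if ant_to_regex(c.pattern).fullmatch(path)), None)
    if chain is None or not chain.secured:
        return "UNFILTERED"
    for rule in chain.rules:
        if rule.method and rule.method != method:
            continue
        if ant_to_regex(rule.pattern).fullmatch(path):
            attrs = [a.strip() for a in rule.access.split(",")]
            if vote(attrs, authorities):
                return "GRANTED"
            return "LOGIN_REDIRECT" if "ROLE_ANONYMOUS" in authorities else "FORBIDDEN"
    return "NO_RULE"


# First post: /login* unsecured, GET /** needs ROLE_ADMIN (other verbs have no rule).
FIRST_POST = [Chain("/login*", secured=False),
              Chain(rules=[Rule("/**", "ROLE_ADMIN", method="GET")])]

# Agent/member post: a dedicated chain for /member/**, the default chain for the rest.
AGENT_MEMBER = [Chain("/member/**", [Rule("/**", "ROLE_MEMBER")]),
                Chain(rules=[Rule("/agent/**", "ROLE_AGENT")])]

# JSF post, misspelt role kept; note that /* only covers a single path segment.
JSF_POST = [Chain(rules=[Rule("/user/*", "ROLE_USER"), Rule("/comp/*", "ROLE_COMP"),
                         Rule("/admin/*", "ROLE_ADMIN"),
                         Rule("/*", "ROLE_ANONIMOUS,ROLE_USER,ROLE_COMP,ROLE_ADMIN")])]

if __name__ == "__main__":
    cases = [  # constructed requests
        ("first post, anonymous GET", FIRST_POST, "GET", "/application/1", ANON),
        ("first post, anonymous POST", FIRST_POST, "POST", "/application/1", ANON),
        ("first post, /login* prefix", FIRST_POST, "GET", "/login-anything.ctx", ANON),
        ("agent on member page", AGENT_MEMBER, "GET", "/member/profile", {"ROLE_AGENT"}),
        ("JSF welcome page, anonymous", JSF_POST, "GET", "/index.xhtml", ANON),
        ("JSF nested path, ROLE_USER", JSF_POST, "GET", "/user/reports/2014.xhtml", {"ROLE_USER"}),
    ]
    for label, chains, method, path, auth in cases:
        print(f"{label:30} {method:4} {path:26} -> {decide(chains, method, path, auth)}")
```

Reading the output against the posts: the first post's rule protects GET /application/1 in this model (so the behaviour the poster saw has to come from something outside the rules themselves), but a POST to the same URL hits no rule at all, and any path beginning with /login is exempt from every filter. An agent requesting /member/profile is authenticated but lacks ROLE_MEMBER, which is exactly the 403 the second poster reports. In the JSF post, an anonymous user can never hold ROLE_ANONIMOUS, so the welcome page bounces to the login page; and because /user/* matches only one segment, a URL such as /user/reports/2014.xhtml matches nothing and is served without any check, which is the argument for the /** pattern in the second answer.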
I am somewhat new to spring security and I am trying to migrate an existing application from security 2.0.4 to 3.1 and I am getting the following error message:
org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'org.springframework.security.authentication.dao.DaoAuthenticationProvider#0': Initialization of bean failed;
nested exception is org.springframework.beans.ConversionNotSupportedException:
Failed to convert property value of type org.springframework.security.authentication.dao.DaoAuthenticationProvider'
to required type 'org.springframework.security.core.userdetails.UserDetailsService' for property 'userDetailsService';
nested exception is java.lang.IllegalStateException: Cannot convert value of type [org.springframework.security.authentication.dao.DaoAuthenticationProvider]
to required type [org.springframework.security.core.userdetails.UserDetailsService]
for property 'userDetailsService': no matching editors or conversion strategy found
I feel like I am missing something obvious but I can't for the life of me see it.
This is my applicationContextSecurity.xml file
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="employeeServiceFacade"/>
<beans:property name="passwordEncoder" ref="passwordEncoderDecoder"/>
<beans:property name="hideUserNotFoundExceptions" value="false" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="daoAuthenticationProvider"/>
</authentication-manager>
<global-method-security secured-annotations="disabled"/>
<beans:bean id="customAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login.action"/>
</beans:bean>
<beans:bean id="customAuthenticationProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationFailureHandler" ref="failureHandler" />
<beans:property name="authenticationSuccessHandler" ref="successHandler" />
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="allowSessionCreation" value="true" />
<beans:property name="sessionAuthenticationStrategy" ref="sas"/>
</beans:bean>
<beans:bean id="successHandler" class="com.es.tms.web.security.RoleBasedTargetUrlResolver" >
<beans:property name="defaultTargetUrl" value="/timesheet/searchTimeEntries.action" /> <!-- which is the default value -->
<beans:property name="roleNameToUrlMap">
<util:map>
<beans:entry key="ROLE_ASSISTANT" value="/billing/viewBillings.action"/>
<beans:entry key="ROLE_BILLING" value="/expenses/viewToAPApproveExpenses.action"/>
<beans:entry key="ROLE_PAYROLL" value="/payroll/viewPayroll.action"/>
<beans:entry key="ROLE_OFFICEASSISTANTEXPENSES" value="/expenses/searchExpenseEntries.action"/>
<beans:entry key="ROLE_ADMIN_LEVEL1" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_ADMIN" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_ADMIN_ASSISTANT" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_ACCOUNT_MANAGER" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_HR" value="/administration/searchEmployees.action"/>
<beans:entry key="ROLE_RECRUITER_MANAGER" value="/administration/searchEmployees.action"/>
</util:map>
</beans:property>
<beans:constructor-arg ref="defaultTargetUrlResolver" />
</beans:bean>
<beans:bean id="defaultTargetUrlResolver" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" />
<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" >
<beans:property name="defaultFailureUrl" value="/login.action?login_error=true" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<beans:property name="migrateSessionAttributes" value="true" />
</beans:bean>
<!-- Non Secured patterns -->
<http security="none" pattern="/images/**" />
<http security="none" pattern="/styles/**" />
<http security="none" pattern="/scripts/**" />
<http security="none" pattern="/common/**" />
<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint" access-denied-page="/forbidden.jsp">
<custom-filter position="FORM_LOGIN_FILTER" ref="customAuthenticationProcessingFilter" />
<!-- SECURITY URLs -->
<intercept-url pattern="/login.action*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/index.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/error*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<logout logout-success-url="/login.action"/>
<anonymous username="Guest" granted-authority="ROLE_ANONYMOUS"/>
<remember-me/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="employeeServiceFacade">
<password-encoder ref="passwordEncoderDecoder"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="passwordEncoderDecoder" class="com.es.tms.util.CustomPasswordEncoder"/>
<beans:bean id="employeeServiceFacade" class="com.es.tms.service.security.EmployeeServiceFacade">
<beans:property name="coreService" ref="coreService"/>
<beans:property name="hireStatusCodes" value="O:SOP's have not been completed#P:Survey has not been completed" />
</beans:bean>
</beans:beans>
Also this is my web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="stanplus" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>TMS</display-name>
<!-- Define the basename for a resource bundle for I18N -->
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>app_resources</param-value>
</context-param>
<!-- Fallback locale if no bundles found for browser's preferred locale -->
<!-- Force a single locale using param-name 'javax.servlet.jsp.jstl.fmt.locale' -->
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.fallbackLocale</param-name>
<param-value>en</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContextMail.xml
/WEB-INF/applicationContextDao.xml
/WEB-INF/applicationContextService.xml
/WEB-INF/applicationContextWeb.xml
/WEB-INF/applicationContextReports.xml
/WEB-INF/applicationContextQuartz.xml
/WEB-INF/applicationContextSecurity.xml
</param-value>
</context-param>
<!-- Filters -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>sitemesh</filter-name>
<filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>
<filter>
<filter-name>struts-cleanup</filter-name>
<filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
<filter>
<filter-name>struts</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter>
<filter-name>lazyLoadingFilter</filter-name>
<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>lazyLoadingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts-cleanup</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>struts</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>net.sf.navigator.menu.MenuContextListener</listener-class>
</listener>
<!-- Servlets -->
<servlet>
<servlet-name>jspSupportServlet</servlet-name>
<servlet-class>org.apache.struts2.views.JspSupportServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>
<!-- Welcome file lists -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>
</web-app>
Any help would be much appreciated.
Thanks,
Steve
Update:
OK, I looked at this example and I did see that I had my authentication manager incorrect. So I fixed that, but now I can't seem to get past this error:
org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'daoAuthenticationProvider'
defined in ServletContext resource [/WEB-INF/applicationContextSecurity.xml]:
Cannot resolve reference to bean 'employeeServiceFacade' while setting bean property 'userDetailsService';
nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'employeeServiceFacade'
defined in ServletContext resource [/WEB-INF/applicationContextSecurity.xml]:
Initialization of bean failed; nested exception is
org.springframework.beans.factory.BeanInitializationException:
Property 'coreService' is required for bean 'employeeServiceFacade'
I have not changed my coreService in this upgrade, but it almost looks like it has not been initialized? Any thoughts?
My coreService is set in the applicationContextService.xml file.
I have an applicationContextService.xml file that contains this bean. When I walk through it at startup in debug I see that the service is initialized, but for some reason it still thinks it is not set. I took the @Required annotation off of the coreService in the EmployeeServiceFacade class and now it seems to be working. I don't understand why, but I can at least run my app now. Thanks for the responses; it at least got me looking in the right direction.
I am integrating Spring Security with my web project, which uses SiteMesh. I am able to bring up the login page, but after authentication it is not redirecting to the target URL.
Below is my web.xml from web project.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:applicationContext-persistance.xml
classpath*:applicationContext.xml
classpath:spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!--
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/*.app</url-pattern>
</servlet-mapping>
-->
<!-- <servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/index.html</url-pattern>
</servlet-mapping>
-->
<!-- Sitemesh -->
<filter>
<filter-name>sitemesh</filter-name>
<filter-class>
com.opensymphony.module.sitemesh.filter.PageFilter
</filter-class>
</filter>
<!-- <filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/app/*</url-pattern>
</filter-mapping> -->
<filter-mapping>
<filter-name>sitemesh</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--<welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>-->
</web-app>
Below is spring-security.xml from AppSecurity project.
<security:http auto-config="true" use-expressions="true">
<security:form-login login-page="/login"
default-target-url="/index.html" always-use-default-target="true"
authentication-failure-url="/loginfailed"
authentication-success-handler-ref="postSuccessAuthHandler" />
<security:logout invalidate-session="true" logout-success-url="/app" />
<!-- <security:remember-me /> -->
<security:intercept-url pattern="/app" access="isAuthenticated()" />
<security:intercept-url pattern="/app/**" access="isAuthenticated()" />
<!-- <security:intercept-url pattern="/acct/app"
access="isAuthenticated()" /> -->
</security:http>
<!--<bean id="postSuccessAuthHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/index.html" />
</bean>-->
My loginpage.jsp is in webapp\WEB-INF\views, which is decorated by SiteMesh:
<div id="mainNav"><div class="navWrapper">
<ul>
<li class="${fn:startsWith(menuPath, 'M')? 'selected':'first'}"><a
href="${pageContext.request.contextPath}/index.html"><spring:message
code="mnu.home" /></a></li>
LoginController.java, which handles this, is:
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(ModelMap model) {
return "loginpage";
}
So the issue here is that on accessing the URL http://localhost:8080/acct/app, it shows the login page. After successful authentication it's trying to redirect to http://localhost:8080/acct/app. Not sure why that happens instead of redirecting to /index.html as specified in default-target-url.
Log lines from Tomcat show:
DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'appServlet' processing GET request for [/acct/login]
DEBUG: org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping - Mapping [/login] to HandlerExecutionChain with handler [com.mycomp.security.controller.LoginController#1e5348f] and 2 interceptors
DEBUG: org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/acct/login] is: -1
DEBUG: org.springframework.web.bind.annotation.support.HandlerMethodInvoker - Invoking request handler method: public java.lang.String com.mycomp.security.controller.LoginController.login(org.springframework.ui.ModelMap)
DEBUG: org.springframework.web.servlet.DispatcherServlet - Rendering view [org.springframework.web.servlet.view.JstlView: name 'loginpage'; URL [/WEB-INF/views/loginpage.jsp]] in DispatcherServlet with name 'appServlet'
DEBUG: org.springframework.web.servlet.view.JstlView - Forwarding to resource [/WEB-INF/views/loginpage.jsp] in InternalResourceView 'loginpage'
DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request
DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'appServlet' processing GET request for [/acct/app]
WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/acct/app] in DispatcherServlet with name 'appServlet'
DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request
DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'appServlet' processing GET request for [/acct/app]
WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/acct/app] in DispatcherServlet with name 'appServlet'
DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request
I tried debugging a lot by changing the DispatcherServlet mapping to / instead of /index.html, and changing the SiteMesh filter-mapping to /* instead of /index.html.
The same AppSecurity project works fine if integrated with a sample web project (without SiteMesh).
Not sure what I am missing here in the SiteMesh project. Any help would be great.
default-target-url="/index.html" will redirect to that page after you have successfully logged in.
For example, you can redirect to /home.html, or use /home.do in the controller to do some logic before redirecting to the page you want.
@RequestMapping(value = "/home.do", method = RequestMethod.POST)
public String login(ModelMap model) {
//TODO logic ...
return "/home.html";
}
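The answer above does not say when default-target-url is actually consulted. The handler the namespace creates for <form-login>, SavedRequestAwareAuthenticationSuccessHandler (also the class named in the commented-out bean in the question), first looks for the request that ExceptionTranslationFilter cached when it sent the user to the login page, and replays that; default-target-url is used only when there is no cached request, or when always-use-default-target is set. Two further points a reviewer would raise: the namespace applies default-target-url and always-use-default-target only to the handler it builds itself, so with authentication-success-handler-ref the equivalent bean properties (defaultTargetUrl, alwaysUseDefaultTargetUrl) have to be set on the referenced bean; and a replayed request to /acct/app only helps if the DispatcherServlet has a mapping for it, which the WARN lines in the question say it does not. The Python below is an added example that models the branch order of that handler; it is not Spring's code, and the URLs are constructed. The behaviour of the poster's own postSuccessAuthHandler is assumed to be that of the commented-out bean.

```python
"""Model of SavedRequestAwareAuthenticationSuccessHandler's target choice
(added example, not Spring's code; branch order mirrors the 3.x class)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SuccessHandler:
    default_target_url: str = "/"
    always_use_default_target: bool = False
    target_url_parameter: Optional[str] = None   # request parameter naming an explicit target


def target_after_login(handler: SuccessHandler,
                       saved_request_url: Optional[str],
                       params: Optional[Dict[str, str]] = None) -> str:
    """Where the browser is sent after a successful form login.
    saved_request_url is the URL ExceptionTranslationFilter cached when it
    redirected the unauthenticated user to the login page (None if the user
    went to the login page directly)."""
    params = params or {}
    explicit = params.get(handler.target_url_parameter) if handler.target_url_parameter else None
    # The cached request wins unless the handler is told to always use the
    # default or the login request itself carries an explicit target.
    if saved_request_url is not None and not handler.always_use_default_target and not explicit:
        return saved_request_url
    if handler.always_use_default_target:
        return handler.default_target_url
    return explicit or handler.default_target_url


if __name__ == "__main__":
    posted = SuccessHandler(default_target_url="/index.html")   # as in the question's <form-login>
    # Constructed scenario from the question: user asked for /acct/app first.
    print(target_after_login(posted, "/acct/app"))               # the saved request is replayed
    print(target_after_login(posted, None))                      # straight to /login: default applies
    forced = SuccessHandler(default_target_url="/index.html", always_use_default_target=True)
    print(target_after_login(forced, "/acct/app"))               # default even with a saved request
```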