
  • "j_spring_security_check" not found after configuring spring security without http

    Hi there
    I’m trying to convert my Spring Security configuration from the HTTP namespace to a direct configuration using FilterChainProxy. Before the conversion, everything worked with the HTTP namespace. But after replacing the <http> element with several elements built around FilterChainProxy, I get a “j_spring_security_check not found” error when logging in to the system. I tried changing all or some occurrences of “/j_spring_security_check” to “/app/j_spring_security_check”, but still could not log in successfully.

    My environment:
    AppFuse 2.1 with Spring MVC, iBatis, Spring Security 3.0.7, tuckey urlrewrite 3.2.0, Spring 3.0.6
    Windows 7
    JDK 1.5.0_17
    Maven 2.2.1
    apache-tomcat-6.0.32

    Security.xml (before conversion, everything is OK.)
    -------------------------------------------------------------------------------------------

    <!-- Namespace configuration: auto-config="true" registers form login, HTTP Basic and logout
         handling, so the filter chain is assembled by the framework rather than by hand. -->
    <http auto-config="true" lowercase-comparisons="false">
    <!-- Static resources bypass the security filter chain entirely. -->
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/styles/**" filters="none"/>
    <intercept-url pattern="/scripts/**" filters="none"/>
    <!-- Rules are evaluated in order and the first match wins, so the specific /app/admin/**
         rule has to stay above the /app/** catch-all. -->
    <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
    <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
    <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
    <!-- login-processing-url is the URL the login form posts its credentials to. -->
    <form-login login-page="/login" authentication-failure-url="/login?error=true"
    login-processing-url="/j_spring_security_check"/>
    <!-- NOTE(review): the remember-me key is an input to the signature of the remember-me cookie.
         A value that ships with a project template or has been posted publicly should be replaced
         by a deployment-specific secret that is kept outside this file. -->
    <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
    </http>

    <!-- Authentication is delegated to the userDao bean as the user details service, and stored
         passwords are checked with the passwordEncoder bean. Both beans are defined outside this
         snippet. -->
    <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDao">
    <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
    </authentication-manager>


    Security.xml (after replacing http namespace, "j_spring_security_check" not found)
    -------------------------------------------------------------------------------------------
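    <!-- Hand-built replacement for the <http> element. FilterChainProxy applies the filters of the
         first filter-chain whose pattern matches the request path.
         NOTE(review): a request that matches none of the patterns is passed on with no security
         filters at all. Only /app/** receives the authentication filter here, so confirm which
         path the login POST (/j_spring_security_check) has when it reaches this proxy; if it is
         not under /app/**, no filter will process it.
         NOTE(review): this chain lists four filters. The logout, remember-me, anonymous and
         session-management filters that the <http> element had set up are not listed, so that
         behaviour is absent unless it is added back explicitly. -->
    <beans:bean id="springSecurityFilterChain"
                class="org.springframework.security.web.FilterChainProxy">
      <filter-chain-map path-type="ant">
        <filter-chain pattern="/images/**" filters="none"/>
        <filter-chain pattern="/styles/**" filters="none"/>
        <filter-chain pattern="/scripts/**" filters="none"/>
        <filter-chain pattern="/app/**" filters="
            securityContextPersistenceFilter,
            authenticationProcessingFilter,
            exceptionTranslationFilter,
            filterSecurityInterceptor"/>
      </filter-chain-map>
    </beans:bean>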

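    <!-- Loads the SecurityContext at the start of each request and stores it again once the
         request has been processed. -->
    <beans:bean id="securityContextPersistenceFilter"
                class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>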

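    <!-- Form-login filter: handles the POST to filterProcessesUrl, authenticates it through the
         authenticationManager and hands the outcome to the success or failure handler. It only
         runs for requests routed to a filter chain that lists it. -->
    <beans:bean id="authenticationProcessingFilter"
                class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
      <beans:property name="authenticationManager" ref="authenticationManager"/>
      <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
      <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
      <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
      <!-- A hand-declared filter does not inherit the session-fixation protection that the <http>
           element configures for form login. Setting the strategy explicitly makes the session id
           change on successful authentication. -->
      <beans:property name="sessionAuthenticationStrategy">
        <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
      </beans:property>
    </beans:bean>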

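    <!-- Sends the user to defaultTargetUrl after a successful login. -->
    <beans:bean id="authenticationSuccessHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
      <beans:property name="defaultTargetUrl" value="/mainMenu"/>
    </beans:bean>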

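    <!-- Sends the user to defaultFailureUrl after a failed login.
         NOTE(review): the namespace version used /login?error=true; /login.jsp carries no error
         indicator, so confirm the login page can still tell the user that the attempt failed. -->
    <beans:bean id="authenticationFailureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
      <beans:property name="defaultFailureUrl" value="/login.jsp"/>
    </beans:bean>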

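    <!-- Translates security exceptions raised further down the chain: a request without
         authentication is sent to the authenticationEntryPoint, and an authenticated user who is
         denied access is handed to the accessDeniedHandler. -->
    <beans:bean id="exceptionTranslationFilter"
                class="org.springframework.security.web.access.ExceptionTranslationFilter">
      <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
      <beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
    </beans:bean>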

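    <!-- Redirects unauthenticated users to the login form.
         NOTE(review): the namespace version used login-page="/login"; confirm that /login.jsp
         resolves to the same page once the URL rewrite rules have been applied. -->
    <beans:bean id="authenticationEntryPoint"
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
      <beans:property name="loginFormUrl" value="/login.jsp"/>
    </beans:bean>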

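    <!-- Shows errorPage to an authenticated user who lacks the authority a URL requires. -->
    <beans:bean id="accessDeniedHandler"
                class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
      <beans:property name="errorPage" value="/403.jsp"/>
    </beans:bean>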

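    <!-- Last filter in the chain: looks up the rule for the request URL and asks the
         accessDecisionManager whether the current Authentication may proceed. Rules are matched
         in order and the first match wins, so /app/admin/** must stay above /app/**.
         NOTE(review): ROLE_ANONYMOUS only matches when an anonymous Authentication is present.
         The filter chain declared for /app/** lists no anonymous authentication filter, so
         confirm the passwordHint and signup pages are still reachable before login. -->
    <beans:bean id="filterSecurityInterceptor"
                class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
      <beans:property name="authenticationManager" ref="authenticationManager"/>
      <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
      <beans:property name="securityMetadataSource">
        <filter-security-metadata-source>
          <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
          <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
          <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
          <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
        </filter-security-metadata-source>
      </beans:property>
    </beans:bean>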

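    <!-- Application-specific metadata source (class not shown). It is declared here but not yet
         referenced by filterSecurityInterceptor, which still uses the inline rules. -->
    <beans:bean id="myFilterInvocationSecurityMetadataSource"
                class="com.tangram.ebiz.webapp.authentication.MyFilterInvocationSecurityMetadataSource"/>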

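    <!-- AffirmativeBased grants access as soon as one voter votes to grant. RoleVoter evaluates
         attributes that start with rolePrefix; AuthenticatedVoter evaluates the
         IS_AUTHENTICATED_* attributes. -->
    <beans:bean id="accessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
      <beans:property name="decisionVoters">
        <beans:list>
          <beans:bean class="org.springframework.security.access.vote.RoleVoter">
            <beans:property name="rolePrefix" value="ROLE_"/>
          </beans:bean>
          <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
      </beans:property>
    </beans:bean>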

    <!-- Unchanged from the namespace version: userDao supplies the user details and the
         passwordEncoder bean checks the stored password. The alias is the bean name the
         hand-declared filters above refer to. -->
    <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDao">
    <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
    </authentication-manager>

    Login.jsp
    -------------------------------------------------------------------------------------------
    <%-- Login form. The action has to resolve to the URL the authentication filter listens on,
         and j_username / j_password are the parameter names that filter reads by default. --%>
    <form method="post" id="loginForm" action="<c:url value='/j_spring_security_check'/>" onsubmit="saveUsername(this);return validateForm(this)">

    <li>
    <label for="j_username" class="required desc"><fmt:message key="label.username"/> <span class="req">*</span></label>
    <input type="text" class="text medium" name="j_username" id="j_username" tabindex="1" />
    </li>
    <li>
    <label for="j_password" class="required desc"><fmt:message key="label.password"/> <span class="req">*</span></label>
    <input type="password" class="text medium" name="j_password" id="j_password" tabindex="2" />
    </li>

    </form>

    Urlrewrite.xml
    -------------------------------------------------------------------------------------------
    <!-- Rules are applied from top to bottom; last="true" stops rule processing once that rule
         has matched. -->
    <urlrewrite default-match-type="wildcard">

    <!-- Add rules here for anything that shouldn't be served up by Spring MVC. -->
    <rule>
    <from>/</from>
    <to type="redirect" last="true">mainMenu</to>
    </rule>

    <!-- A request that spells out the /app prefix is redirected to the prefix-free URL. -->
    <rule>
    <from>/app/**</from>
    <to last="true" type="redirect">%{context-path}/$1</to>
    </rule>

    <!-- The login-processing URL is passed through unchanged, so the catch-all rule below never
         moves it under /app/.
         NOTE(review): a security filter chain therefore has to match /j_spring_security_check
         itself; a chain that only matches /app/** may never see the login POST. -->
    <rule>
    <from>/j_spring_security_check**</from>
    <to last="true">/j_spring_security_check$1</to>
    </rule>

    <!-- Spring MVC -->
    <!-- Everything else is forwarded internally to the same path under /app/. -->
    <rule>
    <from>/**</from>
    <to>/app/$1</to>
    </rule>

    <!-- Strips the /app prefix from URLs written into responses. -->
    <outbound-rule>
    <from>/app/**</from>
    <to>/$1</to>
    </outbound-rule>

    </urlrewrite>
    Last edited by bwwlpnn; Oct 6th, 2011, 10:50 AM.

  • #2
    Why are you trying to avoid using the namespace? Perhaps there is a way you can still use it (it simplifies things a lot). The reason j_spring_security_check is not found is the spring config does not have the UsernamePasswordAuthenticationFilter. See this blog post to learn more about

    PS: I would avoid using URLRewriteFilter if possible. If you just want RESTful URLs, you can get them by mapping your servlet to the default servlet. You can search the forums for ways to avoid using UrlRewriteFilter.



    • #3
      I avoided using the namespace because my customers wanted me to define the secured URLs dynamically and manage roles in database(see http://static.springsource.org/sprin...c-url-metadata). After fixing the j_spring_security_check issue, I'll redefine securityMetadataSource to reference to myFilterInvocationSecurityMetadataSource and add attributes (roles) from database.

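      <!-- Planned replacement for the inline rules: the access rules come from the custom bean.
           NOTE(review): rules loaded from a database become part of the authorization policy, so
           write access to those tables needs the same protection as this configuration file. -->
      <beans:property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource"/>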

      I have defined UsernamePasswordAuthenticationFilter in security.xml.

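      <!-- Form-login filter: handles the POST to filterProcessesUrl, authenticates it through the
           authenticationManager and hands the outcome to the success or failure handler. Declaring
           the bean is not enough on its own; it only runs for requests routed to a filter chain
           that lists it. -->
      <beans:bean id="authenticationProcessingFilter"
                  class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
        <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
        <!-- A hand-declared filter does not inherit the session-fixation protection that the
             <http> element configures for form login. Setting the strategy explicitly makes the
             session id change on successful authentication. -->
        <beans:property name="sessionAuthenticationStrategy">
          <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
        </beans:property>
      </beans:bean>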

      I'll have a try to disable urlrewritefilter.



      • #4
        If you only want to deviate from the namespace a little bit this faq entry may help.



        • #5
          Originally posted by rwinch View Post
          Why are you trying to avoid using the namespace? Perhaps there is a way you can still use it (it simplifies things a lot). The reason j_spring_security_check is not found is the spring config does not have the UsernamePasswordAuthenticationFilter. See this blog post to learn more about
          Finally I fixed it myself.

          While debugging the doFilter() method of SecurityContextPersistenceFilter without Spring security namespace, I found that contextBeforeChainExecution and contextAfterChainExecution were null. But when debugging the program with namespace the value of both of them were something about Anonymous.

          I added “/j_spring_security_check” and “/login” with “IS_AUTHENTICATED_ANONYMOUSLY” access in securityMetadataSource as shown below and the problem was solved.

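          <!-- The login URLs are opened to anonymous users ahead of the role-protected rules; rules
               are matched in order and the first match wins.
               NOTE(review): IS_AUTHENTICATED_ANONYMOUSLY is evaluated by AuthenticatedVoter against
               the current Authentication. The filter chain posted earlier lists no anonymous
               authentication filter, so confirm these two rules behave as intended for a visitor
               who has not logged in yet. -->
          <beans:property name="securityMetadataSource">
            <filter-security-metadata-source>
              <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
              <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
              <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
              <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
              <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
              <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
            </filter-security-metadata-source>
          </beans:property>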

          Thank you, rwinch! The blog post really helped me a lot!



          • #6
            j_spring_security_check not found after adding pattern to http element

            Hi ,
            I am new to Spring Security. I am trying to use multiple http elements so that I can have different authentication managers for different URLs. I am using form authentication with a JSP page. The problem is that if I don't add a pattern to the http element, I can use more than one http element, but when I add a pattern, I get "j_spring_security_check not found". My spring-security.xml is as follows:

            <!-- NOTE(review): pattern="/admin/**" limits this whole filter chain, including the
                 form-login filter, to URLs under /admin/. The login-processing-url and the login
                 page below are outside that prefix, so a POST to /j_spring_security_check is not
                 handled by this chain; a processing URL under /admin/, with a matching form
                 action, would be. -->
            <security:http auto-config="true" use-expressions="true" authentication-manager-ref="superAdmin" pattern="/admin/**">
            <security:intercept-url pattern="/adminLogin*" access="isAnonymous()"/>
            <!-- NOTE(review): with use-expressions="true" the access attribute is parsed as an
                 expression, and IS_AUTHENTICATED_ANONYMOUSLY is not one. permitAll or
                 isAnonymous() is the expression form. -->
            <security:intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
            <security:form-login
            login-page="/adminLogin.jsp"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/loginFailed.html"
            authentication-success-handler-ref="myAuthSuccessHandler"
            always-use-default-target="true"/>
            </security:http>

            <!-- Authentication manager for the admin area, backed by the Admin table. The first
                 query reports every account as enabled (constant true) and the second assigns the
                 fixed authority ROLE_ADMIN_USER.
                 NOTE(review): the password-encoder line is commented out, so submitted passwords are
                 compared with the stored column as is, which means the table holds them in clear
                 text. Configure a salted, adaptive password hash instead. -->
            <security:authentication-manager id="superAdmin">
            <security:authentication-provider>
            <!-- <password-encoder hash="md5"/> -->
            <security:jdbc-user-service data-source-ref="dataSources"

            users-by-username-query="
            select username,password,true
            from Admin where username=?"

            authorities-by-username-query="
            select username,'ROLE_ADMIN_USER' from Admin where username=?" />
            </security:authentication-provider>
            </security:authentication-manager>



            Please help me
            The following is commented out for now, since it is not really necessary at this point.
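            <!-- Disabled by the poster: form-login variant for the organization admin area.
            <security:http use-expressions="true" authentication-manager-ref="organizationAdmin" pattern="/organizationAdmin/*">
            <security:intercept-url pattern="/organizationLogin*" access="isAnonymous()"/>
            <security:intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
            <security:form-login
            login-page="/orgAdminLogin.jsp"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/loginFailed.html"
            authentication-success-handler-ref="myAuthSuccessHandler"
            always-use-default-target="true"/>
            </security:http>
            <security:authentication-manager id="organizationAdmin">
            <security:authentication-provider>

            <security:jdbc-user-service data-source-ref="dataSources"

            users-by-username-query="
            select username,password,true
            from Admin where username=?"

            authorities-by-username-query="
            select username,'ROLE_ADMIN_USER' from Admin where username=?" />
            </security:authentication-provider>
            </security:authentication-manager>

            -->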





            <!-- HTTP Basic chain for the organization admin area, authenticated by orgAdmin.
                 NOTE(review): in Ant-style patterns a single * does not cross a path separator, so
                 /organizationAdmin/* covers one path segment only. A deeper URL such as
                 /organizationAdmin/a/b matches neither this chain nor its rule; use /** if the
                 whole subtree is meant to be protected.
                 NOTE(review): HTTP Basic sends the credentials with every request, so this area
                 should only be reachable over HTTPS. -->
            <security:http use-expressions="true" disable-url-rewriting="true" authentication-manager-ref="orgAdmin" pattern="/organizationAdmin/*">

            <security:intercept-url pattern="/organizationAdmin/*" access="hasRole('ROLE_ORG_USER')" />
            <security:http-basic />
            </security:http>

            <!-- Authentication manager for organization admins, backed by the OrganizationAdmin
                 table; every account is reported as enabled and receives ROLE_ORG_USER.
                 NOTE(review): hash="md5" is an unsalted, fast digest and is not suitable for
                 password storage; prefer a salted, adaptive password hash.
                 NOTE(review): password-encoder lacks the security: prefix its siblings use; confirm
                 it resolves under this file's namespace declarations. -->
            <security:authentication-manager id="orgAdmin">
            <security:authentication-provider>

            <password-encoder hash="md5"/>
            <security:jdbc-user-service data-source-ref="dataSources"

            users-by-username-query="
            select username,password,true
            from OrganizationAdmin where username=?"
            authorities-by-username-query="
            select username,'ROLE_ORG_USER' from OrganizationAdmin where username=?" />
            </security:authentication-provider>
            </security:authentication-manager>


            <!-- HTTP Basic chain for the admin area, authenticated by superAdmin.
                 NOTE(review): /admin/* covers a single path segment; deeper URLs under /admin/ are
                 outside this chain and its rule. It also overlaps the form-login http element
                 declared for /admin/** earlier in the post; if both are active, the one declared
                 first handles the request. -->
            <security:http use-expressions="true" disable-url-rewriting="true" authentication-manager-ref="superAdmin" pattern="/admin/*">

            <security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN_USER')" />
            <security:http-basic />
            </security:http>

            <!-- NOTE(review): an authentication manager with id superAdmin also appears earlier in
                 the post. Bean ids have to be unique within one file, so only one of the two
                 definitions can remain if both come from the same spring-security.xml.
                 NOTE(review): hash="md5" is an unsalted, fast digest and is not suitable for
                 password storage; prefer a salted, adaptive password hash. -->
            <security:authentication-manager id="superAdmin">
            <security:authentication-provider>
            <password-encoder hash="md5"/>
            <security:jdbc-user-service data-source-ref="dataSources"

            users-by-username-query="
            select username,password,true
            from Admin where username=?"

            authorities-by-username-query="
            select username,'ROLE_ADMIN_USER' from Admin where username=?" />
            </security:authentication-provider>
            </security:authentication-manager>


            <!-- Protects the single URL /rest/adminLogin with HTTP Basic; credentials are checked
                 by the orgAdmin manager and the caller needs ROLE_ORG_USER. -->
            <security:http use-expressions="true" disable-url-rewriting="true" authentication-manager-ref="orgAdmin" pattern="/rest/adminLogin">


            <security:intercept-url pattern="/rest/adminLogin" access="hasRole('ROLE_ORG_USER')" />
            <security:http-basic />
            </security:http>



            • #7
              sorry, I forgot to post web.xml
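              <!-- Deployment descriptor. A version 3.0 descriptor uses the javaee namespace; the
                   j2ee namespace belongs to the 2.4 schema and does not match web-app_3_0.xsd. -->
              <web-app id="WebApp_ID" version="3.0"
                       xmlns="http://java.sun.com/xml/ns/javaee"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                           http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

                <display-name>Spring Web MVC Application</display-name>

                <!-- Spring MVC only handles URLs under /rest/. -->
                <servlet>
                  <servlet-name>mvc-dispatcher</servlet-name>
                  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
                  <load-on-startup>1</load-on-startup>
                </servlet>

                <servlet-mapping>
                  <servlet-name>mvc-dispatcher</servlet-name>
                  <url-pattern>/rest/*</url-pattern>
                </servlet-mapping>

                <!-- The root application context loads the security configuration. -->
                <context-param>
                  <param-name>contextConfigLocation</param-name>
                  <param-value>
                    /WEB-INF/mvc-dispatcher-servlet.xml,
                    /WEB-INF/spring-security.xml
                  </param-value>
                </context-param>

                <listener>
                  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
                </listener>

                <!-- The filter name has to be springSecurityFilterChain so that DelegatingFilterProxy
                     finds the bean of that name. Mapping it to /* sends every request through
                     Spring Security; which http element then applies is decided by the pattern
                     attribute on each of them, and a URL that matches none gets no security
                     filters. -->
                <filter>
                  <filter-name>springSecurityFilterChain</filter-name>
                  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
                </filter>
                <filter-mapping>
                  <filter-name>springSecurityFilterChain</filter-name>
                  <url-pattern>/*</url-pattern>
                </filter-mapping>

              </web-app>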
