UserName becoming empty before searching in Spring security 3.1 : Please Help Page Title Module

  • UserName becoming empty before searching in Spring security 3.1 : Please Help

    Hello Friends,

    Merry Xmas.

    Few years ago I have developed and implemented Flex-Spring-Mybatis-Firebird application with
    old spring. Now I am developing a new project and decided to use Spring 3.1 release. I have copied
    config files from old application and tuned them to Spring 3.1. Since its a early stage of project
    I am trying to test security only on few jsp pages with inmemory authentication. The security config
    and the partial log is as below.

    When I try to login with any user name and password the Bad Credentials error is thrown. When I try to
    access secured pages it takes me to login page this functionality is as expected. I tried with debug log
    and noted that when user is being searched its getting empty string to verify against inmemory list.

    Can somebody help me in this situation ?

    Thanks and warm regards.

    Raja

    the security xml file

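    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Spring Security 3.1 namespace configuration: form login against an in-memory
      user list, a role hierarchy used for URL access decisions, and concurrent
      session control backed by a SessionRegistry bean.
    -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

        <!--
          security="none" takes a path out of the filter chain entirely: no
          SecurityContext is loaded and no access check runs for it. That is fine
          for static assets. /index.jsp is also the login page configured below, and
          /WEB-Plain/** exempts a whole directory, so keep only content that is
          meant to be public under these patterns.
        -->
        <security:http pattern="/index.jsp" security="none"/>
        <security:http pattern="/pngfix.htc" security="none"/>
        <security:http pattern="/Tej-EIS.css" security="none"/>
        <security:http pattern="/trans.gif" security="none"/>
        <security:http pattern="/images/**" security="none"/>
        <security:http pattern="/WEB-Plain/**" security="none"/>
        <security:http pattern="/TEJSYMB-3.png" security="none"/>

        <!-- Main filter chain: every remaining URL is decided by accessDecisionManagerRoleBased. -->
        <security:http access-decision-manager-ref="accessDecisionManagerRoleBased"
                       access-denied-page="/index.jsp?access_denied=1">

            <!--
              intercept-url patterns are matched in order and the first match wins.
              ROLE_ANONYMOUS leaves the message broker endpoint reachable without a login.
              NOTE(review): presumably access to individual destinations is enforced
              by the message broker itself; confirm before exposing this endpoint.
            -->
            <security:intercept-url pattern="/spring/messagebroker/**" access="ROLE_ANONYMOUS"/>

            <!--
              No user is granted ROLE_AUTHENTICATED directly; it is reached through the
              roleHierarchy bean (ROLE_USER > ROLE_AUTHENTICATED). The four specific
              patterns carry the same attribute as the /** catch-all that follows them.
            -->
            <security:intercept-url pattern="/WEB-Flex/**" access="ROLE_AUTHENTICATED"/>
            <security:intercept-url pattern="/utility/**" access="ROLE_AUTHENTICATED"/>
            <security:intercept-url pattern="/temp/**" access="ROLE_AUTHENTICATED"/>
            <security:intercept-url pattern="/reports/**" access="ROLE_AUTHENTICATED"/>
            <security:intercept-url pattern="/**" access="ROLE_AUTHENTICATED"/>

            <!-- The login form must POST j_username and j_password to /j_spring_security_check. -->
            <security:form-login login-page="/index.jsp?do_login=1"
                                 default-target-url="/index.jsp?login_success=1"
                                 authentication-failure-url="/index.jsp?login_error=1"/>

            <security:logout logout-success-url="/index.jsp?logged_out=1" invalidate-session="true"/>

            <!--
              migrateSession issues a new session id at login. With max-sessions="100"
              a user is refused only at the 101st concurrent login, so this setting does
              little to limit shared or stolen credentials; lower it if one session per
              user is the intent.
            -->
            <security:session-management invalid-session-url="/index.jsp?invalid_session=1"
                                         session-fixation-protection="migrateSession">
                <security:concurrency-control max-sessions="100"
                                              error-if-maximum-exceeded="true"
                                              expired-url="/index.jsp?session_expired=1"
                                              session-registry-ref="sessionRegistry"/>
            </security:session-management>

        </security:http>

        <bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl"/>

        <alias name="roleHierarchyVoter" alias="customAccessVoter"/>
        <alias name="inMemoryuserDetailsService" alias="customUserDetailsService"/>

        <!--
          Test accounts only: passwords are stored and compared as plain text and
          every account uses the same password. Replace this user-service with a real
          user store and a salted hash encoder before the application leaves the
          test stage.
        -->
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider>
                <security:password-encoder hash="plaintext"/>
                <security:user-service id="inMemoryuserDetailsService">
                    <security:user name="owner" password="test" authorities="ROLE_OWNER" disabled="false"/>
                    <security:user name="ceo" password="test" authorities="ROLE_CEO" disabled="false"/>
                    <security:user name="srmgr" password="test" authorities="ROLE_SR_MGR" disabled="false"/>
                    <security:user name="mgr" password="test" authorities="ROLE_MGR" disabled="false"/>
                    <security:user name="opr" password="test" authorities="ROLE_OPR" disabled="false"/>
                    <security:user name="user" password="test" authorities="ROLE_USER" disabled="false"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>

        <!-- Each line reads "higher role > role it includes"; the chain ends at ROLE_ANONYMOUS. -->
        <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
            <property name="hierarchy">
                <value>
                    ROLE_OWNER > ROLE_CEO
                    ROLE_CEO > ROLE_SR_MGR
                    ROLE_SR_MGR > ROLE_MGR
                    ROLE_MGR > ROLE_OPR
                    ROLE_OPR > ROLE_USER
                    ROLE_USER > ROLE_AUTHENTICATED
                    ROLE_AUTHENTICATED > ROLE_ANONYMOUS
                </value>
            </property>
        </bean>

        <bean id="roleHierarchyVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
            <constructor-arg ref="roleHierarchy"/>
        </bean>

        <!--
          allowIfAllAbstainDecisions="true" grants access when every voter abstains,
          for example on an intercept-url whose attribute does not start with ROLE_.
          Set it to false to deny by default.
        -->
        <bean id="accessDecisionManagerRoleBased"
              class="org.springframework.security.access.vote.UnanimousBased">
            <constructor-arg name="decisionVoters">
                <list>
                    <ref bean="roleHierarchyVoter"/>
                </list>
            </constructor-arg>
            <property name="allowIfAllAbstainDecisions" value="true"/>
        </bean>

        <!--
          Not referenced by any security:http element in this file. customAccessVoter
          is an alias of roleHierarchyVoter, so this bean currently duplicates
          accessDecisionManagerRoleBased, including the allow-on-abstain setting.
        -->
        <bean id="accessDecisionManagerCustom"
              class="org.springframework.security.access.vote.UnanimousBased">
            <constructor-arg name="decisionVoters">
                <list>
                    <ref bean="customAccessVoter"/>
                </list>
            </constructor-arg>
            <property name="allowIfAllAbstainDecisions" value="true"/>
        </bean>

        <!-- Writes authentication events (successes and failures) to the application log. -->
        <bean id="authLoggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

    </beans>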

    The Partial log

    09:55:39 355 DEBUG /j_spring_security_check at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
    09:55:39 355 DEBUG /j_spring_security_check at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    09:55:39 355 DEBUG HttpSession returned null object for SPRING_SECURITY_CONTEXT
    09:55:39 355 DEBUG No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@478dabf1. A new one will be created.
    09:55:39 358 DEBUG /j_spring_security_check at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'


    09:55:39 358 DEBUG /j_spring_security_check at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    09:55:39 359 DEBUG Request is to process authentication
    09:55:39 359 DEBUG Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    09:55:39 360 DEBUG User '' not found
    09:55:39 360 WARN Authentication event AuthenticationFailureBadCredentialsEvent: ; details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: D79E6639229F0FA1CDB8F4A1F8D6E101; exception: Bad credentials
    09:55:39 361 DEBUG Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials


    09:55:39 361 DEBUG Updated SecurityContextHolder to contain null Authentication
    09:55:39 361 DEBUG Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@2f1aa58b
    09:55:39 362 DEBUG Redirecting to /index.jsp?login_error=1
    09:55:39 363 DEBUG Redirecting to '/Tej-EIS-31/index.jsp?login_error=1'
    09:55:39 363 DEBUG SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

    Last edited by raja_s_patil; Dec 26th, 2011, 02:05 AM.

  • #2
    Can you also post the HTTP call that you are making? Perhaps your j_username setting is not correct?



    • #3
      Thanks swang30,

      Surely, part of index.jsp related to login form is as below. However before posting I changed form method to "get" and the URL in browser was showing proper j_username and j_password parameters.

      The loginform

      <%-- Login form for Spring Security form login: it submits j_username, j_password and
           _spring_security_remember_me to /j_spring_security_check. --%>
      <div id="wb_LoginForm" style="position:absolute;left:291px;top:218px;widt h:291px;height:129px;z-index:22;">
      <%-- NOTE(review): enctype="text/plain" sends the fields as plain name=value lines rather than
           URL-encoded pairs. The body is then not parsed into request parameters, so j_username
           reaches the authentication filter empty (the log line "User '' not found"). --%>
      <form name="LoginForm" method="post" action="<c:url value='/j_spring_security_check'/>" enctype="text/plain" id="LoginForm">
      <div id="wb_LoginText6" style="position:absolute;left:5px;top:11px;width:1 06px;height:18px;z-index:10;">
      <div style="position:absolute;left:0px;top:0px;width:10 6px;height:17px;"><span style="color:#0066FF;font-family:Tahoma;font-size:15px;"><strong>User Name</strong></span></div>
      </div>
      <div id="wb_LoginText5" style="position:absolute;left:5px;top:42px;width:1 06px;height:18px;z-index:11;">
      <div style="position:absolute;left:0px;top:0px;width:10 6px;height:17px;"><span style="color:#0066FF;font-family:Tahoma;font-size:15px;"><strong>Password</strong></span></div>
      </div>
      <div id="wb_LoginText7" style="position:absolute;left:10px;top:70px;width: 255px;height:14px;text-align:right;z-index:12;">
      <div style="position:absolute;left:0px;top:0px;width:25 5px;height:14px;"><span style="color:#0066FF;font-family:Tahoma;font-size:12px;"><strong>Remember Me (15 Days)</strong></span></div>
      </div>
      <%-- After a failed login the last username is shown again; c:out escapes it, so markup typed
           into the field is not rendered. NOTE(review): the blank between <c:if> and <c:out> would
           be emitted as a leading space in the value; confirm it is not an artefact of the paste. --%>
      <input type="text" id="UserNameEditbox" style="position:absolute;left:114px;top:8px;width: 168px;height:20px;line-height:20px;z-index:13;" name="j_username" value="<c:if test='${not empty param.login_error}'> <c:out value='${SPRING_SECURITY_LAST_USERNAME}'/></c:if>" tabindex="1" title="User Name">
      <%-- The password field is always rendered empty; the submitted password is never echoed back. --%>
      <input type="password" id="PasswordEditbox" style="position:absolute;left:114px;top:39px;width :168px;height:19px;line-height:19px;z-index:14;" name="j_password" value="" tabindex="2" title="Password">
      <%-- NOTE(review): the security XML posted with this form has no remember-me element, so this
           checkbox presumably has no effect yet; confirm once remember-me is configured. --%>
      <input type="checkbox" id="RememberMeCheckbox" name="_spring_security_remember_me" value="" style="position:absolute;left:268px;top:69px;z-index:15;" tabindex="3" title="Remember Me">
      <input type="submit" id="LoginButton" name="submit" value="Log In" class="buttons" style="position:absolute;left:114px;top:95px;width :77px;height:25px;z-index:16;" tabindex="4" title="Login Button">
      <input type="reset" id="ResetButton" name="reset" value="Reset" class="buttons" style="position:absolute;left:207px;top:95px;width :77px;height:25px;z-index:17;" tabindex="5" title="Reset Button">
      </form>
      </div>



      • #4
        /j_spring_security_check expects a POST, is there any reason you need it to be a GET? Also, I meant the actual HTTP request, say through TCP mon or something similar...



        • #5
          Thanks swang30,

          Originally posted by swang30 View Post
          /j_spring_security_check expects a POST, is there any reason you need it to be a GET? Also, I meant the actual HTTP request, say through TCP mon or something similar...
          well Since I was not able to use tcp mon in STS at that time. so as quick & dirty solution to check whether browser sends j_username & j_password parameters correctly, temporarily i changed form method to "get" and saw the url and immediately changed back to "post".
          if you check part of jsp above the form method is "post" only.

          Today I read about how to configure TCP/IP monitor in eclipse and got that working. The authentication request posts j_username=ceo j_password=test and "Log In" as parameters to /j_security_check so browser is at no fault. But the debug log above shows that "user '' not found" its expected as user 'ceo' not found and this is the exact problem area.

          BTW can there be any mismatch in dependency jars ? here is list of files in lib folder.

          apache-log4j-extras-1.1.jar
          avalon-framework-4.1.3.jar
          backport-util-concurrent-3.1.jar
          cfgatewayadapter.jar
          cglib-nodep-2.2.2.jar
          commons-beanutils-1.8.3.jar
          commons-beanutils-bean-collections-1.8.3.jar
          commons-beanutils-core-1.8.3.jar
          commons-codec-1.6.jar
          commons-collections-3.2.1.jar
          commons-dbcp-1.4.jar
          commons-digester-1.7.jar
          commons-io-2.1.jar
          commons-lang-2.6.jar
          commons-logging-1.1.1.jar
          commons-logging-adapters-1.1.1.jar
          commons-logging-api-1.1.1.jar
          commons-math-2.2.jar
          commons-pool-1.5.6.jar
          com.springsource.org.antlr-3.1.3.jar
          com.springsource.org.aopalliance-1.0.0.jar
          concurrent-1.3.4.jar
          dom4j-1.6.1.jar
          dozer-5.3.2.jar
          ehcache-core-2.0.0.jar
          flex-messaging-common.jar
          flex-messaging-core.jar
          flex-messaging-opt.jar
          flex-messaging-proxy.jar
          flex-messaging-remoting.jar
          flex-rds-server.jar
          httpclient-4.1.jar
          httpclient-cache-4.1.jar
          httpcore-4.1.jar
          httpmime-4.1.jar
          iText-2.1.7.jar
          jackson-core-asl-1.9.2.jar
          jars.txt
          jasperreports-4.5.0.jar
          jasperreports-applet-4.5.0.jar
          jasperreports-fonts-4.5.0.jar
          jasperreports-javaflow-4.5.0.jar
          jaybird-full-2.1.6.jar
          jaybird-pool-2.1.6.jar
          joda-time-2.0.jar
          jstl-1.2.jar
          log4j-1.2.16.jar
          logkit-1.0.1.jar
          mybatis-3.0.6.jar
          mybatis-ehcache-1.0.0.jar
          mybatis-oscache-1.0.0.jar
          mybatis-spring-1.0.2.jar

          all jars from springframework 3.1.0 dist folder

          oscache-2.4.jar
          poi-3.7-20101029.jar
          rspUtils-17-Dec-2011.jar
          slf4j-api-1.6.4.jar
          slf4j-jcl-1.6.4.jar
          slf4j-jdk14-1.6.4.jar
          slf4j-log4j12-1.6.4.jar
          spring-flex-core-1.5.2.RELEASE.jar

          All jars from spring security 3.1.0 dist folder

          standard-1.1.2.jar
          xalan-2.7.1.jar



          • #6
            Thanks swang30 for shifting my focus from xml to jsp,

            I have resolved the problem and authentication is running fine.

            The culprit was index.jsp form declaration.

            <form name="LoginForm" method="post" action="<c:url value='/j_spring_security_check'/>" enctype="text/plain" id="LoginForm">

            the attribute enctype="text/plain" was causing the POST request to be sent with each parameter on a separate line, like
            j_username=ceo
            j_password=test
            submit=Submit Query

            rather than the URL-encoded form which Spring Security expected:
            ....?j_username=ceo&j_password=test&submit=Submit+Query

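            I removed enctype="text/plain" from the form definition and Spring Security started processing the login request as desired. With the default application/x-www-form-urlencoded encoding the container can parse j_username and j_password as request parameters, which it does not do for a text/plain body.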

            Your suggestion to use TCP mon helped me this regard, Thanks a lot for that suggestion. It a good addition to my knowledge about debugging HTTP request/response communication. It will very useful in future application developments.

            Thanks and warm regards

            Raja

