Announcement Announcement Module
Collapse
No announcement yet.
Stays on same url after (successful?) login Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Stays on same url after (successful?) login

    Hi,
    I am trying to integrate Spring Security 3 with JSF2.0 (Apache Myfaces) to direct users to a login page when they attempt to access a page that requires authentication.

    My applicationContext.xml looks like:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:security="http://www.springframework.org/schema/security"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    
    	<security:http auto-config="true" access-denied-page="/index.jsf">
    		<security:intercept-url pattern="/authenticated/**" access="ROLE_BLAH_USER" />	
    		<security:intercept-url pattern="/admin/**" access="ROLE_BLAH_ADMIN" />
    		<security:form-login login-page="/login.html" default-target-url="/authenticated/hello.html"/>
    		<security:logout logout-success-url="/index.jsf" />
    	</security:http>
    
    	<security:authentication-manager>
    		<security:authentication-provider user-service-ref="userDetailsService"/>
    	</security:authentication-manager>
    
      <bean id="userDetailsService" class="com.blah.security.spring.UserDetailsServiceImpl" />
    
    </beans>
    And the "login.html" looks like this:

    HTML Code:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Blah title</title>
    </head>
    <body>
    	<form action="j_spring_security_check" method="post">
    		<label for="j_username">User name</label>
    		<input type="text" name="j_username" id="j_username"/>
    		<br/>
    		<label for="j_password">Password</label>
    		<input type="password" name="j_password" id="j_password"/>
    		<br/>
    		<input type='checkbox' name='_spring_security_remember_me'/> Remember me on this computer.
    		<br/>
    		<input type="submit" value="Login"/>
    	</form>
    </body>
    </html>
    The "login.html" page correctly displays when a user attempts to view any page under the "/authenticated" directory of the webapp.
    But after (I think, successful) login, I do not get redirected to the "default-target-url". It just stays on the same page (i.e. login.html). And I do not get any message saying "Bad Credentials" or anything when I login with an incorrect username and password.

    I also do not get anything in my log that tells me that anything is wrong.

    Can some one help me please?

    Many thanks,
    Glen

  • #2
    You do not allow anonymous access to the login page. I'm not sure why the login page renders (since you should not have access to it), but if your springSecurityFilterChain is not the first filter-mapping that might explain why.

    Comment


    • #3
      Originally posted by rwinch View Post
      You do not allow anonymous access to the login page. I'm not sure why the login page renders (since you should not have access to it), but if your springSecurityFilterChain is not the first filter-mapping that might explain why.
      Hi, thank you for your response. But I don't understand why I would need anonymous access to the login page.
      Would you mind explaining a bit more?
      The "springSecurityFilterChain" has been moved to the first filter in the web.xml, but I still get the same problem.

      Thanks again,
      Glen

      Comment


      • #4
        You need anonymous access because you need to be able to view the login page prior to being authenticated. What does the URL display after you have logged in and are still seeing the login page? If you navigate to another location in your application that is secured do you see that page or does it send you to the login page again?

        Comment


        • #5
          Originally posted by rwinch View Post
          You need anonymous access because you need to be able to view the login page prior to being authenticated. What does the URL display after you have logged in and are still seeing the login page? If you navigate to another location in your application that is secured do you see that page or does it send you to the login page again?
          Hello rwinch,
          Sorry for the late reply again. I was trying to get it to work for a while, and then was onto something else for a bit.
          Thank you for your replies and your help. I really appreciate it.

          I managed to get it to work in the end with JSF, following this article:
          Spring security Integration - JSF Log in

          Basically I do all the necessary login initialisation required in JSF, before forwarding the original request to the Spring "j_spring_security_check" servlet.

          Thanks again for all the help.

          Glen

          Comment

          Working...
          X