BadCredentialsException after migrating to Spring Security 3.1

  • BadCredentialsException after migrating to Spring Security 3.1

    I have recently upgraded to spring-security-xxx-3.1.0 from 3.0.5.
    In 3.0.5, I was using the filters=none tag in the intercept-url tag for unprotecting URLs.
    Since it is not available now in 3.1, I had to modify my security config XML to look as below:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    	
    	<http pattern="/index.action*" security="none"> </http>
    	<http pattern="/index.jsp" security="none"> </http>
    	<http pattern="/jsp/login.jsp" security="none"> </http>
    	<http pattern="/css/*" security="none"> </http>
    	<http pattern="/js/*" security="none"> </http>
    	<http pattern="/forgotPassword.action*" security="none"> </http>
    	<http pattern="/registerUser.action" security="none"> </http>
    
    	<http auto-config='true' use-expressions="true"  >
    		<intercept-url pattern="/*.action" access="isAuthenticated()" />
    		
    		<form-login login-page="/jsp/login.jsp" authentication-failure-url="/jsp/login.jsp?login_error=1" 
    		authentication-success-handler-ref="xyzLoginSuccessHandler"  />
    		<logout logout-success-url="/jsp/login.jsp"  />
    	</http>
     	
    	<authentication-manager>
    		<authentication-provider user-service-ref="xyzUserDetailsService" />
    	</authentication-manager>
    
    </beans:beans>
    At app startup, the login page shows up. The user enters details. Login is successful. home.action is displayed.
    I try browsing in the application, trying any other secured xyz.action. The application logs out automatically, with login page being shown.

    The error stack trace I get from Spring is as below:
    Code:
    [24/03/12 12:52:54] DEBUG Authentication failed: no credentials provided
    [24/03/12 12:52:54] DEBUG Authentication failed: no credentials provided
    [24/03/12 12:52:54] DEBUG Authentication exception occurred; redirecting to authentication entry point
    org.springframework.security.authentication.BadCredentialsException: Bad credentials
    	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:58)
    	at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:149)
    	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:304)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:201)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    [24/03/12 12:52:54] DEBUG DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/company/xyz.action]
    [24/03/12 12:52:54] DEBUG Calling Authentication entry point.
    [24/03/12 12:52:54] DEBUG Redirecting to 'http://localhost:8080/company/jsp/login.jsp'
    [24/03/12 12:52:54] DEBUG SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    Any pointers as to what I am doing wrong?
    Not much help available on the web for 3.1. I am thinking of going back to 3.0.5.

    Regards,
    Darshan Shroff
    http://in.linkedin.com/in/darshanshroff

  • #2
    Hello Darshan.

    I reviewed your post at your request to see if it was related to another post I made a while ago. I am sorry, but this is not the same problem that I had. I am not an expert at this, but my understanding is that filters="none" should be replaced by access="IS_AUTHENTICATED_ANONYMOUSLY". I may even be wrong, but you might consider giving it a try.
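
The suggestion in reply #2, written out in Spring Security 3.1 namespace syntax as an added example (not code from either poster): because the posted `<http>` block sets use-expressions="true", anonymous access is expressed as `permitAll` rather than IS_AUTHENTICATED_ANONYMOUSLY. URL patterns and bean names are copied from post #1; the thread does not establish whether this layout resolves the BadCredentialsException.

```xml
<!-- Added example; patterns and bean names are taken from post #1. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
	                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

	<!-- security="none": requests matching these patterns skip the filter
	     chain entirely, so no SecurityContext is loaded for them.
	     Suitable for static resources only. -->
	<http pattern="/css/*" security="none" />
	<http pattern="/js/*" security="none" />

	<http auto-config="true" use-expressions="true">
		<!-- intercept-url rules are checked top to bottom and the first
		     match wins, so the public pages are listed before the
		     /*.action rule that would otherwise also match them. -->
		<intercept-url pattern="/index.jsp" access="permitAll" />
		<intercept-url pattern="/jsp/login.jsp" access="permitAll" />
		<intercept-url pattern="/index.action*" access="permitAll" />
		<intercept-url pattern="/forgotPassword.action*" access="permitAll" />
		<intercept-url pattern="/registerUser.action" access="permitAll" />
		<intercept-url pattern="/*.action" access="isAuthenticated()" />

		<form-login login-page="/jsp/login.jsp"
			authentication-failure-url="/jsp/login.jsp?login_error=1"
			authentication-success-handler-ref="xyzLoginSuccessHandler" />
		<logout logout-success-url="/jsp/login.jsp" />
	</http>

	<authentication-manager>
		<authentication-provider user-service-ref="xyzUserDetailsService" />
	</authentication-manager>

</beans:beans>
```

With `permitAll` the public pages still pass through the security filters, so the logged-in user's SecurityContext is available on them, which is not the case for a `security="none"` chain.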
