Spring 2 Security on Glassfish 3 Shows Basic Auth after form Auth

  • Spring 2 Security on Glassfish 3 Shows Basic Auth after form Auth

    We are trying to upgrade our existing Spring 2.5 based application to Glassfish 3.1.2.2.

    This application is working fine on Glassfish 2.1 with Spring 2 security. We are using our custom authentication setup for this.

    The application deploys fine on GF3. When we try to log in to the application, our custom form-based authentication page is displayed. Once credentials are provided, we get the basic auth popup that is using the file realm of the GF3 server.

    We have already tried these options and they did not work:

    This Stack Overflow thread, with no answer


    Upgrading the Spring version to the last best version, 2.5.6.SEC03 - this still shows the same issue


    Upgrading to Spring 3 is not an option for us since we are stuck with some third party vendor libraries that have compile time dependency on Spring 2.

    We already have support from Oracle and they have turned out to be useless (as always, their support is disappointing).

    Are you aware of any workarounds for this situation?

    Below is the security config code we have in web.xml




    Code:
    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>app</web-resource-name>
        <url-pattern>/app/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
    </security-constraint>


    Here is the beans.xml content

    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        	http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    
    	<http
    		access-decision-manager-ref="accessDecisionManager" auto-config="false" realm="SPRING"
    		session-fixation-protection="none"
    		servlet-api-provision="true"
    		entry-point-ref="authEntryPoint"
    		>
    		<intercept-url pattern="/Login*" filters="none"/>
    		<intercept-url pattern="/styles.css" filters="none"/>
    		<intercept-url pattern="/images/**" filters="none"/>
    		<intercept-url pattern="/**.js" filters="none"/>		
    		<intercept-url pattern="/**.html" access="users"/>
    		<intercept-url pattern="/**.htmlx" access="users"/>
    
    	</http>
    
    	<authentication-manager alias="authenticationManager"/>
    	<!--  Override of default auth processing filter, to allow custom actions on login
    		that have access to servlet stuff. This allows access to Tapestry-specifics, for
    		doing things like creating the custom visit ASO. -->
    	<beans:bean id="customAuthFilter" class="com.mycomp.core.security.TapestryIntegrationFilter">
    		<custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
    		<beans:property name="defaultTargetUrl" value="/Home.html"/>
    		<beans:property name="filterProcessesUrl" value="/j_security_check"/>
    		<beans:property name="authenticationFailureUrl" value="/Login.html"/>
    		<beans:property name="authenticationManager" ref="authenticationManager"/>
    	</beans:bean>
    	<!-- When using a custom auth filter, you need a custom auth entry point, because you
    		can't configure this using the "form-login" element under the "http" element. -->
    	<beans:bean id="authEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<beans:property name="loginFormUrl" value="/Login.html"/>
    	</beans:bean>
    
    	<!-- This, unfortunately, has to be defined to allow us to remove the "ROLE_" prefix from
    		rolenames, by defining a roleVoter with an empty prefix. To wire in the voter, you
    		have to define the access decision manager. -->
    	<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    		<beans:property name="decisionVoters">
    			<beans:list>
    				<beans:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
    					<beans:property name="rolePrefix" value=""/>
    				</beans:bean>
    				<beans:bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter"/>
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    
    	<!-- PIMA-specific authorization provider. It gets plugged into the framework by using the
    		custom-authentication-provider element. -->
    	<beans:bean id="pscAuthenticationProvider" class="com.myapp.core.security.CustomAuthenticationProvider">
    		<beans:property name="customUserDao" ref="customUserDao"/>
    		<beans:property name="passwordUtility" ref="passwordUtility"/>
    		<beans:property name="transactionManager" ref="transactionManager"/>
    		<custom-authentication-provider/>
    	</beans:bean>
    
    	<beans:bean id="passwordUtility" class="com.myapp.core.security.PasswordUtility">
    		<!-- Comment/uncomment to toggle password encoding off/on -->
    		<beans:property name="saltSource">
    			<beans:bean class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
    				<beans:property name="systemWideSalt" value="somegoodsalt"/>
    			</beans:bean>
    		</beans:property>
    		<beans:property name="passwordEncoder">
    			<beans:bean class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
    		</beans:property>
    		<!--		-->
    	</beans:bean>
    
    	<beans:bean id="securityService" class="com.scea.core.security.SecurityService">
    		<beans:property name="passwordUtility" ref="passwordUtility"/>
    	</beans:bean>
    
    </beans:beans>
    Last edited by kzvikzvi1; Sep 11th, 2012, 12:58 PM. Reason: typo fixed
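
A diagnostic aid for the symptom described in this post, added here and not part of the original post or of Spring Security or GlassFish: it parses the two descriptors and lists every place where the servlet container, rather than the Spring filter chain, may be involved in authentication, plus the disabled session-fixation protection. It does not establish the cause of the popup. The inline XML is constructed sample input trimmed from the posted fragments, and `audit`, `local` and the finding labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, trimmed from the web.xml fragment posted above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample input, trimmed from the beans.xml fragment posted above.
BEANS_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http session-fixation-protection="none" entry-point-ref="authEntryPoint"/>
  <beans:bean id="customAuthFilter" class="com.mycomp.core.security.TapestryIntegrationFilter">
    <beans:property name="filterProcessesUrl" value="/j_security_check"/>
  </beans:bean>
</beans:beans>"""

BEANS_NS = "{http://www.springframework.org/schema/beans}"
SEC_NS = "{http://www.springframework.org/schema/security}"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

def audit(web_xml, beans_xml):
    """Return a list of findings (tuples) for the two descriptors."""
    findings = []
    web = ET.fromstring(web_xml)
    for sc in (e for e in web.iter() if local(e.tag) == "security-constraint"):
        patterns = [p.text.strip() for p in sc.iter() if local(p.tag) == "url-pattern"]
        has_auth = any(local(c.tag) == "auth-constraint" for c in sc)
        # Container-managed constraint; without auth-constraint it requires no login.
        findings.append(("container-constraint", patterns, has_auth))
    if not any(local(e.tag) == "login-config" for e in web.iter()):
        findings.append(("no-login-config",))  # no auth method declared in web.xml
    beans = ET.fromstring(beans_xml)
    for prop in beans.iter(BEANS_NS + "property"):
        # j_security_check is the action the Servlet spec reserves for container form login.
        if prop.get("name") == "filterProcessesUrl" and prop.get("value", "").endswith("/j_security_check"):
            findings.append(("reserved-login-url", prop.get("value")))
    for http in beans.iter(SEC_NS + "http"):
        if http.get("session-fixation-protection") == "none":
            findings.append(("session-fixation-protection-off",))
    return findings

if __name__ == "__main__": print(*audit(WEB_XML, BEANS_XML), sep="\n")
```

Each finding is a point to check against the container's behaviour on the new server version, not a confirmed diagnosis.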