
  • Spring security not intercepting request

    I'm trying to do a basic Spring Security D/B authentication program. I tried this in two ways, i.e.:

    Method 1: Using custom tables for Spring Security authentication.
    Method 2: Using Spring Security specific database tables for user authentication and authorization.

    File Locations:
    1. index.jsp -> webapp/index.jsp
    2. welcome.jsp -> webapp/pages/welcome.jsp
    3. login.jsp -> webapp/pages/login.jsp

    For method 1, Spring Security was not intercepting the request and I didn't see errors in the console. Instead of intercepting the request, I was taken directly to welcome.jsp.

    P.S. - Since I was not trying authorization, I didn't use the 'authorities-by-username-query' attribute below in the security context XML. I'm not sure if it's mandatory to create a table for authorization as well.

    Below is my security-context.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jee="http://www.springframework.org/schema/jee"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd
          http://www.springframework.org/schema/tx 
          http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
    
    <security:http auto-config="true">
        <security:intercept-url pattern="/welcome.html" />
        <security:form-login login-page="/login.html"
            default-target-url="/welcome.html" authentication-failure-url="/loginfailed.html" />
        <security:logout logout-success-url="/logout.html" />
    </security:http>
    
    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
             users-by-username-query="select FIRST_NAME,LAST_NAME,PASSWORD from USER_AUTHENTICATION where FIRST_NAME=?" />
        </security:authentication-provider>
    </security:authentication-manager>
    </beans>

    web.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        id="WebApp_ID" version="2.5">
     <display-name>SpringPOC</display-name>
     <servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>*.html</url-pattern>
    </servlet-mapping>
    <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
            /WEB-INF/applicationContextDirect.xml
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    </web-app>

    BaseController

    Code:
    //@RequestMapping(value="/login", method = RequestMethod.GET)
    @RequestMapping("/login")
    public ModelAndView login(Model model) {
        //System.out.println("Inside /login...");
        return new ModelAndView("login");
    }
    /*public String login(ModelMap model) {
    
        System.out.println("Inside /login...");
        return "login";
    
    }*/
    
    @RequestMapping(value="/loginfailed", method = RequestMethod.GET)
    public String loginerror(ModelMap model) {
    
        model.addAttribute("error", "true");
        return "login";
    
    }
    
    @RequestMapping(value="/logout", method = RequestMethod.GET)
    public String logout(ModelMap model) {
    
        return "login";
    
    }

    login.jsp

    Code:
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <html>
    <head>
    <title>Login Page</title>
    <style>
    .errorblock {
        color: #ff0000;
        background-color: #ffEEEE;
        border: 3px solid #ff0000;
        padding: 8px;
        margin: 16px;
    }
    </style>
    </head>
    <body onload='document.f.j_username.focus();'>
        <h3>Login with Username and Password (Authentication with Database)</h3>
    
        <c:if test="${not empty error}">
            <div class="errorblock">
                Your login attempt was not successful, try again.<br /> Caused :
                ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
            </div>
        </c:if>
    
        <form name='f' action="<c:url value='j_spring_security_check' />"
            method='POST'>
    
            <table>
                <tr>
                    <td>User:</td>
                    <td><input type='text' name='j_username' value=''>
                    </td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type='password' name='j_password' />
                    </td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit"
                        value="submit" />
                    </td>
                </tr>
                <tr>
                    <td colspan='2'><input name="reset" type="reset" />
                    </td>
                </tr>
            </table>
    
        </form>
    </body>
    </html>

    index.jsp

    Code:
    <body>
        <div id="content">
       <h1>Home Page</h1>
       <p>
       Anyone can view this page.
       </p>
       <p><a href="welcome.html">Login page</a></p>
       </div>
       </body>

    For method 2, I created Spring-specific database tables named “USERS” and “AUTHORITIES” after following the link http://www.raistudies.com/spring-sec...ysql-database/. Here the SQL query is not used in the XML, as shown below.

    Everything remains the same except for security-context.xml.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:jee="http://www.springframework.org/schema/jee"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd
          http://www.springframework.org/schema/tx 
          http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
    
    <security:http realm="Project Realm" auto-config="true">
        <security:intercept-url pattern="/welcome.html" access="ROLE_USER"/>
        <security:form-login login-page="/login.html"
            default-target-url="/welcome.html" authentication-failure-url="/loginfailed.html" />
        <security:logout logout-success-url="/logout.html" />   
    </security:http>
    
    <security:authentication-manager>
        <security:authentication-provider>
        <security:password-encoder hash="md5"/>
        <security:jdbc-user-service data-source-ref="dataSource"/>
        </security:authentication-provider>
    </security:authentication-manager>
    </beans>

    When I tried the above way, even though I entered the correct user name & password, I was getting a 'bad credentials' message (but yes, in this case Spring Security is intercepting the request). I'm using an Oracle database.

    I enabled Spring debug logging to find the root cause of the errors in both methods. I couldn't figure out or understand what exactly is wrong from the logs, so I compared the logs I got after trying both methods. For method 1, Spring Security was not intercepting the request, and for method 2 I was able to login (Spring Security was at least intercepting the request) but I was getting a 'Bad credential' message even after entering the correct username & password.

    I've attached the full debug logs I got for both methods. You can see that the debug statements of the FilterSecurityInterceptor class differ. Please let me know what I need to do in both cases to get it working. Thanks in advance.
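
The two symptoms described above map onto the `access` attribute of `intercept-url` and the column order of the JDBC queries. The following is an added example, not part of the original post, showing the method 1 security section with both filled in; the constant `1` for the enabled flag and the fixed `'ROLE_USER'` authority are assumptions, since the post shows no such columns in USER_AUTHENTICATION.

```xml
<!-- Added example: security section of security-context.xml (method 1).
     Goes inside the existing <beans> element with the same namespaces. -->

<security:http auto-config="true">
    <!-- Before: <security:intercept-url pattern="/welcome.html" />
         An intercept-url with no access attribute contributes no security
         attributes, so FilterSecurityInterceptor treats the URL as a public
         object and never triggers the login page. -->
    <security:intercept-url pattern="/welcome.html" access="ROLE_USER" />

    <security:form-login login-page="/login.html"
        default-target-url="/welcome.html"
        authentication-failure-url="/loginfailed.html" />
    <security:logout logout-success-url="/logout.html" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <!-- jdbc-user-service reads the result set by position:
               users query:       1 = username, 2 = password, 3 = enabled
               authorities query: 1 = username, 2 = authority
             Before: select FIRST_NAME,LAST_NAME,PASSWORD ...
             which makes LAST_NAME the password and PASSWORD the enabled flag.

             Assumption: every row is enabled, expressed as the constant 1.
             Assumption: every user gets the fixed authority ROLE_USER, so no
             separate authorities table is needed for this test. A user whose
             authorities query returns no rows is rejected, and the failure is
             reported to the login page as "Bad credentials". -->
        <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select FIRST_NAME, PASSWORD, 1 from USER_AUTHENTICATION where FIRST_NAME=?"
            authorities-by-username-query="select FIRST_NAME, 'ROLE_USER' from USER_AUTHENTICATION where FIRST_NAME=?" />
    </security:authentication-provider>
</security:authentication-manager>
```

The same positional rules apply to the default USERS and AUTHORITIES tables used in method 2: the user needs an AUTHORITIES row carrying ROLE_USER, and with `hash="md5"` the stored password must be the MD5 hex digest of the password rather than its plain text.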