
  • SPRING SECURITY displaying 'Bad Credentials' error on the login page

    Hello guys,

    I am relatively new to SPRING framework and SPRING - Security. I tried to implement my own tiny web application using SPRING - Security. As far as I can remember I have tried using SPRING Security before (I don't know what version) and the web application is correct, at least on the security side.

    Now, I tried to recreate it using SPRING SECURITY 2.0.4 release. The security is functioning correctly, except for one, whenever I tried to access the web application using 'Bad Credential' (eg: blank or non-existent username and password), the error is not displayed on the login page. What happened is the page is merely redirected to 'index.jsp?error=true' which is correct. (index.jsp is my login page).

    Below is my index.jsp.

    PHP Code:
    <%@ include file="/common/taglib.jsp"%>

    <html>
      <head>
        <title>Goldenway International INCLogin</title>
      </head>
      <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/general_theme.css'/>" />
      <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/header.css'/>" />
      <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/login.css'/>" />
      <body>

        <!-- HEADER IMAGE -->
        <div id="headercomponents">
          <img id="header-image" src="<c:url value='/img/header.jpg'/>"/>
        </div>

        <!-- ERROR MESSAGE IF ANY -->
        <c:if test="${param.error != null}">
          <div id="error">
            Your login attempt was not successful, try again.<br/>
            Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
          </div>
        </c:if>
        <div id="login">
        <form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">
          <table>
            <tr><td>User:</td><td><input type='text' name='j_username' style="width: 100%;" value='<c:if test="${not empty param.error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>
            <tr><td>Password:</td><td><input type='password' name='j_password' style="width: 100%;"></td></tr>
            <tr><td colspan="2"><input type="checkbox" name="_spring_security_remember_me"> &nbsp; &nbsp;Don't ask for my password for two weeks</td></tr>

            <tr><td colspan="2" style="text-align: center;"><input name="submit" type="submit" value="Submit">  &nbsp; &nbsp; <input name="reset" type="reset"></td></tr>
          </table>
        </form>
        </div>
      </body>
    </html>
    Here is my security.xml:

    PHP Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
                  
      <http auto-config="true" session-fixation-protection="none" access-decision-manager-ref="accessDecisionManager"
       access-denied-page="/accessDenied.jsp" >
         <!-- <intercept-url pattern="/index.jsp" access="ANONYMOUS" /> -->
         <intercept-url pattern="/jsp/*.htm" access="USER,ADMIN,SUPER"/>
         <intercept-url pattern="/jsp/admin/*.htm" access="ADMIN,SUPER" />
         <intercept-url pattern="/jsp/secured/*.htm" access="SUPER" />
         <form-login authentication-failure-url="/index.jsp?error=true"
         login-page="/index.jsp" login-processing-url="/j_spring_security_check" default-target-url="/jsp/home.jsp" />
         <logout invalidate-session="true" logout-url="/j_spring_security_logout" logout-success-url="/index.jsp" />
         <remember-me token-validity-seconds="604800" data-source-ref="dataSource" />
      </http>
      
      <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource" 
          users-by-username-query="select username, password, enable from EMPLOYEE where username = ? " 
          authorities-by-username-query="select username, role from EMPLOYEE where username = ? " />
      </authentication-provider>
             
      <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased" >
        <beans:property name="decisionVoters">
          <beans:bean class="org.springframework.security.vote.RoleVoter">
            <beans:property name="rolePrefix" value=""/>
            </beans:bean>
        </beans:property>
      </beans:bean>               
    </beans:beans>
    My applicationContext.xml

    PHP Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd">

      <!-- dataSource for SPRING-SECURITY -->
      <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" >
        <property name="driverClassName" value="com.mysql.jdbc.Driver" />
        <property name="url" 
          value="jdbc:mysql://localhost/goldenway_employee?createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding=utf-8" />
        <property name="username" value="root" />
        <property name="password" value="root" />
        <property name="maxActive" value="1000" />
        <property name="maxWait" value="1000" />
        <property name="maxIdle" value="50" />
        <property name="poolPreparedStatements" value="true" />
        <property name="defaultAutoCommit" value="true" />
        <property name="timeBetweenEvictionRunsMillis" value="1800000" />
        <property name="validationQuery" value="select 1 from dual" />
      </bean>

    </beans>
    and my web.xml:

    PHP Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" 
        xmlns="http://java.sun.com/xml/ns/javaee" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
        
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
          WEB-INF/applicationContext.xml
          WEB-INF/security.xml
        </param-value>
      </context-param>
      
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      
      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
    </web-app>
    Well that's pretty much my web application environment setup. I used Tomcat 5.5, SPRING SECURITY 2.0.4, MySQL 5, and tell me what more you want...

    Please guys, this is just my personal project but I can't be at ease if I can't solve this one. I know I just forgot to do something.. Please guys enlighten me..

    I also have checked this post:

    http://forum.springsource.org/showthread.php?p=249968

    For some reason, the console log stated here is similar to what I've got, the HttpSession returned null object for SPRING_SECURITY_CONTEXT.. Maybe this is related.. or not..

    thanks guys.

    -marckun
    Last edited by marcKun; Jul 10th, 2009, 10:51 PM.

  • #2
    Hello guys,

    any feedback please??

    as i've said earlier, the page is merely redirected to index.jsp?error=true page but the error messages are not displayed on the index.jsp error page, on index.jsp i have this part:

    PHP Code:
    //my header.jsp here

    <c:if test="${param.error != null}">
      <div id="error">
        Your login attempt was not successful, try again.<br/>
        Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
      </div>
    </c:if>

    //the login form div is here
    and in the login form, in the username and password textbox i have these:

    PHP Code:

    //form declaration here

    <tr>
      <td>User:</td>
      <td>
        <input
          type='text'
          name='j_username'
          style="width: 100%;"
          value='<c:if test="${not empty param.error}">
                <c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'
        />
      </td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input type='password' name='j_password' style="width: 100%;"></td>
    </tr>

    //form button and end tag here
    as you can see, in my textfields, I have tried to not clear the field if ever there is an error, but the fields are cleared..

    Might you have any idea regarding what's happening?

    thanks really..

    -marckun



    • #3
      Hi marckun,

      in my trial application I can only reproduce your problem when I do not allow a session to be created.

      In this case I see the text "Your login attempt ..." after an unsuccessful login, but not the reason and the last entered username because there is no session to store SPRING_SECURITY_LAST_EXCEPTION.

      You have published your index.jsp, but it also includes the file /common/taglib.jsp.
      Do you use
      Code:
      <%@ page session="false" %>
      in this file ?
      This could explain your problem.

      Martin



      • #4
        Originally posted by mpr:
        Hi marckun,

        in my trial application I can only reproduce your problem when I do not allow a session to be created.

        In this case I see the text "Your login attempt ..." after an unsuccessful login, but not the reason and the last entered username because there is no session to store SPRING_SECURITY_LAST_EXCEPTION.

        You have published your index.jsp, but it also includes the file /common/taglib.jsp.
        Do you use
        Code:
        <%@ page session="false" %>
        in this file ?
        This could explain your problem.

        Martin

        Hello,

        This is my taglib.jsp. I didn't put <%@ page session = "false" %> in it.

        PHP Code:
        <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
        <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" errorPage="/404.jsp" %>
        <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
        <%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %>

        <c:set var="ctx" value="${pageContext.request.contextPath}"/>
        In my console I have these logs:

        PHP Code:
        09:16:34,140 DEBUG XmlWebApplicationContext:272 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@f39b3a]: org.springframework.security.event.authentication.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@c147d212: Principal: sdfsfsdf; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F14EF0C8A055A47432621FC5302D636F; Not granted any authorities]
        09:16:34,141 DEBUG AuthenticationProcessingFilter:405 - Updated SecurityContextHolder to contain null Authentication
        09:16:34,142 DEBUG AuthenticationProcessingFilter:411 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
        09:16:34,143 DEBUG PersistentTokenBasedRememberMeServices:187 - Interactive login attempt was unsuccessful.
        09:16:34,143 DEBUG PersistentTokenBasedRememberMeServices:273 - Cancelling cookie
        09:16:34,145 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed
        09:16:34,149 DEBUG FilterChainProxy:205 - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
        09:16:34,149 DEBUG FilterChainProxy:212 - Candidate is: '/index.jsp'; pattern is /index.jsp; matched=true
        09:16:34,149 DEBUG FilterChainProxy:165 -  has an empty filter list
        09:16:34,149 DEBUG JspServlet:248 - JspEngine --> /index.jsp
        09:16:34,150 DEBUG JspServlet:249 -          ServletPath: /index.jsp
        09:16:34,150 DEBUG JspServlet:250 -             PathInfo: null
        09:16:34,150 DEBUG JspServlet:251 -             RealPath: C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\project\index.jsp
        09:16:34,150 DEBUG JspServlet:252 -           RequestURI: /project/index.jsp
        09:16:34,150 DEBUG JspServlet:253 -          QueryString: error=true
        09:16:34,150 DEBUG JspServlet:254 -       Request Params
        09:16:34,151 DEBUG JspServlet:258 -          error true
        09:17:21,441 DEBUG ManagerBase:677 - Start expire sessions StandardManager at 1247534241441 sessioncount 1
        09:17:21,441 DEBUG ManagerBase:685 - End expire sessions StandardManager processingTime 0 expired sessions: 0
        09:18:21,468 DEBUG ManagerBase:677 - Start expire sessions StandardManager at 1247534301468 sessioncount 1
        09:18:21,469 DEBUG ManagerBase:685 - End expire sessions StandardManager processingTime 1 expired sessions


        Ohh and btw, I tried to put <c:out value="${param.error}" /> and <c:out value="${params.error}" /> to print the parameter of index.jsp?error=true in the page. All I get is the string "param.error" and "params.error" printed on the screen, not the value of "error" which is "true". I don't know if I am doing it right..

        -marckun
        Last edited by marcKun; Jul 13th, 2009, 08:31 PM. Reason: add'l info



        • #5
          OK guys, I've been trying to solve this issue for ages already, I've recreated projects 6 times and configured spring security ground up 6 times already, and still I have the same behaviour.. even the project which I have created before doesn't seem to work already. The only difference with it to the previous set up is that in the previous set-up I used tomcat 6, and now I am using tomcat 5. I don't know if spring security has issues with tomcat 5, but my project app works with tomcat 6. Hmmm but I really can not tell since I am new to this framework..

          Well anyways, what I did is instead of:

          PHP Code:
          .............
          <c:if test="${param.error != null}">
            Error: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>
          </c:if>
          .............
          I did this

          PHP Code:
          ............
          <% if (request.getParameter("error") != null) { %>
            Error: Invalid username password.
          <% } %>
          ............
          I know this is not optimal, but since my spring security detects a valid login credential against a not valid login credential (the only problem is that I can't seem to display the SPRING_SECURITY_LAST_EXCEPTION.message, and strangely enough <c:if text="${param.error !=null}" /> doesn't do anything, and <c:out value="${error}" /> doesn't print the value of parameter error but the "error" string itself) I can at least do this.

          If you find out something guys will you mind posting me a reply??

          thanks

          -marckun



          • #6
            Originally posted by marcKun:
            i tried to put <c:out value="${param.error}" /> and <c:out value="${params.error}" /> to print the parameter of index.jsp?error=true in the page. all i get is the string "param.error" and "params.error" printed on the screen, not the value of "error" which is "true".
            It seems that your Expression Language is not working and you are using the URL
            Code:
            <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
            which is used for the scriptlet-based variant of JSTL 1.0. As far as I know this library does not allow the Expression Language inside a Tag.

            Please try to replace the JSTL 1.0 library with the JSTL 1.2 library which is using the URL
            Code:
            <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
            Martin

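The two diagnoses offered in this thread (a page that has no session cannot read SPRING_SECURITY_LAST_EXCEPTION, and `${...}` is not being evaluated) combined into one login-page fragment. This is an added example, not code from any poster; it assumes JSTL 1.1 or later jars are deployed and a JSP 2.0+ container, and the fallback wording is illustrative.

```jsp
<%-- Added example (not any poster's code). Assumes JSTL 1.1+ jars in WEB-INF/lib
     and a JSP 2.0+ container. --%>
<%-- session="true" lets the page read session attributes; isELIgnored="false"
     asks the container to evaluate ${...} on this page whatever the web.xml default is --%>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"
         session="true" isELIgnored="false" %>
<%-- JSTL 1.1/1.2 core URI, as suggested in post #6 --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
  <head><title>Login</title></head>
  <body>
    <%-- Diagnostic, remove once verified: view source and expect "el-check: 2".
         A literal dollar-brace expression means EL is still not being evaluated. --%>
    <!-- el-check: ${1 + 1} -->

    <c:if test="${not empty param.error}">
      <div id="error">
        Your login attempt was not successful, try again.<br/>
        <c:choose>
          <%-- The failure details are stored in the HTTP session, so name the scope explicitly --%>
          <c:when test="${not empty sessionScope.SPRING_SECURITY_LAST_EXCEPTION}">
            Reason: <c:out value="${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
          </c:when>
          <%-- No session or no stored exception: fixed text instead of an empty reason --%>
          <c:otherwise>Reason: invalid username or password.</c:otherwise>
        </c:choose>
      </div>
    </c:if>

    <form name="f" action="<c:url value='/j_spring_security_check'/>" method="POST">
      <table>
        <tr>
          <td>User:</td>
          <%-- c:out escapes &, <, >, ' and " by default, so the echoed username
               cannot break out of the value attribute --%>
          <td><input type="text" name="j_username"
                     value="<c:out value='${sessionScope.SPRING_SECURITY_LAST_USERNAME}'/>"/></td>
        </tr>
        <tr>
          <td>Password:</td>
          <td><input type="password" name="j_password"/></td>
        </tr>
        <tr><td colspan="2"><input name="submit" type="submit" value="Submit"/></td></tr>
      </table>
    </form>
  </body>
</html>
```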


            • #7
              Originally posted by mpr:
              It seems that your Expression Language is not working and you are using the URL
              Code:
              <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
              which is used for the scriptlet-based variant of JSTL 1.0. As far as I know this library does not allow the Expression Language inside a Tag.

              Please try to replace the JSTL 1.0 library with the JSTL 1.2 library which is using the URL
              Code:
              <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
              Martin
              Yeah, I already tried that one. But the same behaviour: <c:out value="${error}" /> prints the "error" string, not the value of error parameter in index.jsp?error=true or index.jsp?error=1

              -marckun



              • #8
                Originally posted by marcKun:
                Yeah, i already tried that one. But the same behaviour:
                Did you also change the library files ? Or in other words, are you sure that your project is using the tag library 1.2 ?

                Martin
