
  • Bypassing SimpleUrlHandlerMapping for Spring Security

    I'm trying to add a form login for Spring Security to an existing app using SimpleUrlHandlerMapping.

    I have a login form as follows:

    Code:
    <form action="<c:url value='/j_spring_security_check'/>" method="POST">
    <table>
    <tr><td>User:</td><td><input type='text' name='j_username'></td></tr>
    <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
    
    <tr><td colspan='2'><input name="submit" type="submit" value="Log In"></td></tr>
    <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
    </table>
    </form>
    I've tried various things for the action attribute to get /j_spring_security_check recognized and sent to the right place, but nothing seems to work. I get the following error:

    "The requested resource (/appname/j_spring_security_check) is not available."

    Is there some way to pass /j_spring_security_check on so it reaches its target? My guess is that Spring Security expects it to be handled by some default Spring Web MVC components instead of the ones I'm using for my app.

  • #2
    Hi,

    Please post your Spring Security configuration.

    I think you should not include the leading "/".



    • #3
      Thanks for responding, sami25. I could be totally off base, but I suspect Spring can't see the j_security_check because of existing UI code. If that's the case, I don't know how to fall back to Spring's default UI handlers to make it work. I've tried eliminating my passThroughController but that doesn't solve the problem.

      web.xml
      Code:
          <servlet>
              <servlet-name>uiapp</servlet-name>
              <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>
      
      
          <servlet-mapping>
              <servlet-name>uiapp</servlet-name>
              <url-pattern>/ab/*</url-pattern> 
          </servlet-mapping>
      
          <listener>
              <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
          </listener>
      
          <context-param>
              <param-name>contextConfigLocation</param-name>
              <param-value> 
                  /WEB-INF/uiapp-servlet.xml 
                  /WEB-INF/uiapp-security.xml
              </param-value>
          </context-param>
      
          <filter>
              <filter-name>springSecurityFilterChain</filter-name>
              <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
          </filter>
          <filter-mapping>
              <filter-name>springSecurityFilterChain</filter-name>
              <url-pattern>/ab/cd/*</url-pattern>
          </filter-mapping>

      uiapp-security.xml
      Code:
          <http auto-config="true">
              <intercept-url pattern="/login.jsp*" filters="none"/>
              <intercept-url pattern="/**" access="ROLE_USER"/>
              <form-login login-page='/login.jsp'/>
              <anonymous />
              <http-basic />
              <logout />
              <remember-me />
          </http>
          
          <authentication-provider>
              <user-service>
                  <user name="user" password="pass" authorities="ROLE_USER"/>
              </user-service>
          </authentication-provider>

      uiapp-servlet.xml
      Code:
          <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>
      
      	<bean id="controllerHandlerAdapter" class="org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter"/>
      
      	<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
      		<property name="basename" value="messages"/>
      	</bean>
      
      	<bean id="localeResolver" class="org.springframework.web.servlet.i18n.FixedLocaleResolver"/>
      
      	<bean class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
      		<property name="mappings">
      			<props>
      				<prop key="/cd/createuser">userManagementController</prop>
      				...
      				<prop key="/*">passThroughController</prop>
      			</props>
      		</property>
      	</bean>
      
      	<bean id="userManagementController"
      		class="blah.UserManagementController">
      	</bean>
      	
      	<bean id="passThroughController"
              class="blah.PassThroughController">
          </bean>
      
      	<bean id="viewResolver"
      		class="org.springframework.web.servlet.view.InternalResourceViewResolver">
      		<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
      		<property name="prefix" value="/WEB-INF/jsp/"/>
      		<property name="suffix" value=".jsp"/>
      	</bean>



      • #4
        Hi,

        <http auto-config="true">
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page='/login.jsp'/>
        <anonymous />
        <http-basic />
        <logout />
        <remember-me />
        </http>
        Whenever the auto-config attribute is true, you do not need to define the following:
        <anonymous />
        <http-basic />
        <logout />
        <remember-me />
        Could you do one thing to test: just comment out the existing http element and use the following
        Code:
        <http auto-config="true">
            <intercept-url pattern="/**" access="ROLE_USER"/>
        </http>
        Spring would generate the login form automatically; at least this would ensure that the problem is in the JSP.

        Secondly, can you check the view source after the page (login.jsp) has been rendered by the browser?



        • #5
          Hi,

          I'm afraid that just leads to this:
          Code:
          HTTP Status 404 - /appname/spring_security_login
          
          type Status report
          
          message /appname/spring_security_login
          
          description The requested resource (/appname/spring_security_login) is not available.
          What set of Spring Web MVC handlers, etc. is Spring Security expecting? It seems to be different from what I have configured.



          • #6
            Hi,

            <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/ab/cd/*</url-pattern>
            </filter-mapping>
            Change the above to the following:
            Code:
            <filter-mapping>
                <filter-name>springSecurityFilterChain</filter-name>
                <url-pattern>/*</url-pattern>
            </filter-mapping>



            • #7
              Thanks Sami25,

              That does seem to be part of the solution. Evidently Spring Security

              Code:
              <url-pattern>/*</url-pattern>
              needs this setting to see its components (the spring_security_login, for example).

              I'm now getting an org.springframework.ws.client.WebServiceTransportException: Bad credentials [401] error; evidently Spring Security is now interfering with my existing, working Spring Web Services setup.

              Thanks again for your help!

              If I can't figure out what's happening now I'll post a new thread when I can formulate a good question.



              • #8
                I already had the

                <url-pattern>/*</url-pattern>

                I had the same exact problem and the login worked when I used the maven jetty plugin with contextPath as "/", but it stopped working when I changed it to "/appname". Just to make sure it didn't involve the jetty plugin I confirmed that it failed on tomcat where appname was the servlet context.

                What I finally realized was that I had the login form as /$appname/auth/login, so to get it to work I had to use "../j_spring_security_check" as my action. My theory on why it worked without a context path was spring security looks for both /j_spring_security_check and /appname/j_spring_security_check and with / as a context it found the first version, but it couldn't find /appname/auth/j_spring_security_check for obvious reasons (relative path to auth, not root of context).

                Paul Sundling
                http://www.gamerleague.com
                Last edited by sundling; Jan 3rd, 2009, 01:38 AM.
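
The two URL effects discussed in this thread (a `<filter-mapping>` that never sees `/j_spring_security_check`, and a relative form `action` resolving under `/auth/`), worked through as an added example that is not part of any poster's code. It models only servlet `<url-pattern>` matching and browser URL resolution, not Spring Security internals; the `localhost:8080` origin and the `/ab/report` path are constructed sample values.

```javascript
// Added example; paths come from the thread, the origin and /ab/report are constructed.
const CONTEXT = "/appname";                      // servlet context path in the thread
const LOGIN_CHECK = "/j_spring_security_check";  // login-processing URL the form targets

// Servlet-spec <url-pattern> matching, applied to the context-relative path.
function patternMatches(pattern, path) {
  if (pattern.endsWith("/*")) {                  // path-prefix mapping ("/*" = everything)
    const prefix = pattern.slice(0, -2);
    return path === prefix || path.startsWith(prefix + "/");
  }
  if (pattern.startsWith("*.")) return path.endsWith(pattern.slice(1)); // extension mapping
  return path === pattern;                       // exact mapping
}

// True when the container would route requestUri through a filter mapped to `pattern`.
function filterSees(pattern, requestUri, context = CONTEXT) {
  const path = requestUri.split(/[?;]/)[0];      // drop query string and path parameters
  if (path !== context && !path.startsWith(context + "/")) return false;
  return patternMatches(pattern, path.slice(context.length) || "/");
}

// Resolve a form's action attribute as a browser does, relative to the page's URL.
function resolveAction(pagePath, action) {
  return new URL(action, "http://localhost:8080" + pagePath).pathname;
}

// Where a login form's POST lands, and whether springSecurityFilterChain gets to see it.
function checkLoginForm(pagePath, action, filterPattern) {
  const target = resolveAction(pagePath, action);
  return {
    target,
    hitsLoginCheck: target === CONTEXT + LOGIN_CHECK,
    filtered: filterSees(filterPattern, target),
  };
}

// The thread's cases: narrow vs. wide filter mapping, bare vs. "../" relative action.
function demo() {
  return [
    ["/appname/login.jsp", "/appname/j_spring_security_check", "/ab/cd/*"],
    ["/appname/login.jsp", "/appname/j_spring_security_check", "/*"],
    ["/appname/auth/login", "j_spring_security_check", "/*"],
    ["/appname/auth/login", "../j_spring_security_check", "/*"],
  ].map(([page, action, pattern]) => ({ page, action, pattern, ...checkLoginForm(page, action, pattern) }));
}

console.table(demo());
// With "/ab/cd/*", handlers under /ab/* but outside /ab/cd/ also run unfiltered:
console.log(filterSees("/ab/cd/*", "/appname/ab/report"));
```

The first row reproduces the 404 from the opening post: the POST targets the right URL but never enters the filter chain. The final line shows that the same narrow mapping also leaves other `/ab/*` URLs outside the `intercept-url` access rules.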
