Spring security: Can not access target page after entering proper credentials - spring

I am trying to create a basic Spring Security (3.0) application following the common tutorials from internet. However, even after entering configured credentials, login page is opening again. The debug logs show that the user is being authenticated as anonymous user. Please let me know what I am missing.
Here's my web.xml:-
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>Spring Security Example</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
My spring-security.xml:-
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http >
<intercept-url pattern="/app/*"
access="ROLE_USER" />
<form-login login-page="/app/login/"
default-target-url="/app/home/"
authentication-failure-url="/app/login?error=true" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="sumit" password="1234"
authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
My login.jsp:-
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<%#taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Login</title>
</head>
<body>
<h2>Login page</h2>
<form:form method="POST" action="../home" commandName="user">
Username: <form:input path="username" />
<br>
Password: <form:input path="password" />
<br>
<input type="submit" value="Login">
</form:form>
</body>
</html>
My Controller:-
package com.test.basicspring.controller;
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.test.model.UserModel;
#Controller
#RequestMapping(value = "/app")
public class HelloWorldController {
private Logger logger = Logger.getLogger(HelloWorldController.class);
#RequestMapping(method = RequestMethod.GET, value = "/hello")
public void SayHello(HttpServletResponse response) {
System.out.println("Hello World");
logger.info("Logging Hello World");
try {
response.getWriter().write("Request completed");
} catch (IOException e) {
e.printStackTrace();
}
}
#RequestMapping(method = RequestMethod.GET, value = "/login")
public String login(Model modelMap) {
System.out.println("In login method");
modelMap.addAttribute("user", new UserModel());
return "login";
}
#RequestMapping(method = RequestMethod.POST, value = "/home")
public String home() {
System.out.println("Login successful");
return "";
}
}
Debug logs after submitting login credentials:-
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/app/home'; to: '/app/home'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - Candidate is: '/app/home'; pattern is /**; matched=true
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 1 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter#26f6ad34'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#4f884b44. A new one will be created.
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 2 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#7d0a1070'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 3 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter#542dcf66'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/springSecurityExample/app/hello; arg2=/springSecurityExample/app/home (property not equals)
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 4 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#6d55a0ba'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 5 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter#6ec0b31f'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6fabe8e0: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F09C61DDA9D42B649B89CD650863A289; Granted Authorities: ROLE_ANONYMOUS'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 6 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter#1f29202'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 7 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter#77240701'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 8 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#72e500b4'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/app/home'; to: '/app/home'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/app/home'; pattern is /app/*; matched=true
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /app/home; Attributes: [ROLE_USER]
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6fabe8e0: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F09C61DDA9D42B649B89CD650863A289; Granted Authorities: ROLE_ANONYMOUS
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter#4bb7d66d, returned: -1
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter#eb5417f, returned: 0
TRACE 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /app/home]
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

I was able to make above code work by specifying action attribute and login-processing-url both to '/login'. With this configuration, spring activates inbuilt filter for username and password validation. Then, it goes to endpoint specified by default-target-url.

Related

Request 'GET /sw.js' doesn't match 'POST /login Spring Security

I am running Spring Boot v2.3.2.RELEASE, Spring v5.2.8.RELEASE and after a successful login I get Request 'GET /sw.js' doesn't match 'POST /login. This happens in Chrome but not in Firefox.
This is my security config class:
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
#Autowired
private LdapAuthenticationProvider authProvider;
/**
* Defines the web based security configuration.
*
* #param http It allows configuring web based security for specific http requests.
* #throws Exception
*/
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/images/**").permitAll()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login") //custom login page
.permitAll(); // permit everyone the /login page
}
/**
* Sets a custom authentication provider.
*
* #param auth SecurityBuilder used to create an AuthenticationManager.
* #throws Exception
*/
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
My home controller is:
#RequestMapping("/")
public String index(Principal principal) throws IsimConnectionException {
Authentication authentication = (Authentication) principal;
if ((authentication.getPrincipal() != null) && (authentication.isAuthenticated())) {
...
My login controller is:
#Controller
public class LoginController {
#GetMapping("/login")
public String login(){
return "login";
}
}
Here is my stack:
2021-09-27 15:10:12,119 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.context.HttpSessionSecurityContextRepository: Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#ac138ad5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#ac138ad5: Principal: xxx; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 2B1ED69302276F95FB5CB97E87F7CF64; Not granted any authorities'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.util.matcher.AntPathRequestMatcher: Request 'GET /error' doesn't match 'POST /logout'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.util.matcher.AntPathRequestMatcher: Request 'GET /error' doesn't match 'POST /login'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.savedrequest.HttpSessionRequestCache: saved request doesn't match
2021-09-27 15:10:12,120 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2021-09-27 15:10:12,121 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2021-09-27 15:10:12,121 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.authentication.AnonymousAuthenticationFilter: SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#ac138ad5: Principal: asusti; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 2B1ED69302276F95FB5CB97E87F7CF64; Not granted any authorities'
2021-09-27 15:10:12,121 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-09-27 15:10:12,121 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-09-27 15:10:12,121 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-09-27 15:10:12,122 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain: /error reached end of additional filter chain; proceeding with original chain
2021-09-27 15:10:12,123 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.access.ExceptionTranslationFilter: Chain processed normally
2021-09-27 15:10:12,123 DEBUG [http-nio-8080-exec-2] org.springframework.security.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
Can you please suggest what is missing in my configuration?
Update:
This is the network screenshot when the error appears from Chrome:
My login.html is:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
<head>
<title>Login page </title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<form name="f" th:action="#{/login}" method="post">
<fieldset>
<legend>Please Login</legend>
<div th:if="${param.error}" class="alert alert-error">
Invalid username and password.
</div>
<div th:if="${param.logout}" class="alert alert-success">
You have been logged out.
</div>
<label for="username">Username</label>
<input type="text" id="username" name="username"/>
<label for="password">Password</label>
<input type="password" id="password" name="password"/>
<div class="form-actions">
<button type="submit" class="btn">Log in</button>
</div>
</fieldset>
</form>
</div>
</body>
</html>
Here is the error sw.js line no 18 that is throwing 404 error. work-box-core.. not found:

loadUserByUsername being passed empty username

I am trying to implement an example from "Pro Spring Security" by Scarioni which implements a custom in memory user model (implementing the UserDetailsService interface) and custom expression handler. When I try to log in, the loadUserByUsername() method of my CustomInMemoryUserDetailsManager is passed a blank (not null) string for the username. This results in access denied. If I force the username to be that expected (admin), everything works fine including the custom expression handling.
Here is my security configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http auto-config="true" use-expressions="true" >
<security:expression-handler ref="expressionHandler" />
<security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN') and hasIpAddress('127.0.0.1') and over18"/>
<security:remember-me key="terror-key" />
<security:form-login login-page="/custom_login"
authentication-failure-handler-ref="serverErrorHandler"
username-parameter="user_param" password-parameter="pass_param" />
</security:http>
<security:authentication-manager>
<security:authentication-provider user-service-ref="inMemoryUserServiceWithCustomUser" />
</security:authentication-manager>
<!-- Custom expression handler bean -->
<bean id="expressionHandler" class="com.apress.pss.terrormovies.security.CustomWebSecurityExpressionHandler"/>
<bean id="inMemoryUserServiceWithCustomUser"
class="com.apress.pss.terrormovies.spring.CustomInMemoryUserDetailsManager">
<constructor-arg>
<list>
<bean class="com.apress.pss.terrormovies.model.User">
<constructor-arg value="admin"/>
<constructor-arg value="admin"/>
<constructor-arg>
<list>
<bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<constructor-arg value="ROLE_ADMIN"/>
</bean>
</list>
</constructor-arg>
<constructor-arg value="Scarioni"/>
<constructor-arg value="19"/>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="logoutRedirectToAny"
class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
</bean>
<bean id="serverErrorHandler" class="com.apress.pss.terrormovies.security.ServerErrorFailureHandler"/>
</beans>
Here is my CustomInMemoryUserDetailsManager class:
package com.apress.pss.terrormovies.spring;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.apress.pss.terrormovies.model.User;
public class CustomInMemoryUserDetailsManager implements UserDetailsService {
private final Log logger = LogFactory.getLog(getClass());
private Map<String, User> users = new HashMap<String, User>();
public CustomInMemoryUserDetailsManager(Collection<User> users) {
for (User user : users) {
this.users.put(user.getUsername().toLowerCase(), user);
logger.debug("CustomInMemoryUserDetailsManager()- put username: " +
user.getUsername() + " last name: " + user.getLastName() + " authority: " +
user.getAuthorities());
}
}
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
// Test - force user name to that expected
//username = "admin";
if (username.equals("")) logger.debug("loadUserByUsername()- username is blank!!!");
logger.debug("loadUserByUsername()- username: " + username);
User user = users.get(username.toLowerCase());
if (user == null) {
throw new UsernameNotFoundException(username);
}
logger.debug("loadUserByUsername()- found " + user.getUsername());
User userNew = new User(user.getUsername(), user.getPassword(),
user.getAuthorities(), user.getLastName(), user.getAge());
return userNew;
}
}
I turned on Spring debugging and got a very large log, here is what I think is the relevent part from the point of logging to j_spring_security_check:
:28,785 DEBUG main DispatcherServlet:130 - Servlet 'terrormovies' configured successfully
08:29:48,058 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
08:29:48,072 DEBUG qtp1624348237-15 HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
08:29:48,085 DEBUG qtp1624348237-15 HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
08:29:48,120 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
08:29:48,120 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
08:29:48,120 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
08:29:48,121 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
08:29:48,121 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
08:29:48,122 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
08:29:48,123 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
08:29:48,124 DEBUG qtp1624348237-15 AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
08:29:48,125 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
08:29:48,125 DEBUG qtp1624348237-15 SessionManagementFilter:92 - Requested session ID ncic677387xfiq2ciohmau1 is invalid.
08:29:48,126 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
08:29:48,126 DEBUG qtp1624348237-15 FilterChainProxy:337 - /admin/movies at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
08:29:48,126 DEBUG qtp1624348237-15 AntPathRequestMatcher:103 - Checking match of request : '/admin/movies'; against '/admin/*'
08:29:48,127 DEBUG qtp1624348237-15 FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /admin/movies; Attributes: [hasRole('ROLE_ADMIN') and hasIpAddress('127.0.0.1') and over18]
08:29:48,127 DEBUG qtp1624348237-15 FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
08:29:48,129 DEBUG qtp1624348237-15 CustomWebSecurityExpressionRoot:22 - CustomWebSecurityExpressionRoot()- call
08:29:48,154 DEBUG qtp1624348237-15 AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#35333295, returned: -1
08:29:48,157 DEBUG qtp1624348237-15 ExceptionTranslationFilter:165 - Access is denied(user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
...
On initialization you can see the user being correctly entered into the users HashMap in the log:
08:29:25,912 DEBUG main CustomInMemoryUserDetailsManager:26 - CustomInMemoryUserDetailsManager()- put username: admin last name: Scarioni authority: [ROLE_ADMIN]
I noticed the user is coming in as anonymous, I'm not sure why. Any help would be greatly appreciated.
Thanks
mike

Spring Security JavaConfig with HTTP Basic and JSR-250: 403 Forbidden

How the Configuration should look like when using #RolesAllowed Annotation?
I don't need any auth at my webpage as there's no login or anything else. Only the admin panel should have an http basic auth.
This is my current code:
public class WebAppInitializer extends AbstractSecurityWebApplicationInitializer {
#Override
public void beforeSpringSecurityFilterChain(ServletContext servletContext) {
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
rootContext.getEnvironment().setDefaultProfiles("production");
rootContext.scan("com.xxx.config");
container.addListener(new ContextLoaderListener(rootContext));
ServletRegistration.Dynamic servlet = container.addServlet("DispatcherServlet", DispatcherServlet.class);
servlet.setInitParameter("contextConfigLocation", "");
servlet.setLoadOnStartup(1);
servlet.addMapping("/");
FilterRegistration charEncodingfilterReg = container.addFilter("CharacterEncodingFilter", CharacterEncodingFilter.class);
charEncodingfilterReg.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
charEncodingfilterReg.setInitParameter("encoding", "UTF-8");
charEncodingfilterReg.setInitParameter("forceEncoding", "true");
}
}
#Controller
#RequestMapping("admin")
#RolesAllowed("admin")
public class AdminController {
// ...
}
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private Environment env;
private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().realmName(env.getProperty("adminRealm"));
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
// Output: DEBUG SecurityConfig - Register credentials for roles user, admin: admin:admin
log.debug("Register credentials for roles user, admin: " + env.getProperty("adminUsername") + ":" + env.getProperty("adminPassword"));
auth.inMemoryAuthentication().withUser(env.getProperty("adminUsername")).password(env.getProperty("adminPassword")).roles("user", "admin");
}
}
But after the login with the correct credentials I'm just getting a HTTP 403.
Log while requesting the admin panel:
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG DispatcherServlet - Taking snapshot of request attributes before include
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/webjars/fancybox/jquery.fancybox.css
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/webjars/fancybox/jquery.fancybox.css] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/webjars/fancybox/jquery.fancybox.css] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/webjars/fancybox/jquery.fancybox.css] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/webjars/fancybox/jquery.fancybox.css] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [webjars/fancybox/jquery.fancybox.css] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG ResourceHttpRequestHandler - Determined media type 'text/css' for ServletContext resource [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Restoring snapshot of request attributes after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.introspectTypeLevelMapping] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.FLASH_MAP_MANAGER] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.CONTEXT] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.pathWithinHandlerMapping] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.OUTPUT_FLASH_MAP] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.bestMatchingPattern] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER] after include
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Skipping processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG BenchmarkProcessorDecorator - StopWatch '': running time (millis) = 0
-----------------------------------------
ms % Task name
-----------------------------------------
00000 � Using ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.model.resource.processor.impl.css.CssUrlRewritingProcessor#76ec1185
...much wro4j stuff...
DEBUG BenchmarkProcessorDecorator - StopWatch '': running time (millis) = 2770
-----------------------------------------
ms % Task name
-----------------------------------------
02770 100% Using ro.isdc.wro.model.resource.processor.impl.css.JawrCssMinifierProcessor#2c8e5aa6
DEBUG DefaultSynchronizedCacheStrategyDecorator - found content: .clearfix{*zoom:1}.clearfix...
DEBUG DefaultSynchronizedCacheStrategyDecorator - Content to fingerprint: [.clearfix{*zoom:1}.clearfix...]
DEBUG AbstractDigesterHashStrategy - SHA1HashStrategy hash: 51eda04c354d73243fa387841c9d888bbeb4a201
DEBUG DefaultSynchronizedCacheStrategyDecorator - computed entry: hash: 51eda04c354d73243fa387841c9d888bbeb4a201
DEBUG ResourceBundleProcessor - ETag hash detected: "51eda04c354d73243fa387841c9d888bbeb4a201". Sending 304 status code
DEBUG WroFilter - Disable Cache is true. Destroying model...
DEBUG DefaultWroModelFactoryDecorator - Destroy model
DEBUG DefaultResourceAuthorizationManager - clear.
DEBUG DefaultResourceAuthorizationManager - clear.
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG FilterChainProxy - /resources/img/logo.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/logo.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/img/logo.png at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/img/logo.png'; against '/logout'
DEBUG FilterChainProxy - /resources/img/logo.png at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/logo.png at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/img/logo.png]
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/img/logo.png
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/img/logo.png]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/img/logo.png] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/img/logo.png] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/img/logo.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/img/logo.png] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [img/logo.png] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/img/logo.png]
DEBUG ResourceHttpRequestHandler - Determined media type 'image/png' for ServletContext resource [/resources/img/logo.png]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG FilterChainProxy - /resources/img/eagle.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/img/eagle.png at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/img/eagle.png'; against '/logout'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/img/eagle.png]
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/img/eagle.png
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/webjars/font/fontawesome-webfont.woff'; against '/logout'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/img/eagle.png]
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/img/eagle.png] are [/resources/**]
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/img/eagle.png] are {}
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/img/eagle.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG DispatcherServlet - Last-Modified value for [/resources/img/eagle.png] is: -1
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 reached end of additional filter chain; proceeding with original chain
DEBUG ResourceHttpRequestHandler - Trying relative path [img/eagle.png] against base location: ServletContext resource [/resources/**]
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/img/eagle.png]
DEBUG ResourceHttpRequestHandler - Determined media type 'image/png' for ServletContext resource [/resources/img/eagle.png]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/webjars/font/fontawesome-webfont.woff
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/webjars/font/fontawesome-webfont.woff] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/webjars/font/fontawesome-webfont.woff] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/webjars/font/fontawesome-webfont.woff] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/webjars/font/fontawesome-webfont.woff] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [webjars/font/fontawesome-webfont.woff] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG ResourceHttpRequestHandler - Determined media type 'application/x-font-woff' for ServletContext resource [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Permissions:
$ cd ~/workspace/xxxxx/target/classes && ls -l . && ls -l META-INF && ls -l META-INF/services && ls -l properties && ls -l properties/common && ls -l properties/development
insgesamt 76
drwxrwxr-x 4 danny danny 4096 Nov 12 17:57 com
-rw-rw-r-- 1 danny danny 19074 Nov 12 17:57 import.sql
-rw-rw-r-- 1 danny danny 519 Nov 14 22:16 logback.xml
drwxrwxr-x 3 danny danny 4096 Nov 12 17:57 META-INF
drwxrwxr-x 5 danny danny 4096 Nov 12 17:57 properties
-rw-rw-r-- 1 danny danny 2215 Nov 12 17:57 tiles.xml
-rw-rw-r-- 1 danny danny 2444 Nov 12 17:57 wro.xml
insgesamt 4
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 services
insgesamt 24
-rw-rw-r-- 1 danny danny 34 Nov 12 17:57 javax.servlet.ServletContainerInitializer
-rw-rw-r-- 1 danny danny 57 Nov 12 17:57 ro.isdc.wro.model.spi.ModelFactoryProvider
insgesamt 12
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 common
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 development
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 production
insgesamt 48
-rw-rw-r-- 1 danny danny 737 Nov 12 17:57 application.properties
-rw-rw-r-- 1 danny danny 57 Nov 12 17:57 hibernate.properties
-rw-rw-r-- 1 danny danny 88 Nov 12 17:57 jdbc.properties
-rw-rw-r-- 1 danny danny 125 Nov 12 17:57 wro.properties
insgesamt 48
-rw-rw-r-- 1 danny danny 142 Nov 12 17:57 application.properties
-rw-rw-r-- 1 danny danny 53 Nov 12 17:57 hibernate.properties
-rw-rw-r-- 1 danny danny 35 Nov 12 17:57 jdbc.properties
-rw-rw-r-- 1 danny danny 17 Nov 12 17:57 wro.properties
As you are using the default authentication manager your rolenames must be prefixed with "ROLE_" to be matched.

Spring doesn't Reject Protected Url access

I have implemented spring security it was working fine but suddenly it stopped working.
Now when I try to access a protected url it doesn't reject, it allows me to open url.
when I try to login with valid user it does call loginSuccessHandler but doesn't redirect to secure/applications.html page.
Sorry it is bit lengthy detail, I am really stuck :(.
Spring Logging
20:41:04,555 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - Checking match of request : '/j_spring_security_check'; against '/resources/**'
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
20:41:04,556 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No HttpSession currently exists
20:41:04,556 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: null. A new one will be created.
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
20:41:04,556 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - Request is to process authentication
20:41:04,557 DEBUG [org.springframework.security.authentication.ProviderManager] - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
Hibernate: select this_.id as id1_12_1_, this_.date as date2_12_1_, this_.email as email3_12_1_, this_.firstName as firstNam4_12_1_, this_.lastName as lastName5_12_1_, this_.password as password6_12_1_, this_.phoneNumber as phoneNum7_12_1_, this_.role as role8_12_1_, registerst2_.id as id1_11_0_, registerst2_.active as active2_11_0_, registerst2_.sessionExpiry as sessionE3_11_0_, registerst2_.sessionString as sessionS4_11_0_ from User this_ left outer join RegisterStatus registerst2_ on this_.id=registerst2_.id where this_.email=?
20:41:07,736 WARN [org.springframework.security.authentication.event.LoggerListener] - Authentication event AuthenticationSuccessEvent: yahya.arshad#gmail.com; details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null
20:41:07,737 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities
20:41:07,737 DEBUG [org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices] - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
20:41:07,737 DEBUG [org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices] - Remember-me login not requested.
20:41:07,737 WARN [org.springframework.security.authentication.event.LoggerListener] - Authentication event InteractiveAuthenticationSuccessEvent: yahya.arshad#gmail.com; details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null
20:41:09,038 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.mortbay.jetty.servlet.HashSessionManager$Session:ap7q19yq3oul#1156618876]
20:41:09,039 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl#48f0accc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,041 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
20:41:09,047 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - Checking match of request : '/secure/applications.html'; against '/resources/**'
20:41:09,047 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
20:41:09,047 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#48f0accc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,047 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter] - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /secure/applications.html; Attributes: [permitAll]
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities
20:41:09,049 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#3aa8c31b, returned: 1
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Authorization successful
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - RunAsManager did not change Authentication object
20:41:09,049 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html reached end of additional filter chain; proceeding with original chain
20:41:09,053 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Chain processed normally
20:41:09,053 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
LoginSuccessHandler.java
public class LoginSuccessHandler implements AuthenticationSuccessHandler,
AuthenticationFailureHandler {
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication auth)
throws IOException, ServletException {
request.getSession(true).setAttribute("user", auth.getPrincipal());
request.setAttribute("user", auth.getPrincipal());
**response.sendRedirect("secure/applications.html");** // it does't redirect
}
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, AuthenticationException auth)
throws IOException, ServletException {
// TODO Auto-generated method stub
request.getSession(true).setAttribute("error", auth.getMessage());
request.setAttribute("error", auth.getMessage());
response.sendRedirect("login.html?error=true");
}
}
security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<context:component-scan base-package="com.fyp.ptma" />
<beans:bean id="loggerListener"
class="org.springframework.security.authentication.event.LoggerListener" />
<global-method-security pre-post-annotations="enabled" />
<http pattern="/resources/**" security="none" />
<http use-expressions="true" auto-config="true">
<intercept-url pattern="/**" access="permitAll" />
<intercept-url pattern="/secure/*" access="isAuthenticated()" />
<intercept-url pattern="/j_spring_security_check"
access="permitAll" />
<intercept-url pattern="/processRegistration.html"
access="permitAll" />
<form-login login-page="/login.html" default-target-url="/secure/fileUpload.html"
authentication-failure-url="/login.html?error=true"
login-processing-url="/j_spring_security_check"
authentication-success-handler-ref="loginSuccessHandler"
/>
<logout />
<remember-me user-service-ref="userDetailsService" />
<access-denied-handler error-page="/login.html?error=true" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsService"
class="com.fyp.ptma.dao.service.UserDetailsServiceImpl">
</beans:bean>
<beans:bean id="loginSuccessHandler" class="com.fyp.ptma.security.LoginSuccessHandler" />
servlet-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing
infrastructure -->
<beans:bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources
in the /WEB-INF/views directory -->
<beans:bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<context:component-scan base-package="com.fyp.ptma.controllers" />
</beans:beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/log4j.properties</param-value>
</context-param>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/appServlet/security-context.xml
/WEB-INF/hibernate/hibernate-config.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>120</session-timeout>
</session-config>
</web-app>
You should move
<intercept-url pattern="/**" access="permitAll" />
after
<intercept-url pattern="/secure/*" access="isAuthenticated()" />
in your security-context.xml

GWT Spring Security Integration (PURE GWT, NO JSP)

I´m using GWT 2.4 and Spring 3.1 and I want to secure my application with Spring Security. I was looking for a GWT-only solution without a separate JSP login page. I found only old sites using JSP to do login, so this thread could result in a solution to fully integrate GWT with Spring Security in a standard way. Anyway, if there is a reference where this has been done successfully already, this thread can be closed with a link to that reference of course.
So far here is my first approach:
applicationcontext-security.xml:
<http auto-config="false" use-expressions="true" entry-point-ref="customAuthenticationEntryPoint">
<intercept-url pattern="/ApplicationScaffold.html" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
</http>
<beans:bean id="customAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
c:loginFormUrl="/ApplicationScaffold.html" />
<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<authentication-provider>
...
</authentication-provider>
</authentication-manager>
ApplicationScaffold.html (my application was created with Spring Roo) is my starting page containing the GWT login page.
web.xml:
<display-name>securitytest</display-name>
<description>Roo generated application</description>
<!-- Enable escaping of form submission contents -->
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:META-INF/spring/applicationContext*.xml</param-value>
</context-param>
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter>
<filter-name>HttpMethodFilter</filter-name>
<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HttpMethodFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Handles Spring requests -->
<servlet>
<servlet-name>securitytest</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>WEB-INF/spring/webmvc-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>requestFactory</servlet-name>
<servlet-class>com.securitytest.server.CustomRequestFactoryServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>securitytest</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>requestFactory</servlet-name>
<url-pattern>/gwtRequest</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>10</session-timeout>
</session-config>
The CustomRequestFactoryServlet class extends RequestFactoryServlet providing an additional constructor to resolve Spring services and should not be relevant to security issues.
After entering username and password on the GWT widget a login service is invoked (via RequestFactory) that simply does the following:
public String loginUser(String username, String password) {
UsernamePasswordAuthenticationToken token =
new UsernamePasswordAuthenticationToken(username, password);
Authentication authenticatedUser = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
return username;
}
So when I enter a URL like ../fooooooo I expect my application to redirect me to the login page (ApplicationScaffold.html). But only the URL in the browser´s address bar is set to ../ApplicationScaffold.html and nothing more happens.
What am I doing wrong?
The stack trace says the following:
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,502 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,503 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.session.SessionManagementFilter - Requested session ID1nkvhmubnkz6h is invalid.
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /fooooooooo at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/fooooooooo'; against '/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /fooooooooo; Attributes: [hasRole('ROLE_USER')]
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5f8d13b8, returned: -1
[INFO] 2012-12-17 13:41:07,504 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
[INFO] org.springframework.security.access.AccessDeniedException: Access is denied
...
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://127.0.0.1:8888/fooooooooo]
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://127.0.0.1:8888/ApplicationScaffold.html'
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[INFO] 2012-12-17 13:41:07,506 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:q0k5u6clocpc#1530548245. A new one will be created.
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/fooooooooo; arg2=/ApplicationScaffold.html (property not equals)
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
[INFO] 2012-12-17 13:41:07,543 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/applicationscaffold.html'; against '/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /ApplicationScaffold.html; Attributes: [permitAll]
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5f8d13b8, returned: 1
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /ApplicationScaffold.html reached end of additional filter chain; proceeding with original chain
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - Opening JPA EntityManager in OpenEntityManagerInViewFilter
[INFO] 2012-12-17 13:41:07,544 [btpool0-0] DEBUG org.hibernate.impl.SessionImpl - opened session at timestamp: 13557480675
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'securitytest' processing GET request for [/ApplicationScaffold.html]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /ApplicationScaffold.html
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Did not find handler method for [/ApplicationScaffold.html]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Matching patterns for request [/ApplicationScaffold.html] are [/**]
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - URI Template variables for request [/ApplicationScaffold.html] are {}
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - Mapping [/ApplicationScaffold.html] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler#3e3bfa58] and 1 interceptor
[INFO] 2012-12-17 13:41:07,545 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Last-Modified value for [/ApplicationScaffold.html] is: -1
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'securitytest': assuming HandlerAdapter completed request handling
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.web.servlet.DispatcherServlet - Successfully completed request
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter - Closing JPA EntityManager in OpenEntityManagerInViewFilter
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.orm.jpa.EntityManagerFactoryUtils - Closing JPA EntityManager
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
[INFO] 2012-12-17 13:41:07,547 [btpool0-0] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 1 of 7 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:q0k5u6clocpc#1530548245. A new one will be created.
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 2 of 7 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
[INFO] 2012-12-17 13:41:07,583 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/fooooooooo; arg2=/applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html (property not equals)
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 3 of 7 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 4 of 7 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 5 of 7 in additional filter chain; firing Filter: 'SessionManagementFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 6 of 7 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.FilterChainProxy - /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html at position 7 of 7 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/applicationscaffold/c142d67e9948229be2b28e2a99e7c59a.cache.html'; against '/applicationscaffold.html'
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /applicationScaffold/C142D67E9948229BE2B28E2A99E7C59A.cache.html; Attributes: [hasRole('ROLE_USER')]
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#957e: RemoteIpAddress: 127.0.0.1; SessionId: q0k5u6clocpc; Granted Authorities: ROLE_ANONYMOUS
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#5f8d13b8, returned: -1
[INFO] 2012-12-17 13:41:07,584 [btpool0-0] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
[INFO] org.springframework.security.access.AccessDeniedException: Access is denied
Pure GWT solution:
Do not use http element at all (http tag from config namespace)
Define your AuthenticationRpcService
Add AuthenticationRpcService.authenticate(user,password) method
Inject into AuthenticationServiceImpl AuthenticationProvider bean from security-context.xml
Implement AuthenticationRpcService.authenticate(user,password) as :
User user = new User(login, password, true, true, true, true, new ArrayList<GrantedAuthority>());
Authentication auth = new UsernamePasswordAuthenticationToken(user, password,
new ArrayList<GrantedAuthority>());
try {
auth = this.authenticationProvider.authenticate(auth);
} catch (BadCredentialsException e) {
throw new ClientSideBadCredentialsException(e.getMessage(), e);
}
SecurityContext sc = new SecurityContextImpl();
sc.setAuthentication(auth);
SecurityContextHolder.setContext(sc);
Ensure that spring security filter chain is executed during processing of each your GWT RPC call (to be sure that SecurityContext populated into SecurityContextHolder).
Secure all business services with #RolesAllowed({ "ADMIN_ROLE", "USER_ROLE" }) annotations
Prepare your own ClientSideAcessDeniedException that can be used on client side
In a case of spring AcessDeniedException propogate ClientSideAcessDeniedException to client side
On client side set up UncaughtExceptionHandler via GWT.setUncaughtExceptionHandler
In UncaughtExceptionHandler detect CustomAcessDeniedException and then show error to user.
I've found that all you can protect in gwt using Spring Security are the RPC calls but as far as the gui you can't. Remember they are javascript so there is no url to define in the security configuration. That is why all examples have the jsp login page. You would then have to implement some type of client side security using the userContext for frontend .
You need to figure out why your user is considered anonymous (line 77 in stacktrace). I suppose Spring then sends another redirect (to the login) but the GWT callback doesn't know what to do with HTTP 302?

Resources