Spring LDAP Integration issue - spring

I am trying to integrate Spring Security with LDAP, using Spring core version 4.0.5, Spring Security version 3.2.2 and Spring LDAP version 1.3.2. Here is my security config XML:
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/js/**"
access="true" />
<security:intercept-url pattern="/css/**"
access="true" />
<security:intercept-url pattern="/images/**"
access="true" />
<security:intercept-url pattern="/**"
access="hasRole('ROLE_USER')" />
</security:http>
<!-- NOTE(review): ldap:// on port 389 is not encrypted by default. With the user-dn-pattern bind shown below, the password typed into the login form would travel to the directory in cleartext; prefer ldaps:// or StartTLS outside a lab network. -->
<!-- The URL ends at "/" and therefore carries no base DN. -->
<security:ldap-server id="ldapServer"
url="ldap://qadirectory.xxxx.com:389/" />
<security:authentication-manager alias="authenticationManager">
<security:ldap-authentication-provider
server-ref="ldapServer" user-dn-pattern="uid={0},ou=people,o=xxxx.com" />
</security:authentication-manager>
I get the following error when authenticating through the default Spring login form:
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:174)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:305)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:258)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:605)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:523)
org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:171)
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:82)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
root cause
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3112)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:252)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:292)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:258)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:605)
org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:523)
org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:171)
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:82)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)

Your exception is thrown when Spring Security LDAP is trying to search for user groups. These groups are searched within LDAP base DN by default. Base DN is taken from the LDAP URL, for example:
<ldap-server url="ldap://springframework.org:389/dc=springframework,dc=org" />
In your case the LDAP URL does not specify a base DN, so you need to specify the group search base manually:
<security:ldap-authentication-provider server-ref="ldapServer"
user-dn-pattern="uid={0},ou=people,o=xxxx.com"
group-search-base="ou=groups,o=xxxx.com" />

Related

'Access Denied' page Redirect are not working

My web project is based on Spring 3.2.5.RELEASE, JSF 2 and PrimeFaces 6. I'm using the @PreAuthorize annotation at class level in the service layer, as below:
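/**
 * Service-layer implementation of {@link PackageService}.
 *
 * <p>{@code @PreAuthorize} is declared on the class, so the expression
 * {@code hasAnyRole('befit')} guards every method invoked through the Spring
 * proxy. The check happens at call time, wherever the caller happens to be
 * in the request lifecycle.
 */
@Service("packageService")
@Transactional(readOnly = true)
@PreAuthorize("hasAnyRole('befit')")
public class PackageServiceImpl implements PackageService {
}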
At the JSF managed bean level, I don't have any @PreAuthorize. In the @PostConstruct method, I call a couple of methods from the service layer which require authorization.
At XHTML page, I use EL to get data from managed bean.
Security configuration as:
<sec:http auto-config="true" use-expressions="true">
<sec:access-denied-handler error-page="/access.xhtml"/>
<!-- Page level Spring Security : Intercept access to resources in /faces/** -->
<sec:intercept-url pattern="/faces/admin/*"
access="hasAnyRole('befit','admin')" />
<sec:intercept-url pattern="/faces/befit/*"
access="hasAnyRole('befit')" />
<sec:intercept-url pattern="/faces/online/*"
access="isAuthenticated()" />
The functionality works fine. If a user logs in with a 'lesser' role and tries to access pages that require 'higher' roles, I do see an 'Access Denied' exception from the @PostConstruct method, but it doesn't navigate to the access.xhtml page.
Note: I have tried using a bean to handle AccessDeniedException as
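/**
 * Sends a denied request to the access-denied page and leaves a message in
 * the session for that page to display.
 *
 * @param request the request that was denied
 * @param response the response used to issue the redirect
 * @param accessDeniedException the exception that triggered this handler
 * @throws IOException if the redirect cannot be written
 * @throws ServletException declared by the handler contract
 */
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
    // A redirect needs the status line and headers, which are gone once the
    // container has started flushing the body. Calling sendRedirect then
    // fails with "response has been committed". When the denial surfaces
    // that late (e.g. while a view is rendering) nothing can be sent here;
    // the authorization check has to run before rendering starts.
    if (response.isCommitted()) {
        return;
    }
    // Store the message before redirecting: sendRedirect commits the
    // response, and a session cannot be created after that point.
    request.getSession().setAttribute("message", "You are not authorized to access this resource.");
    response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + accessDeniedUrl));
}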
And I got the exception as below
cannot call sendredirect after the response has been committed servlet
Could you please advise what I am missing?
Note: Updated with StackTrace
Oct 12, 2016 4:50:00 PM com.sun.faces.application.view.FaceletViewHandlingStrategy handleRenderException
SEVERE: Error Rendering View[/faces/befit/corporate/corporate_manage.xhtml]
com.sun.faces.mgbean.ManagedBeanCreationException: An error occurred performing resource injection on managed bean corporateManageMBean
at com.sun.faces.mgbean.BeanBuilder.invokePostConstruct(BeanBuilder.java:227)
at com.sun.faces.mgbean.BeanBuilder.build(BeanBuilder.java:103)
at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:409)
at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:269)
at com.sun.faces.el.ManagedBeanELResolver.resolveBean(ManagedBeanELResolver.java:257)
at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:117)
at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:176)
at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:203)
at org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:71)
at org.apache.el.parser.AstValue.getValue(AstValue.java:161)
at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109)
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:194)
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:182)
at javax.faces.component.UIOutput.getValue(UIOutput.java:174)
at javax.faces.component.UIInput.getValue(UIInput.java:291)
at org.primefaces.util.ComponentUtils.getValueToRender(ComponentUtils.java:94)
at org.primefaces.util.ComponentUtils.getValueToRender(ComponentUtils.java:58)
at org.primefaces.component.inputtext.InputTextRenderer.encodeMarkup(InputTextRenderer.java:71)
at org.primefaces.component.inputtext.InputTextRenderer.encodeEnd(InputTextRenderer.java:52)
at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:920)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
at javax.faces.render.Renderer.encodeChildren(Renderer.java:176)
at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:890)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1856)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1859)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1859)
at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:458)
at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:134)
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:120)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:219)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:659)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1083)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:640)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:631)
at com.itservicesdepot.befit.master.service.impl.CorporateServiceImpl$$EnhancerByCGLIB$$64cca414.fetchAll(<generated>)
at com.itservicesdepot.befit.master.controller.managedBean.CorporateManageMBean.init(CorporateManageMBean.java:62)
... 90 more
Oct 12, 2016 4:50:00 PM com.sun.faces.context.ExceptionHandlerImpl throwIt
INFO: Exception when handling error trying to reset the response.
com.sun.faces.mgbean.ManagedBeanCreationException: An error occurred performing resource injection on managed bean corporateManageMBean
at com.sun.faces.mgbean.BeanBuilder.invokePostConstruct(BeanBuilder.java:227)
at com.sun.faces.mgbean.BeanBuilder.build(BeanBuilder.java:103)
at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:409)
at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:269)
at com.sun.faces.el.ManagedBeanELResolver.resolveBean(ManagedBeanELResolver.java:257)
at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:117)
at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:176)
at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:203)
at org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:71)
at org.apache.el.parser.AstValue.getValue(AstValue.java:161)
at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:109)
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:194)
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:182)
at javax.faces.component.UIOutput.getValue(UIOutput.java:174)
at javax.faces.component.UIInput.getValue(UIInput.java:291)
at org.primefaces.util.ComponentUtils.getValueToRender(ComponentUtils.java:94)
at org.primefaces.util.ComponentUtils.getValueToRender(ComponentUtils.java:58)
at org.primefaces.component.inputtext.InputTextRenderer.encodeMarkup(InputTextRenderer.java:71)
at org.primefaces.component.inputtext.InputTextRenderer.encodeEnd(InputTextRenderer.java:52)
at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:920)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1863)
at javax.faces.render.Renderer.encodeChildren(Renderer.java:176)
at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:890)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1856)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1859)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1859)
at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:458)
at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:134)
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:120)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:219)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:659)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1083)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:640)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.sun.faces.spi.InjectionProviderException
at com.sun.faces.vendor.WebContainerInjectionProvider.invokeAnnotatedMethod(WebContainerInjectionProvider.java:115)
at com.sun.faces.vendor.WebContainerInjectionProvider.invokePostConstruct(WebContainerInjectionProvider.java:95)
at com.sun.faces.mgbean.BeanBuilder.invokePostConstruct(BeanBuilder.java:221)
... 83 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.sun.faces.vendor.WebContainerInjectionProvider.invokeAnnotatedMethod(WebContainerInjectionProvider.java:113)
... 85 more
Caused by: org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:631)
at com.itservicesdepot.befit.master.service.impl.CorporateServiceImpl$$EnhancerByCGLIB$$64cca414.fetchAll(<generated>)
at com.itservicesdepot.befit.master.controller.managedBean.CorporateManageMBean.init(CorporateManageMBean.java:62)
... 90 more
Updated with Spring Security
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Enable method level Spring Security by annotations -->
<sec:global-method-security pre-post-annotations="enabled" />
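<sec:http auto-config="true" use-expressions="true">
    <sec:access-denied-handler ref="accessDeniedHandler"/>
    <!-- Page level Spring Security : Intercept access to resources in /faces/** -->
    <!-- Each role is its own quoted argument. hasAnyRole('a,b') passes ONE string, which only matches an authority literally named "a,b". -->
    <!-- NOTE(review): a single '*' in an Ant pattern does not cross '/'. The view in the stack trace on this page, /faces/befit/corporate/corporate_manage.xhtml, sits one level deeper than /faces/befit/*, so it appears to be guarded only by the @PreAuthorize checks in the service layer. Use '/**' if whole subtrees should be protected at URL level; confirm against the servlet mapping. -->
    <sec:intercept-url pattern="/faces/editor/*"
        access="hasAnyRole('editor','befit','admin')" />
    <sec:intercept-url pattern="/faces/admin/*"
        access="hasAnyRole('befit','admin')" />
    <sec:intercept-url pattern="/faces/befit/*"
        access="hasAnyRole('befit')" />
    <sec:intercept-url pattern="/faces/online/*"
        access="isAuthenticated()" />
    <!-- Page level Spring Security : Intercept access to resources in /WEB-INF/templates/** -->
    <sec:intercept-url pattern="/WEB-INF/templates/**"
        access="permitAll" />
    <!-- Page level Spring Security : Enable Primefaces -->
    <sec:intercept-url pattern="/javax.faces.resource/**"
        access="permitAll" />
    <!-- NOTE(review): there is no catch-all rule here, so any path not listed above is reachable without a URL-level check. -->
    <!-- Define login page for Spring Security -->
    <sec:form-login login-page="/login.xhtml" />
    <!-- Define logout properties for Spring Security -->
    <sec:logout invalidate-session="true" delete-cookies="true"
        logout-success-url="/landing.xhtml"></sec:logout>
</sec:http>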
<!-- Set customUserDetailsService class as the authentication Manager for
Spring Security -->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider
user-service-ref="authenticationServiceImpl">
<!-- NOTE(review): hash="plaintext" compares the submitted password with the stored value without any hashing, which implies the user store keeps passwords in the clear. Move to an adaptive one-way hash such as bcrypt and migrate the stored credentials. -->
<sec:password-encoder hash="plaintext"></sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Inject authentication Manager to masterSecurityBean -->
<bean id="loginMBean" name="loginMBean" class="com.itservicesdepot.befit.master.controller.managedBean.LoginMBean" scope="request">
<property name="authenticationManager" ref="authenticationManager"></property>
</bean>
<bean id="accessDeniedHandler" class="com.itservicesdepot.befit.master.controller.validator.MasterAccessDeniedHandler">
<property name="errorPage" value="/access.xhtml" />
</bean>
</beans>
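/**
 * Access-denied handler that writes a log line and then delegates to
 * {@code AccessDeniedHandlerImpl}.
 *
 * <p>The error page is injected through the inherited {@code errorPage}
 * property (set to {@code /access.xhtml} in the bean definition on this page).
 */
public class MasterAccessDeniedHandler extends org.springframework.security.web.access.AccessDeniedHandlerImpl {
    // One logger per class is enough; it carries no per-instance state.
    private static final Logger logger = LoggerFactory.getLogger(MasterAccessDeniedHandler.class);

    /**
     * Logs the denial and hands the request to the parent implementation.
     *
     * @param request the request that was denied
     * @param response the response the parent handler writes to
     * @param accessDeniedException the exception that triggered this handler
     * @throws IOException propagated from the parent handler
     * @throws ServletException propagated from the parent handler
     */
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // NOTE(review): the parent handler is expected to do nothing once the
        // response is already committed, so a denial raised while the view is
        // rendering will not reach the error page. Confirm against the
        // Spring Security version in use.
        logger.info("redirect ");
        super.handle(request, response, accessDeniedException);
    }
}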
Updated with CorporateManageMBean
// Initialisation hook of the managed bean. The annotation is printed as "#PostConstruct" on this page; in Java source it is @PostConstruct.
// Per the stack trace on this page, this method runs when an EL expression first resolves the bean while the view is being rendered.
// The listing is cut off before the method's closing brace.
#PostConstruct
public void init() {
// presumably the "id" request parameter; confirm in getParameterByName
String id = this.getParameterByName(AppConstant.ID);
if (StringUtils.isNotEmpty(id)) {
// Edit mode: load the existing record. Long.valueOf throws NumberFormatException for a non-numeric id and nothing here catches it.
this.corporate = this.corporateService.fetchById(Long.valueOf(id));
this.header = this.getResourceByName("corporate.profile.label.modify.header");
}
else {
// Add mode: start from an empty entity.
this.corporate = new CorporateEntity();
header = this.getResourceByName("corporate.profile.label.add.header");
}
// This call goes through the @PreAuthorize check on CorporateServiceImpl and throws AccessDeniedException for a user without the 'befit' role.
// Because it happens during rendering, the response may already be committed, so a redirect or forward to the access-denied page can no longer be issued.
this.corporates = this.corporateService.fetchAll();
this.packages = this.packageService.fetchAll();
The CorporateService as below
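/**
 * Service-layer implementation of {@link CorporateService}.
 *
 * <p>{@code @PreAuthorize} is declared on the class, so
 * {@code hasAnyRole('befit')} is evaluated for every method invoked through
 * the Spring proxy. A caller without that role gets an
 * {@code AccessDeniedException} at the moment of the call.
 */
@Service("corporateService")
@Transactional(readOnly = true)
@PreAuthorize("hasAnyRole('befit')")
public class CorporateServiceImpl implements CorporateService {
    /**
     * Returns all corporate entities from the DAO.
     *
     * @return the list produced by {@code corporateDAO.fetchAll()}
     */
    @Override
    public List<CorporateEntity> fetchAll() {
        // corporateDAO is declared outside this excerpt.
        return this.corporateDAO.fetchAll();
    }
}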
Updated with web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<welcome-file-list>
<welcome-file>landing.xhtml</welcome-file>
</welcome-file-list>
<!-- All parameters -->
<context-param>
<param-name>primefaces.THEME</param-name>
<param-value>ultima-indigo</param-value>
</context-param>
<context-param>
<param-name>primefaces.FONT_AWESOME</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/log4j.xml</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</context-param>
<!-- NOTE(review): facelets.DEVELOPMENT=true switches Facelets to development mode, whose
error pages are meant for developers and can show stack traces and view internals.
Set it to false for a deployed build. -->
<context-param>
<param-name>facelets.DEVELOPMENT</param-name>
<param-value>true</param-value>
</context-param>
<!-- All defined Listeners -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<!-- All defined Servlets -->
<!-- Spring MVC dispatcher. NOTE(review): its contextConfigLocation is the same
/WEB-INF/spring/root-context.xml that ContextLoaderListener already loads through the
context-param above, so every bean in that file is created twice, once per
application context. Give the servlet its own (possibly empty) configuration file. -->
<servlet>
<servlet-name>SpringMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/root-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Spring Security filter chain, applied to every URL. It runs for REQUEST and FORWARD
dispatches, so an internal forward (for instance to an access-denied page) is checked
again. NOTE(review): make sure the error page is reachable for a user who lacks the
required role. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!-- Mapping -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SpringMVC</servlet-name>
<url-pattern>*.action</url-pattern>
</servlet-mapping>
</web-app>
If I'm not mistaken, you have to use the 'ROLE_' prefix and uppercase characters for your role. The expression has to match the authority names that your user service actually grants, so check what it returns for the logged-in user.
If you just want to give access to one role, use
hasRole('ROLE_BEFIT').
If you want to give access to more than one, use
hasAnyRole('ROLE_BEFIT', 'ROLE_ADMIN').
See the section "Common Built-in Expressions" in the Spring Security manual.
Comment out <sec:access-denied-handler/> in the Spring Security configuration and add the following controller advice to handle AccessDeniedException and redirect to the access-denied page.
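/**
 * Controller advice that turns an {@code AccessDeniedException} into a redirect to the
 * access-denied page.
 *
 * <p>An {@code @ControllerAdvice} handler only sees exceptions raised while Spring MVC's
 * DispatcherServlet is handling a request. Denials raised in the security filter chain, or
 * in requests served by another servlet, do not reach it. The client receives a redirect
 * rather than a 403 status, so the denial is not visible as "forbidden" in access logs.
 */
@Component
@ControllerAdvice
public class ControllerBase {
    /**
     * Handles access-denied errors from controller methods.
     *
     * @return a redirect view for {@code access.xhtml}; the target has no leading slash,
     *     so it is presumably resolved relative to the current request path
     */
    @ExceptionHandler(value = AccessDeniedException.class)
    public ModelAndView accessDenied() {
        return new ModelAndView("redirect:access.xhtml");
    }
}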
In your configuration file declare a bean for your AccessDeniedHandler like this:
<http>
<access-denied-handler ref="accessDeniedHandler"/>
</http>
<beans:bean id="accessDeniedHandler" class="com.ia.security.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/access.xhtml"/>
</beans:bean>
and then do something like this with your AccessDeniedHandler:
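/**
 * Access-denied handler that records the denial and then lets Spring Security's stock
 * implementation produce the response.
 *
 * <p>The parent class forwards to the configured {@code errorPage} with a 403 status, or
 * sends a plain 403 error when no page is set. Denials are logged at WARN so that repeated
 * attempts stand out in the application log.
 */
public class AccessDeniedHandlerImpl extends org.springframework.security.web.access.AccessDeniedHandlerImpl {
    // SLF4J logger
    private static final Logger logger = LoggerFactory.getLogger(AccessDeniedHandlerImpl.class);

    /**
     * Logs the denial and delegates to the parent handler.
     *
     * @param request the request that was denied
     * @param response the response the parent writes the 403 or forward to
     * @param accessDeniedException the exception that triggered this handler
     * @throws IOException if the parent fails while writing the response
     * @throws ServletException if the parent fails while forwarding
     */
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // SLF4J's Logger has no log(String) method; a level method has to be used.
        logger.warn("AccessDeniedException triggered!");
        super.handle(request, response, accessDeniedException);
    }
}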
You are making a basic mistake here.
Use either Access Denied Handler inside XML to redirect to Access Denied Page or redirect from your AccessDeniedException handler. Don't use both.
Remove your AccessDeniedException handler and try then.
Redirection is already done by Access Denied Handler from XML and you are again trying to redirect, which is not possible.

Spring Security redirect to Login Page after successful authentication by giving access denied exception

Facing a strange problem: the application works fine over HTTP but redirects to the login page again once we add an SSL certificate:
Below is code snippet from spring-security.xml
<security:http auto-config="false" use-expressions="true" access-denied-page="/pages/denied.rs" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
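<!-- Login landing page: same role list as the catch-all rule below. The access value must be a complete hasAnyRole(...) call, including the closing parenthesis. -->
<security:intercept-url pattern="/pages/doLogin.rs" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')" />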
<security:intercept-url pattern="/**" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')"/>
<security:logout invalidate-session="true" logout-success-url="/pages/login.rs"/>
<security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="applicationRequestFilter" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="sas" invalid-session-url="/pages/sessiontimeout.rs"/>
</security:http>
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
<bean id="customAuthenticationSuccessHandler"
class="com.mycomapny.CustomAuthenticationSuccessHandler"
p:defaultTargetUrl="/pages/doLogin.rs" />
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/pages/login.rs" />
I have added SSL certificate in by JBOSS in standalone.xml as below:
<!-- JBoss web subsystem: a plain HTTP connector plus an HTTPS connector backed by a JKS
keystore. Both connectors are active; a session cookie marked Secure is sent by the
browser only over the https connector. -->
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
<!-- NOTE(review): protocol="TLSv1" pins the connector to TLS 1.0, which is deprecated;
allow TLS 1.2 or newer where the JVM and container support it. The keystore password
is written inline and the entry is named selfsigned, which suits a local test only;
keep the real password out of the configuration file on a deployed server. -->
<ssl name="selfsigned" password="password" certificate-key-file="D:\keystore.jks" protocol="TLSv1" verify-client="false"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="127.0.0.1"/>
<alias name="example.com"/>
</virtual-server>
<configuration>
<!-- NOTE(review): development="true" is a developer setting; turn it off for a deployed build. -->
<jsp-configuration development="true"/>
</configuration>
</subsystem>
When I try to access my application using an HTTPS URL like https://mydomain.com:8443/mywebapp/login.rs , it displays the user name and password page.
After I enter valid credentials, the request reaches the authentication manager, and before redirecting to the success handler URL /doLogin.rs it throws the exception below and redirects to the login page again:
15:31:57,674 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] () Checking match of request : '/pages/dologin.
rs'; against '/pages/dologin.rs'
15:31:57,675 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] () Secure object: FilterInvocat
ion: URL: /pages/doLogin.rs; Attributes: [hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')]
15:31:57,675 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] () Previously Authenticated: or
g.springframework.security.authentication.AnonymousAuthenticationToken#90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: tr
ue; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#2eb76: RemoteIpAddress: my machine ip address; SessionId: MdlIOjDwbSdN+e9r0-
6CEkxJ; Granted Authorities: ROLE_ANONYMOUS
15:31:57,690 DEBUG [org.springframework.security.access.vote.AffirmativeBased] () Voter: org.springframework.security.web.access
.expression.WebExpressionVoter#1d80d50, returned: -1
15:31:57,691 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of single
ton bean 'org.springframework.context.annotation.internalScheduledAnnotationProcessor'
15:31:57,692 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of single
ton bean 'org.springframework.scheduling.config.ContextLifecycleScheduledTaskRegistrar#0'
15:31:57,693 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of single
ton bean 'sessionRegistry'
15:31:57,693 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] () Access is denied (user is anonymous);
redirecting to authentication entry point: org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RE
LEASE]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) [spring-se
curity-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) [spring-security-web
-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-we
b-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.1.4
.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.1.4.RELE
ASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-secu
rity-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:5
4) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.1.4.
RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java
:183) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.1.4.RELEASE.jar:
3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125) [spring-security-web-3.1.4.RELE
ASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-securi
ty-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144) [spring-security-web-3.1
.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE
.jar:3.1.4.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.
RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69) [spring-security-config-3.1.4.RELEASE.j
ar:3.1.4.RELEASE]
at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58) [spring-security-config-3.1.4.RELEASE.jar:3.1.4.RELEASE
]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.2.3.RELEASE.jar:3.2.3.REL
EASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.
Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-re
dhat-1]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) [spring-web-3.2.3.RELEASE.jar:3.2.
3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.
Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-re
dhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1
]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1
]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final
-redhat-8]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final
-redhat-8]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat
-8.jar:7.2.0.Final-redhat-8]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.F
inal-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_13]
We are using cookie header in response as httpOnly;Secure
I tried to add requires-channel="https" but it didn't worked either.
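If you don't want this login form to appear, remove the following Maven dependency. Be aware that this takes Spring Security's auto-configuration out of the application, so nothing is protected by authentication or authorization afterwards; if you still need security, keep the dependency and configure it instead.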
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
Hope this helps someone.
The problem is resolved: I was manually setting the headers below in my response to address security findings, and that was what caused the access denied exception.
I removed the code below, set the headers at the Apache level instead, and it worked fine.
// Response headers the author set by hand and later removed (see the text above).
// Presumably request/resp are the servlet request and response of a filter or servlet.
// getSession(true) creates a session if none exists yet.
String sessionid = request.getSession(true).getId();
// NOTE(review): setHeader replaces any Set-Cookie value already on the response, so a
// session cookie written by the container or by Spring Security can be overwritten here.
// The hand-built cookie also has no Path attribute, so the browser may store it under a
// different path than the container's own JSESSIONID. Prefer the container's
// session-cookie settings for the Secure and HttpOnly flags.
resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
+ "; Secure; HttpOnly");
// A date in the past marks the response as already expired.
resp.setHeader("Expires", "Tue, 14 May 1985 00:00:00 GMT");
// NOTE(review): Date.toString() is not the HTTP date format; setDateHeader writes it correctly.
resp.setHeader("Last-Modified", new Date().toString());
// Disables caching; "no-store" is listed twice, and post-check/pre-check are
// Internet Explorer extensions.
resp.setHeader(
"Cache-Control",
"no-store, no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0");
resp.setHeader("Pragma", "no-cache");
// Framing is allowed only from the same origin (clickjacking defence).
resp.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
// HSTS: browsers honour this header only on responses received over HTTPS.
resp.addHeader("strict-transport-security", "max-age=631138519");
// Legacy browser XSS filter switch; it is no substitute for output encoding.
resp.addHeader("x-xss-protection", "1; mode=block");
This error occurs if you have added the logback-classic jar file to your lib.
Example:
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
If you have declared it, or a jar that depends on it, remove it to resolve "org.springframework.security.access.AccessDeniedException: Access is denied".

Getting "org.jasypt.exceptions.EncryptionOperationNotPossibleException" when trying to login

I'm using Jasypt 1.9.0, Spring 3.1.1.RELEASE, and Maven 3.0.3. When I enter a username and password on my login page and submit, I get the following error …
org.jasypt.exceptions.EncryptionOperationNotPossibleException
org.jasypt.digest.StandardByteDigester.matches(StandardByteDigester.java:1107)
org.jasypt.digest.StandardStringDigester.matches(StandardStringDigester.java:1052)
org.jasypt.util.password.ConfigurablePasswordEncryptor.checkPassword(ConfigurablePasswordEncryptor.java:252)
org.jasypt.spring.security3.PasswordEncoder.isPasswordValid(PasswordEncoder.java:207)
org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:64)
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:149)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:184)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:155)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
Here is the Spring security I have setup
<beans:bean id="bcProvider" class="org.bouncycastle.jce.provider.BouncyCastleProvider" />
<beans:bean id="jasyptPasswordEncryptor" class="org.jasypt.util.password.ConfigurablePasswordEncryptor">
<beans:property name="algorithm">
<beans:value>SHA-256</beans:value>
</beans:property>
<beans:property name="provider">
<beans:ref bean="bcProvider" />
</beans:property>
</beans:bean>
<!-- This Spring Security-friendly PasswordEncoder implementation will -->
<!-- wrap the PasswordEncryptor instance so that it can be used from -->
<!-- the security framework. -->
<beans:bean id="passwordEncoder" class="org.jasypt.spring.security3.PasswordEncoder">
<beans:property name="passwordEncryptor">
<beans:ref bean="jasyptPasswordEncryptor" />
</beans:property>
</beans:bean>
<authentication-manager alias="authenticationManager"
id="authenticationManager">
<authentication-provider user-service-ref="sbdUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
The Jasypt docs aren't very helpful and I don't know what else to check. Grateful for any help here. -
It's probably intentionally impossible to tell the cause of the error from the Jasypt library without debugging into it and finding the underlying exception. My guess would be you have an undigested password in the back end store (the most likely source of failures to compare digested passwords).

Spring Security remember-me services

I configured Spring Security with remember-me option.
<security:global-method-security secured-annotations="enabled" />
<security:http pattern="/login.html" security="none"/>
<security:http pattern="/signup.html" security="none"/>
<security:http pattern="/scripts/**" security="none"/>
<security:http pattern="/styles/**" security="none"/>
<security:http pattern="/images/**" security="none"/>
<security:http disable-url-rewriting="true" access-denied-page="/accessDenied.jsp">
<security:session-management>
<security:concurrency-control error-if-maximum-exceeded="false" max-sessions="10"/>
</security:session-management>
<security:form-login login-page="/login.html" login-processing-url="/login" authentication-failure-url="/login.html?login_error=1" default-target-url="/"/>
<security:intercept-url pattern='/**' access='ROLE_USER' />
<security:logout logout-url="/logout" logout-success-url="/"/>
<security:remember-me services-ref="rememberMeServices" />
</security:http>
and then the services itself:
<!-- Persistent-token remember-me services backed by the custom token repository. -->
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<property name="tokenRepository" ref="myTokenRepository" />
<property name="userDetailsService" ref="userDetailsService" />
<!-- Must match the key of the RememberMeAuthenticationProvider; a mismatch gives the
"does not contain the expected key" BadCredentialsException shown in the log below. -->
<property name="key" value="myRememberMeKey" />
<!-- alwaysRemember=true issues a remember-me cookie on every successful login, whether
or not the user asked for it; consider the effect on shared machines. -->
<property name="alwaysRemember" value="true" />
</bean>
<bean id="myTokenRepository" class="com.mytwitter.web.security.MyTokenRepository">
</bean>
I can see in my schema that tokens are inserted/updated/deleted in database. so this is not an issue.
but sign on fails:
2012-02-13 13:35:56,497 DEBUG [http-bio-8080-exec-5] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie detected - 2065616
2012-02-13 13:35:56,498 DEBUG [http-bio-8080-exec-5] org.springframework.data.mongodb.core.MongoTemplate - findOne using query: { "series" : "Ww2a8WsycNlGWxZRDubTnA=="} in db.collection: mytwitter.rememberMeTokens - 2065617
2012-02-13 13:35:56,500 DEBUG [http-bio-8080-exec-5] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.security.core.session.SessionRegistryImpl#0' - 2065619
2012-02-13 13:35:56,500 DEBUG [http-bio-8080-exec-5] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Refreshing persistent login token for user 'aaaa', series 'Ww2a8WsycNlGWxZRDubTnA==' - 2065619
2012-02-13 13:35:56,510 DEBUG [http-bio-8080-exec-5] org.springframework.data.mongodb.core.MongoTemplate - calling update using query: { "series" : "Ww2a8WsycNlGWxZRDubTnA=="} and update: { "$set" : { "tokenValue" : "u0m7/ze3DpDInv27+JuPdQ==" , "date" : { "$date" : "2012-02-13T11:35:56.500Z"}}} in collection: rememberMeTokens - 2065629
2012-02-13 13:35:56,511 DEBUG [http-bio-8080-exec-5] org.springframework.data.mongodb.core.MongoTemplate - findOne using query: { "nickname" : "aaaa"} in db.collection: mytwitter.users - 2065630
2012-02-13 13:35:56,512 DEBUG [http-bio-8080-exec-5] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie accepted - 2065631
2012-02-13 13:35:56,512 DEBUG [http-bio-8080-exec-5] org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.RememberMeAuthenticationProvider - 2065631
2012-02-13 13:35:56,513 DEBUG [http-bio-8080-exec-5] org.springframework.beans.factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.security.core.session.SessionRegistryImpl#0' - 2065632
2012-02-13 13:35:56,514 DEBUG [http-bio-8080-exec-5] org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter - SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: 'org.springframework.security.authentication.RememberMeAuthenticationToken#5195b417: Principal: com.mytwitter.web.security.AuthUser#15880543; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'; invalidating remember-me token - 2065633
org.springframework.security.authentication.BadCredentialsException: The presented RememberMeAuthenticationToken does not contain the expected key
at org.springframework.security.authentication.RememberMeAuthenticationProvider.authenticate(RememberMeAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:102)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)
2012-02-13 13:35:56,529 DEBUG [http-bio-8080-exec-5] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Interactive login attempt was unsuccessful. - 2065648
2012-02-13 13:35:56,529 DEBUG [http-bio-8080-exec-5] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Cancelling cookie - 2065648
Actually what I do see as weird is that in line 2012-02-13 13:35:56,514 which prints Authentication object, SessionId is null. What am I missing?
Problem solved.
I had to add the "key" attribute to the remember-me element as well:
<security:remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
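It has to be the same key as in the "rememberMeServices" bean; otherwise the authentication provider expects a different key and rejects the token, which is the "does not contain the expected key" error in the log above.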

Spring Security remember-me re login fails

I'm trying to build a remember-me feature based on the persistent token approach. My data source is MongoDB. To store the tokens in a collection I wrote my own PersistentTokenRepository, and that seems to be OK, but I can't log in when I reopen my browser. Storing the tokens in MongoDB shouldn't be the problem: all DB-layer functions work as expected.
My spring security configuration looks like this:
<!--
  Spring Security namespace configuration from the question: form login, HTTP Basic,
  logout and remember-me backed by PersistentTokenBasedRememberMeServices with a
  custom token repository (MyTokenRepository).
-->
<security:global-method-security secured-annotations="enabled" />
<!-- security="none" takes these two paths out of the Spring Security filter chain
     altogether, so no security filter runs on requests to them. -->
<security:http pattern="/login.html" security="none"/>
<security:http pattern="/signup.html" security="none"/>
<security:http auto-config="true" access-denied-page="/accessDenied.jsp">
<security:form-login login-page="/login.html" login-processing-url="/login" authentication-failure-url="/login.html?login_error=1" default-target-url="/"/>
<!-- NOTE(review): no requires-channel constraint is visible in this fragment. Form login,
     HTTP Basic and the remember-me cookie all carry credentials; confirm the application
     is only served over HTTPS. -->
<security:http-basic/>
<security:intercept-url pattern='/**' access='ROLE_USER' />
<security:logout logout-url="/logout" logout-success-url="/"/>
<!-- NOTE(review): this element has no key attribute, while the rememberMeServices bean
     below sets key "myRememberMeKey". The BadCredentialsException in the log ("does not
     contain the expected key") is consistent with the namespace-created
     RememberMeAuthenticationProvider holding a different key than the services bean.
     The fix reported for this setup is key="myRememberMeKey" on this element. -->
<security:remember-me services-ref="rememberMeServices"/>
</security:http>
<bean id="userPassAuthFilterBeanPostProcessor"
class="com.mytwitter.web.security.UserPassAuthFilterBeanPostProcessor">
<property name="usernameParameter" value="username" />
<property name="passwordParameter" value="password" />
</bean>
<bean id="LoginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login" />
</bean>
<!-- NOTE(review): this provider is given no password encoder, whereas the namespace
     provider further down uses md5. Which of the two actually checks passwords is not
     evident from this fragment; verify they cannot disagree. -->
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
<!-- NOTE(review): a second authentication manager ("authManager") is declared below via
     the namespace. Nothing visible here references this ProviderManager bean; confirm
     whether it is used at all. -->
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider" />
</list>
</property>
</bean>
<security:authentication-manager alias="authManager">
<security:authentication-provider user-service-ref="userDetailsService">
<!-- NOTE(review): MD5 with no salt source configured is a weak way to store passwords:
     it is fast to brute-force and identical passwords hash identically. An adaptive
     scheme such as bcrypt is preferable; switching requires re-hashing stored
     passwords, so plan a migration. -->
<security:password-encoder hash="md5"/>
</security:authentication-provider>
</security:authentication-manager>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<property name="tokenRepository" ref="myTokenRepository" />
<property name="userDetailsService" ref="userDetailsService" />
<!-- This key must match the key known to the RememberMeAuthenticationProvider. The value
     here is a readable sample; a deployed key should be hard to guess and kept out of
     shared configuration. -->
<property name="key" value="myRememberMeKey" />
<!-- alwaysRemember=true issues a remember-me cookie on every interactive login, whether
     or not the user asked for it; consider the effect on shared or public machines. -->
<property name="alwaysRemember" value="true" />
</bean>
<!-- Custom token store; per the question it keeps the series/token pairs in MongoDB. -->
<bean id="myTokenRepository" class="com.mytwitter.web.security.MyTokenRepository">
</bean>
When I log in correctly, my token is inserted into the database; I can see it clearly.
After I close the browser and try to log in again, authentication fails.
There is no problem with MongoDB; all queries execute successfully.
When I turn on debugging I see the following behavior:
2012-02-05 00:33:54,374 DEBUG [http-bio-8080-exec-7] org.springframework.security.web.FilterChainProxy - /index.jsp at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter' - 287265
2012-02-05 00:33:59,801 DEBUG [http-bio-8080-exec-7] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie detected - 292692
getting Token
2012-02-05 00:34:04,829 DEBUG [http-bio-8080-exec-7] org.springframework.data.mongodb.core.MongoTemplate - findOne using query: { "series" : "qhvYe8ZsDX+72ZbeNxSGzQ=="} in db.collection: xxx.rememberMeTokens - 297720
2012-02-05 00:34:21,471 DEBUG [http-bio-8080-exec-7] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Refreshing persistent login token for user 'aaaa', series 'qhvYe8ZsDX+72ZbeNxSGzQ==' - 314362
Updating Token
2012-02-05 00:34:23,043 DEBUG [http-bio-8080-exec-7] org.springframework.data.mongodb.core.MongoTemplate - calling update using query: { "series" : "qhvYe8ZsDX+72ZbeNxSGzQ=="} and update: { "$set" : { "token" : "LVBRYo/vjEARdm262UA07g==" , "last_used" : { "$date" : "2012-02-04T22:34:22.333Z"}}} in collection: persistentRememberMeToken - 315934
2012-02-05 00:34:26,427 DEBUG [http-bio-8080-exec-7] org.springframework.data.mongodb.core.MongoTemplate - findOne using query: { "nickname" : "aaaa"} in db.collection: xxxx.users - 319318
2012-02-05 00:34:45,623 DEBUG [http-bio-8080-exec-7] org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices - Remember-me cookie accepted - 338514
2012-02-05 00:36:24,438 DEBUG [http-bio-8080-exec-7] org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.RememberMeAuthenticationProvider - 437329
2012-02-05 00:36:45,543 DEBUG [http-bio-8080-exec-7] org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter - SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: 'org.springframework.security.authentication.RememberMeAuthenticationToken#7609e07a: Principal: com.mytwitter.web.security.AuthUser#3214512e; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'; invalidating remember-me token - 458434
org.springframework.security.authentication.BadCredentialsException: The presented RememberMeAuthenticationToken does not contain the expected key
at org.springframework.security.authentication.RememberMeAuthenticationProvider.authenticate(RememberMeAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:102)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)
What am I missing?
Today, after I rebooted my laptop and started Tomcat and Eclipse, it works and no error occurs. I'm quite confused by this behavior, but God gave me the courage to accept things that I can't understand. I believe it has something to do with old cookies for this site: now that all of them have expired, it works fine.
