Develop Reference

Spring security: Can not access target page after entering proper credentials

I am trying to create a basic Spring Security (3.0) application following the common tutorials from internet. However, even after entering configured credentials, login page is opening again. The debug logs show that the user is being authenticated as anonymous user. Please let me know what I am missing.
Here's my web.xml:-
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>Spring Security Example</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
My spring-security.xml:-
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http >
<intercept-url pattern="/app/*"
access="ROLE_USER" />
<form-login login-page="/app/login/"
default-target-url="/app/home/"
authentication-failure-url="/app/login?error=true" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="sumit" password="1234"
authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
My login.jsp:-
<%# page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html>
<%#taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<html>
<head>
<meta charset="ISO-8859-1">
<title>Login</title>
</head>
<body>
<h2>Login page</h2>
<form:form method="POST" action="../home" commandName="user">
Username: <form:input path="username" />
<br>
Password: <form:input path="password" />
<br>
<input type="submit" value="Login">
</form:form>
</body>
</html>
My Controller:-
package com.test.basicspring.controller;
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.test.model.UserModel;
#Controller
#RequestMapping(value = "/app")
public class HelloWorldController {
private Logger logger = Logger.getLogger(HelloWorldController.class);
#RequestMapping(method = RequestMethod.GET, value = "/hello")
public void SayHello(HttpServletResponse response) {
System.out.println("Hello World");
logger.info("Logging Hello World");
try {
response.getWriter().write("Request completed");
} catch (IOException e) {
e.printStackTrace();
}
}
#RequestMapping(method = RequestMethod.GET, value = "/login")
public String login(Model modelMap) {
System.out.println("In login method");
modelMap.addAttribute("user", new UserModel());
return "login";
}
#RequestMapping(method = RequestMethod.POST, value = "/home")
public String home() {
System.out.println("Login successful");
return "";
}
}
Debug logs after submitting login credentials:-
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/app/home'; to: '/app/home'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - Candidate is: '/app/home'; pattern is /**; matched=true
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 1 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter#26f6ad34'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#4f884b44. A new one will be created.
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 2 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#7d0a1070'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 3 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter#542dcf66'
DEBUG 2020-01-18 10:51:36,856 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/springSecurityExample/app/hello; arg2=/springSecurityExample/app/home (property not equals)
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 4 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter#6d55a0ba'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 5 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter#6ec0b31f'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#6fabe8e0: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F09C61DDA9D42B649B89CD650863A289; Granted Authorities: ROLE_ANONYMOUS'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 6 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter#1f29202'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 7 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter#77240701'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.FilterChainProxy - /app/home at position 8 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#72e500b4'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/app/home'; to: '/app/home'
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/app/home'; pattern is /app/*; matched=true
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /app/home; Attributes: [ROLE_USER]
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6fabe8e0: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F09C61DDA9D42B649B89CD650863A289; Granted Authorities: ROLE_ANONYMOUS
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter#4bb7d66d, returned: -1
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter#eb5417f, returned: 0
TRACE 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /app/home]
DEBUG 2020-01-18 10:51:36,857 [http-nio-8080-exec-6] org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

I was able to make above code work by specifying action attribute and login-processing-url both to '/login'. With this configuration, spring activates inbuilt filter for username and password validation. Then, it goes to endpoint specified by default-target-url.

Getting 404 after oauth2 authentication success and an anonymous token

I am using oauth2 with springboot 1.5.6.RELEASE and I am using jdbc authentication with oauth2.
I added the property: security.oauth2.resource.filter-order = 3
1- AuthorizationServerConfigurerAdapter:
#Configuration
#EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
#Autowired
#Qualifier("authenticationManagerBean")
#Lazy
private AuthenticationManager authenticationManager;
#Autowired
private Environment env;
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager);
endpoints.authenticationManager(authenticationManager);
}
#Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource());
}
#Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
#Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource());
}
#Bean
public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName(env.getProperty("spring.datasource.driver-class-name"));
dataSource.setUrl(env.getProperty("spring.datasource.url"));
dataSource.setUsername(env.getProperty("spring.datasource.username"));
dataSource.setPassword(env.getProperty("spring.datasource.password"));
return dataSource;
}
}
2- ResourceServerConfigurerAdapter
#EnableResourceServer
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/ws/**").authorizeRequests().anyRequest().authenticated();
}
}
3- SecurityConfig
#Configuration
#EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private UserDetailsService userDetailsService;
#Autowired
private CustomAuthenticationSuccessHandler successHandler;
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests()
.antMatchers("/", "/registerCompany", "/registerEmployee", "/jobs", "/returnPassword", "/resetPassword",
"/faces/public/**", "/resources/**", "/template/**", "/faces/fonts/*",
"/faces/javax.faces.resource/**", "/ws/**", "/login", "/oauth/**", "/error")
.permitAll().antMatchers("/admin/**", "/faces/admin/**").hasAuthority("ROLE_ADMIN")
.antMatchers("/employeeProfile", "/employeeMainPage", "/employeeAskJob").hasAuthority("ROLE_EMPLOYEE")
.antMatchers("/companyProfile", "/companyMainPage", "/companyPostJob", "/companySearch",
"/branchProfile")
.hasAnyAuthority("ROLE_COMPANY,ROLE_BRANCH,ROLE_ADMIN").anyRequest().fullyAuthenticated().and()
.formLogin().loginPage("/login").permitAll().successHandler(successHandler).failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password").and().logout().deleteCookies("JSESSIONID")
.logoutUrl("/logout").deleteCookies("remember-me").logoutSuccessUrl("/").permitAll().and().rememberMe();
// http.sessionManagement().invalidSessionUrl("/login?invalidSession");
// cache resources
http.headers().addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
new AntPathRequestMatcher("/javax.faces.resource/**"), new HeaderWriter() {
#Override
public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
response.addHeader("Cache-Control", "private, max-age=86400");
}
})).defaultsDisabled();
}
#Override
#Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
#Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(11);
}
}
I am trying to generate a token using postman with a post request to url http://localhost:8082/dawam2/oauth/token?grant_type=password
and I use basic authentication and set the username=myclient_id and password=myclient_secret. So the header (Authorization : Basic Basic bXljbGllbnRfaWQ6bXljbGllbnRfc2VjcmV0) was generated
and I set the header Content-Type: application/x-www-form-urlencoded; charset=utf-8.
The response I am getting instead of a generated token :
!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Not Found</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.0.M18</h3></body></html>
Here are the debugging info:
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - matched
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#1d47c7a
2017-09-26 15:32:16,833 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-09-26 15:32:16,833 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/logout'
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'POST /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'PUT /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /oauth/token' doesn't match 'DELETE /logout
2017-09-26 15:32:16,834 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,834 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-09-26 15:32:16,834 DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'myclient_id'
2017-09-26 15:32:16,834 DEBUG o.s.s.a.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2017-09-26 15:32:16,849 DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy#15d6aaa
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-09-26 15:32:16,850 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/oauth/token'; against '/oauth/token'
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /oauth/token?grant_type=password; Attributes: [fullyAuthenticated]
2017-09-26 15:32:16,850 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#d9cf8114: Principal: org.springframework.security.core.userdetails.User#6a9879e3: Username: myclient_id; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EMPLOYEE; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_EMPLOYEE
2017-09-26 15:32:16,851 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#14cb584, returned: 1
2017-09-26 15:32:16,851 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
2017-09-26 15:32:16,851 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2017-09-26 15:32:16,851 DEBUG o.s.security.web.FilterChainProxy - /oauth/token?grant_type=password reached end of additional filter chain; proceeding with original chain
2017-09-26 15:32:16,853 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2017-09-26 15:32:16,853 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/token'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/token_key']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/token_key'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/oauth/check_token']
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/oauth/check_token'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
2017-09-26 15:32:16,854 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-09-26 15:32:16,854 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/logout'
2017-09-26 15:32:16,854 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'PUT /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'DELETE /logout
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /login
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken#9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-09-26 15:32:16,855 DEBUG o.s.security.web.FilterChainProxy - /error?grant_type=password reached end of additional filter chain; proceeding with original chain
2017-09-26 15:32:16,856 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-09-26 15:32:16,856 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2017-09-26 15:32:16,856 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
How can I fix this issue?

The issue was related to Jersey configuration, it was stealing requests from oauth2, i had to reconfigure it with #ApplicationPath("/ws")
so the configuration now looks like :
#Configuration
#ApplicationPath("/ws")
public class JerseyConfig extends ResourceConfig {
public JerseyConfig() {
register(DawamService.class);
}
}
and my webservice implementation class like :
#Component
#Path("/dawam")
public class DawamService extends DawamServiceBase {
#GET
#Produces({ MediaType.TEXT_HTML })
#Path("/test")
public String getHTML() {
System.out.println("##### Welcome to test webservice #########");
return "Welcome to test webservice";
}
}

I have the same problem and I can fixed it.
In my case the reason was in the following:
My servlet-mapping for dispather servlet in web.xml
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
It means the all http requests for access to your resources should be started with '/api' (ex. /api/user/2 or /api/login) even if #RequestMapping points as '/user/{id}' or /login. When you request a token by oauth2/token URL, spring or other filters handle it, but dispatcherServlet could not find any controller corresponding to your request and we have 404 error.
To resolve this, I just added the one method to endpoints in AuthorizationServerConfiguration class.
#Configuration
#EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter
...
#Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore)
.prefix("/api") //<---- PREFIX WAS ADDED
.userApprovalHandler(userApprovalHandler)
.authenticationManager(authenticationManager);
}
...
}
I think the
.pathMapping("/oauth/token", "/api/oauth/token")
code instead of .prefix("/api") also can resolve the problem.
It changes request for getting the tokens.
After made change I get the tokens by URL
/api/oauth/token
Of course I can mistake but it works for me. Thanks.

An Authentication object was not found in the SecurityContext (Spring 2.5.2)

I'm using Spring 2.5.2 and same version of spring security.
Issue is, I login through the application and clears my browser cookies and refreshes the page application is redirected to the login page but at the back it throws following exception
DEBUG ExceptionTranslationFilter - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:52)
at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
Continue till at java.lang.Thread.run(Unknown Source)
After this exception application is redirected to the login page & after entering the login credentials
I have to click my login button twice to enter into the application.
After the first click console shows
DEBUG CptLogger - com.capgent.cpt.server.services.auth.LoginAuthenticationProvider Method invoked : additionalAuthenticationChecks isAuthenticated ? :false
DEBUG XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext#1d0d124]: org.springframework.security.event.authentication.AuthenticationSuccessEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN]
DEBUG AuthenticationProcessingFilter - Authentication success: org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN
DEBUG AuthenticationProcessingFilter - Updated SecurityContextHolder to contain the following Authentication: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG SessionUtils - Invalidating session with Id '6693D3BCE880D6339D9D149F44637952' and migrating attributes.
DEBUG SessionUtils - Started new session: E772A0D1441C079B2ACD3698F68AF63C
DEBUG AuthenticationProcessingFilter - Redirecting to target URL from HTTP Session (or default): http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp
DEBUG omTokenBasedRemembermeServices - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
DEBUG omTokenBasedRemembermeServices - Remember-me login not requested.
DEBUG XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext#1d0d124]: org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN]
DEBUG essionContextIntegrationFilter - SecurityContext stored to HttpSession: 'org.springframework.security.context.SecurityContextImpl#862413dc: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG essionContextIntegrationFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG RequestContextFilter - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade#1d03700
DEBUG nsactionSynchronizationManager - Removed value [org.springframework.orm.hibernate3.SessionHolder#1c9dea3] for key [org.hibernate.impl.SessionFactoryImpl#42c282] from thread [http-8090-Processor25]
DEBUG OpenSessionInViewFilter - Closing single Hibernate Session in OpenSessionInViewFilter
DEBUG SessionFactoryUtils - Closing Hibernate Session
DEBUG ConnectionManager - releasing JDBC connection [ (open PreparedStatements: 0, globally: 0) (open ResultSets: 0, globally: 0)]
DEBUG ConnectionManager - transaction completed on session with on_close connection release mode; be sure to close the session to release JDBC resources!
DEBUG OpenSessionInViewFilter - Using SessionFactory 'cptSessionFactory' for OpenSessionInViewFilter
DEBUG DefaultListableBeanFactory - Returning cached instance of singleton bean 'cptSessionFactory'
DEBUG OpenSessionInViewFilter - Opening single Hibernate Session in OpenSessionInViewFilter
DEBUG SessionFactoryUtils - Opening Hibernate Session
DEBUG SessionImpl - opened session at timestamp: 13938439638
DEBUG nsactionSynchronizationManager - Bound value [org.springframework.orm.hibernate3.SessionHolder#862557] for key [org.hibernate.impl.SessionFactoryImpl#42c282] to thread [http-8090-Processor25]
DEBUG RequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade#1d03700
DEBUG FilterChainProxy - Converted URL to lowercase, from: '/com.capgent.cpt.main/main.jsp'; to: '/com.capgent.cpt.main/main.jsp'
DEBUG FilterChainProxy - Candidate is: '/com.capgent.cpt.main/main.jsp'; pattern is /ssoerror.html*; matched=false
DEBUG FilterChainProxy - Converted URL to lowercase, from: '/com.capgent.cpt.main/main.jsp'; to: '/com.capgent.cpt.main/main.jsp'
DEBUG FilterChainProxy - Candidate is: '/com.capgent.cpt.main/main.jsp'; pattern is /; matched=true
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
DEBUG essionContextIntegrationFilter - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder: 'org.springframework.security.context.SecurityContextImpl#862413dc: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 2 of 10 in additional filter chain; firing Filter: 'com.capgent.cpt.server.services.auth.CantrexSsoProcessingFilter[ order=600; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 3 of 10 in additional filter chain; firing Filter: 'com.capgent.cpt.server.services.auth.DnbiSsoProcessingFilter[ order=600; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 4 of 10 in additional filter chain; firing Filter: 'com.capgent.cpt.server.services.auth.OpenIdAuthenticationProcessingFilter[ order=800; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
DEBUG SavedRequest - pathInfo: both null (property equals)
DEBUG SavedRequest - queryString: both null (property equals)
DEBUG SavedRequest - requestURI: arg1=/resources/com.capgent.cpt.Main/Main.jsp; arg2=/resources/com.capgent.cpt.Main/Main.jsp (property equals)
DEBUG SavedRequest - serverPort: arg1=8090; arg2=8090 (property equals)
DEBUG SavedRequest - requestURL: arg1=http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp; arg2=http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp (property equals)
DEBUG SavedRequest - scheme: arg1=http; arg2=http (property equals)
DEBUG SavedRequest - serverName: arg1=localhost; arg2=localhost (property equals)
DEBUG SavedRequest - contextPath: arg1=/resources; arg2=/resources (property equals)
DEBUG SavedRequest - servletPath: arg1=/com.capgent.cpt.Main/Main.jsp; arg2=/com.capgent.cpt.Main/Main.jsp (property equals)
DEBUG SavedRequestAwareWrapper - Wrapper replaced; SavedRequest was: SavedRequest[http://localhost:8090/resources/com.capgent.cpt.Main/Main.jsp]
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
DEBUG RememberMeProcessingFilter - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor#11ca33b'
DEBUG lterInvocationDefinitionSource - Converted URL to lowercase, from: '/com.capgent.cpt.main/main.jsp'; to: '/com.capgent.cpt.main/main.jsp'
DEBUG lterInvocationDefinitionSource - Candidate is: '/com.capgent.cpt.main/main.jsp'; pattern is //*main.jsp; matched=true
DEBUG AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /com.capgent.cpt.Main/Main.jsp; ConfigAttributes: [ROLE_ADMIN]
DEBUG AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken#862413dc: Principal: com.capgent.cpt.server.services.auth.UserDetailsContainer#bc1ebd; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails#0: RemoteIpAddress: 127.0.0.1; SessionId: 6693D3BCE880D6339D9D149F44637952; Granted Authorities: ROLE_ADMIN
DEBUG AbstractSecurityInterceptor - Authorization successful
DEBUG XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext#1d0d124]: org.springframework.security.event.authorization.AuthorizedEvent[source=FilterInvocation: URL: /com.capgent.cpt.Main/Main.jsp]
DEBUG AbstractSecurityInterceptor - RunAsManager did not change Authentication object
DEBUG FilterChainProxy - /com.capgent.cpt.Main/Main.jsp reached end of additional filter chain; proceeding with original chain
DEBUG JspServlet - JspEngine --> /com.capgent.cpt.Main/Main.jsp
DEBUG JspServlet - ServletPath: /com.capgent.cpt.Main/Main.jsp
DEBUG JspServlet - PathInfo: null
DEBUG JspServlet - RealPath: D:\springworkspace.metadata.plugins\org.eclipse.wst.server.core\tmp3\wtpwebapps\capgentspring\com.capgent.cpt.Main\Main.jsp
DEBUG JspServlet - RequestURI: /resources/com.capgent.cpt.Main/Main.jsp
DEBUG JspServlet - QueryString: null

"Issue is, I login through the application and clears my browser cookies and refreshes the page application is redirected to the login page"
Yes.It is the Normal behavior. Because a new session will be started from there since the old session was invalidated/closed.
"but at the back it throws following exception"
Yes.It will, because it tries to revalidate the user info/session when you refresh the page.Since you have already cleared the cookies, it will fail.

Setting the <form-login login-page="/Login.jsp" authentication-failure-url="/LoginHandler.jsp" always-use-default-target="true" default-target-url="/LoginHandler.jsp"/>
has solved my issue earlier the value was alway-use-default-target="false"

Spring Security JavaConfig with HTTP Basic and JSR-250: 403 Forbidden

How the Configuration should look like when using #RolesAllowed Annotation?
I don't need any auth at my webpage as there's no login or anything else. Only the admin panel should have an http basic auth.
This is my current code:
public class WebAppInitializer extends AbstractSecurityWebApplicationInitializer {
#Override
public void beforeSpringSecurityFilterChain(ServletContext servletContext) {
AnnotationConfigWebApplicationContext rootContext = new AnnotationConfigWebApplicationContext();
rootContext.getEnvironment().setDefaultProfiles("production");
rootContext.scan("com.xxx.config");
container.addListener(new ContextLoaderListener(rootContext));
ServletRegistration.Dynamic servlet = container.addServlet("DispatcherServlet", DispatcherServlet.class);
servlet.setInitParameter("contextConfigLocation", "");
servlet.setLoadOnStartup(1);
servlet.addMapping("/");
FilterRegistration charEncodingfilterReg = container.addFilter("CharacterEncodingFilter", CharacterEncodingFilter.class);
charEncodingfilterReg.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");
charEncodingfilterReg.setInitParameter("encoding", "UTF-8");
charEncodingfilterReg.setInitParameter("forceEncoding", "true");
}
}
#Controller
#RequestMapping("admin")
#RolesAllowed("admin")
public class AdminController {
// ...
}
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
private Environment env;
private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
#Bean
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().realmName(env.getProperty("adminRealm"));
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
// Output: DEBUG SecurityConfig - Register credentials for roles user, admin: admin:admin
log.debug("Register credentials for roles user, admin: " + env.getProperty("adminUsername") + ":" + env.getProperty("adminPassword"));
auth.inMemoryAuthentication().withUser(env.getProperty("adminUsername")).password(env.getProperty("adminPassword")).roles("user", "admin");
}
}
But after the login with the correct credentials I'm just getting a HTTP 403.
Log while requesting the admin panel:
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/webjars/fancybox/jquery.fancybox.css reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG DispatcherServlet - Taking snapshot of request attributes before include
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/webjars/fancybox/jquery.fancybox.css
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/webjars/fancybox/jquery.fancybox.css] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/webjars/fancybox/jquery.fancybox.css] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/webjars/fancybox/jquery.fancybox.css] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/webjars/fancybox/jquery.fancybox.css] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [webjars/fancybox/jquery.fancybox.css] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG ResourceHttpRequestHandler - Determined media type 'text/css' for ServletContext resource [/resources/webjars/fancybox/jquery.fancybox.css]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Restoring snapshot of request attributes after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.introspectTypeLevelMapping] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.FLASH_MAP_MANAGER] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.CONTEXT] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.pathWithinHandlerMapping] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.OUTPUT_FLASH_MAP] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.HandlerMapping.bestMatchingPattern] after include
DEBUG DispatcherServlet - Removing attribute [org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER] after include
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Skipping processor: ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG BenchmarkProcessorDecorator - StopWatch '': running time (millis) = 0
-----------------------------------------
ms % Task name
-----------------------------------------
00000 � Using ro.isdc.wro.extensions.processor.css.LessCssProcessor#2377a016
DEBUG ProcessorDecorator - Applying processor: ro.isdc.wro.model.resource.processor.impl.css.CssUrlRewritingProcessor#76ec1185
...much wro4j stuff...
DEBUG BenchmarkProcessorDecorator - StopWatch '': running time (millis) = 2770
-----------------------------------------
ms % Task name
-----------------------------------------
02770 100% Using ro.isdc.wro.model.resource.processor.impl.css.JawrCssMinifierProcessor#2c8e5aa6
DEBUG DefaultSynchronizedCacheStrategyDecorator - found content: .clearfix{*zoom:1}.clearfix...
DEBUG DefaultSynchronizedCacheStrategyDecorator - Content to fingerprint: [.clearfix{*zoom:1}.clearfix...]
DEBUG AbstractDigesterHashStrategy - SHA1HashStrategy hash: 51eda04c354d73243fa387841c9d888bbeb4a201
DEBUG DefaultSynchronizedCacheStrategyDecorator - computed entry: hash: 51eda04c354d73243fa387841c9d888bbeb4a201
DEBUG ResourceBundleProcessor - ETag hash detected: "51eda04c354d73243fa387841c9d888bbeb4a201". Sending 304 status code
DEBUG WroFilter - Disable Cache is true. Destroying model...
DEBUG DefaultWroModelFactoryDecorator - Destroy model
DEBUG DefaultResourceAuthorizationManager - clear.
DEBUG DefaultResourceAuthorizationManager - clear.
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG FilterChainProxy - /resources/img/logo.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/logo.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/img/logo.png at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/img/logo.png'; against '/logout'
DEBUG FilterChainProxy - /resources/img/logo.png at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/logo.png at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/img/logo.png at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/img/logo.png reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/img/logo.png]
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/img/logo.png
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/img/logo.png]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/img/logo.png] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/img/logo.png] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/img/logo.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/img/logo.png] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [img/logo.png] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/img/logo.png]
DEBUG ResourceHttpRequestHandler - Determined media type 'image/png' for ServletContext resource [/resources/img/logo.png]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG FilterChainProxy - /resources/img/eagle.png at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/img/eagle.png at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/img/eagle.png'; against '/logout'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG FilterChainProxy - /resources/img/eagle.png reached end of additional filter chain; proceeding with original chain
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/img/eagle.png]
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/img/eagle.png
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#80a4fdc5: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher#51879f03
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG AntPathRequestMatcher - Checking match of request : '/resources/webjars/font/fontawesome-webfont.woff'; against '/logout'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 6 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/img/eagle.png]
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 9 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/img/eagle.png] are [/resources/**]
DEBUG AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#80a4fdc5: Principal: org.springframework.security.core.userdetails.User#586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_admin,ROLE_user; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#12afc: RemoteIpAddress: 127.0.0.1; SessionId: 5973DDB69FFF44B3B9AD6077DFD7B1ED; Granted Authorities: ROLE_admin, ROLE_user'
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/img/eagle.png] are {}
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 10 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/img/eagle.png] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 at position 11 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG DispatcherServlet - Last-Modified value for [/resources/img/eagle.png] is: -1
DEBUG FilterChainProxy - /resources/webjars/font/fontawesome-webfont.woff?v=3.2.1 reached end of additional filter chain; proceeding with original chain
DEBUG ResourceHttpRequestHandler - Trying relative path [img/eagle.png] against base location: ServletContext resource [/resources/**]
DEBUG DispatcherServlet - DispatcherServlet with name 'DispatcherServlet' processing GET request for [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/img/eagle.png]
DEBUG ResourceHttpRequestHandler - Determined media type 'image/png' for ServletContext resource [/resources/img/eagle.png]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG RequestMappingHandlerMapping - Looking up handler method for path /resources/webjars/font/fontawesome-webfont.woff
DEBUG RequestMappingHandlerMapping - Did not find handler method for [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG SimpleUrlHandlerMapping - Matching patterns for request [/resources/webjars/font/fontawesome-webfont.woff] are [/resources/**]
DEBUG SimpleUrlHandlerMapping - URI Template variables for request [/resources/webjars/font/fontawesome-webfont.woff] are {}
DEBUG SimpleUrlHandlerMapping - Mapping [/resources/webjars/font/fontawesome-webfont.woff] to HandlerExecutionChain with handler [org.springframework.web.servlet.resource.ResourceHttpRequestHandler#2f096210] and 1 interceptor
DEBUG DispatcherServlet - Last-Modified value for [/resources/webjars/font/fontawesome-webfont.woff] is: -1
DEBUG ResourceHttpRequestHandler - Trying relative path [webjars/font/fontawesome-webfont.woff] against base location: ServletContext resource [/resources/**]
DEBUG ResourceHttpRequestHandler - Found matching resource: ServletContext resource [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG ResourceHttpRequestHandler - Determined media type 'application/x-font-woff' for ServletContext resource [/resources/webjars/font/fontawesome-webfont.woff]
DEBUG DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'DispatcherServlet': assuming HandlerAdapter completed request handling
DEBUG DispatcherServlet - Successfully completed request
DEBUG ExceptionTranslationFilter - Chain processed normally
DEBUG SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Permissions:
$ cd ~/workspace/xxxxx/target/classes && ls -l . && ls -l META-INF && ls -l META-INF/services && ls -l properties && ls -l properties/common && ls -l properties/development
insgesamt 76
drwxrwxr-x 4 danny danny 4096 Nov 12 17:57 com
-rw-rw-r-- 1 danny danny 19074 Nov 12 17:57 import.sql
-rw-rw-r-- 1 danny danny 519 Nov 14 22:16 logback.xml
drwxrwxr-x 3 danny danny 4096 Nov 12 17:57 META-INF
drwxrwxr-x 5 danny danny 4096 Nov 12 17:57 properties
-rw-rw-r-- 1 danny danny 2215 Nov 12 17:57 tiles.xml
-rw-rw-r-- 1 danny danny 2444 Nov 12 17:57 wro.xml
insgesamt 4
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 services
insgesamt 24
-rw-rw-r-- 1 danny danny 34 Nov 12 17:57 javax.servlet.ServletContainerInitializer
-rw-rw-r-- 1 danny danny 57 Nov 12 17:57 ro.isdc.wro.model.spi.ModelFactoryProvider
insgesamt 12
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 common
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 development
drwxrwxr-x 2 danny danny 4096 Nov 12 17:57 production
insgesamt 48
-rw-rw-r-- 1 danny danny 737 Nov 12 17:57 application.properties
-rw-rw-r-- 1 danny danny 57 Nov 12 17:57 hibernate.properties
-rw-rw-r-- 1 danny danny 88 Nov 12 17:57 jdbc.properties
-rw-rw-r-- 1 danny danny 125 Nov 12 17:57 wro.properties
insgesamt 48
-rw-rw-r-- 1 danny danny 142 Nov 12 17:57 application.properties
-rw-rw-r-- 1 danny danny 53 Nov 12 17:57 hibernate.properties
-rw-rw-r-- 1 danny danny 35 Nov 12 17:57 jdbc.properties
-rw-rw-r-- 1 danny danny 17 Nov 12 17:57 wro.properties

As you are using the default authentication manager your rolenames must be prefixed with "ROLE_" to be matched.

Spring doesn't Reject Protected Url access

I have implemented spring security it was working fine but suddenly it stopped working.
Now when I try to access a protected url it doesn't reject, it allows me to open url.
when I try to login with valid user it does call loginSuccessHandler but doesn't redirect to secure/applications.html page.
Sorry it is bit lengthy detail, I am really stuck :(.
Spring Logging
20:41:04,555 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - Checking match of request : '/j_spring_security_check'; against '/resources/**'
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
20:41:04,556 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No HttpSession currently exists
20:41:04,556 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: null. A new one will be created.
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
20:41:04,556 DEBUG [org.springframework.security.web.FilterChainProxy] - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
20:41:04,556 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - Request is to process authentication
20:41:04,557 DEBUG [org.springframework.security.authentication.ProviderManager] - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
Hibernate: select this_.id as id1_12_1_, this_.date as date2_12_1_, this_.email as email3_12_1_, this_.firstName as firstNam4_12_1_, this_.lastName as lastName5_12_1_, this_.password as password6_12_1_, this_.phoneNumber as phoneNum7_12_1_, this_.role as role8_12_1_, registerst2_.id as id1_11_0_, registerst2_.active as active2_11_0_, registerst2_.sessionExpiry as sessionE3_11_0_, registerst2_.sessionString as sessionS4_11_0_ from User this_ left outer join RegisterStatus registerst2_ on this_.id=registerst2_.id where this_.email=?
20:41:07,736 WARN [org.springframework.security.authentication.event.LoggerListener] - Authentication event AuthenticationSuccessEvent: yahya.arshad#gmail.com; details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null
20:41:07,737 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities
20:41:07,737 DEBUG [org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices] - Did not send remember-me cookie (principal did not set parameter '_spring_security_remember_me')
20:41:07,737 DEBUG [org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices] - Remember-me login not requested.
20:41:07,737 WARN [org.springframework.security.authentication.event.LoggerListener] - Authentication event InteractiveAuthenticationSuccessEvent: yahya.arshad#gmail.com; details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null
20:41:09,038 DEBUG [org.springframework.security.web.session.HttpSessionEventPublisher] - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.mortbay.jetty.servlet.HashSessionManager$Session:ap7q19yq3oul#1156618876]
20:41:09,039 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl#48f0accc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,041 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
20:41:09,047 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - Checking match of request : '/secure/applications.html'; against '/resources/**'
20:41:09,047 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
20:41:09,047 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl#48f0accc: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,047 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 3 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 4 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 5 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 6 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 7 of 11 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter] - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
20:41:09,048 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Secure object: FilterInvocation: URL: /secure/applications.html; Attributes: [permitAll]
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#48f0accc: Principal: com.fyp.ptma.security.AuthorisedUser#48f0db60: Username: yahya.arshad#gmail.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#ffff8868: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: null; Not granted any authorities
20:41:09,049 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#3aa8c31b, returned: 1
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - Authorization successful
20:41:09,049 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - RunAsManager did not change Authentication object
20:41:09,049 DEBUG [org.springframework.security.web.FilterChainProxy] - /secure/applications.html reached end of additional filter chain; proceeding with original chain
20:41:09,053 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Chain processed normally
20:41:09,053 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
LoginSuccessHandler.java
public class LoginSuccessHandler implements AuthenticationSuccessHandler,
AuthenticationFailureHandler {
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication auth)
throws IOException, ServletException {
request.getSession(true).setAttribute("user", auth.getPrincipal());
request.setAttribute("user", auth.getPrincipal());
**response.sendRedirect("secure/applications.html");** // it does't redirect
}
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, AuthenticationException auth)
throws IOException, ServletException {
// TODO Auto-generated method stub
request.getSession(true).setAttribute("error", auth.getMessage());
request.setAttribute("error", auth.getMessage());
response.sendRedirect("login.html?error=true");
}
}
security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<context:component-scan base-package="com.fyp.ptma" />
<beans:bean id="loggerListener"
class="org.springframework.security.authentication.event.LoggerListener" />
<global-method-security pre-post-annotations="enabled" />
<http pattern="/resources/**" security="none" />
<http use-expressions="true" auto-config="true">
<intercept-url pattern="/**" access="permitAll" />
<intercept-url pattern="/secure/*" access="isAuthenticated()" />
<intercept-url pattern="/j_spring_security_check"
access="permitAll" />
<intercept-url pattern="/processRegistration.html"
access="permitAll" />
<form-login login-page="/login.html" default-target-url="/secure/fileUpload.html"
authentication-failure-url="/login.html?error=true"
login-processing-url="/j_spring_security_check"
authentication-success-handler-ref="loginSuccessHandler"
/>
<logout />
<remember-me user-service-ref="userDetailsService" />
<access-denied-handler error-page="/login.html?error=true" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
<beans:bean id="userDetailsService"
class="com.fyp.ptma.dao.service.UserDetailsServiceImpl">
</beans:bean>
<beans:bean id="loginSuccessHandler" class="com.fyp.ptma.security.LoginSuccessHandler" />
servlet-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing
infrastructure -->
<beans:bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />
<!-- Enables the Spring MVC #Controller programming model -->
<annotation-driven />
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by #Controllers to .jsp resources
in the /WEB-INF/views directory -->
<beans:bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix" value="/WEB-INF/views/" />
<beans:property name="suffix" value=".jsp" />
</beans:bean>
<context:component-scan base-package="com.fyp.ptma.controllers" />
</beans:beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/log4j.properties</param-value>
</context-param>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/appServlet/security-context.xml
/WEB-INF/hibernate/hibernate-config.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>120</session-timeout>
</session-config>
</web-app>

You should move
<intercept-url pattern="/**" access="permitAll" />
after
<intercept-url pattern="/secure/*" access="isAuthenticated()" />
in your security-context.xml