How to store values in session if cookie is disabled in spring MVC - spring

I am using Spring MVC 3.1 and developing a web application.
I am storing the logged-in user name and password in the session. Since the session is stored in a cookie, once cookies are disabled I am not able to log in.
Is there any solution in Spring MVC to store the session other than in a cookie?
Thanks

You want to use URL rewriting to persist the JSESSIONID in the URLs across requests. You can configure the ServletContext to use the URL tracking mode (instead of COOKIE) as described here.
With Servlet 3.0 you do this:
<session-config>
  <!-- tracking-mode is a direct child of session-config, not of cookie-config -->
  <tracking-mode>URL</tracking-mode>
</session-config>

I noticed that in my application (Java EE 6, Spring MVC 3.2.4, Spring Security 3.1.4) JSTL's <c:url> tags start adding the sessionid value to each URL when cookies get disabled. Spring Security works normally. I did not have to do any configuration to achieve this.

Related

Login not working after setting cookies?

I've just set custom cookie values for my application with Spring.
In my web.xml I added this:
<session-config>
  <cookie-config>
    <!-- I want to run my app in localhost:8949/administrator -->
    <domain>.127.0.0.1</domain>
    <path>/administrator</path>
    <secure>false</secure>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
So, the login form appears and I log in; it creates the session but returns me to the login page.
I see 2 requests with different jsessionid values:
one at j_spring_security_check and the other at administrator/, and the request for the file login;jsessionid=ASDF...
My question: is this problem due to a misconfiguration of my cookie? Could it be that the specified path is not correct? In that case, how can I specify the domain with a port? Or is the path incorrect?
Any idea?

How to disable the UsernamePasswordAuthenticationFilter in Spring Security 4

I'm migrating a JSF application from Spring Security 3.2 to 4.0.1. This version changes many default urls, for example the default login url to /login.
The application has its own login page (using JSF AJAX) and it is still displayed when calling /login, but all POST-Requests to this URL (and so all AJAX-Requests from the Login-Page) are captured by the UsernamePasswordAuthenticationFilter and that is trying to process the authentication, causing the request to get redirected to the loginform again.
After looking at the code this url seems to be hard-coded:
public UsernamePasswordAuthenticationFilter() {
    super(new AntPathRequestMatcher("/login", "POST"));
}
So I have to disable this filter completely, or better, avoid its creation. Can anybody point me to how I can do it?
Changing my login page to another URL is working, but is not a nice solution.
EDIT: I have created a Bugticket in Spring Security for this: https://jira.spring.io/browse/SEC-2992
EDIT 2: I've found another workaround: If I set the login-processing-url for the form-login to something unused it is working, but seems to be very hacky. There should be a way to disable it completely. Also it should be stated in the migration guide, I lost hours until I found this.
I am going to assume that you are trying to upgrade to Spring Security 4.0.0 (the latest available version is 4.0.1).
Spring Security 3.x used spring_security_login as the default login URL (source: official documentation). This could be set to a custom value as <security:form-login login-page="/login"> and mapped to a controller to render a custom page.
Spring Security 4.x has abandoned spring_security_login and switched to login as the default login URL (source: official Spring Security 4.x migration guide). Therefore, the URL login now goes to the default Spring Security infrastructure, which displays the default, auto-generated login page.
There was a bug in 4.0.0 due to which the default infrastructure was still getting used in cases where the URL /login was manually mapped to a custom controller method. This bug has been fixed in 4.0.1. Do try upgrading to Spring Security 4.0.1 to see if you can use /login as the login URL.
It looks like you could call setFilterProcessesUrl(String) (or, equivalently, setRequiresAuthenticationRequestMatcher(RequestMatcher)) to override the default of /login.

How to redirect to the login page in a JSF + Spring Security project when the session times out?

I added the code fragment below to my web.xml file:
<session-config>
  <session-timeout>1</session-timeout>
</session-config>
I need to know whether there is any possibility to redirect to my login page when the application session times out.
I used JSF 2 + Spring Security 3 + RichFaces final in my project.
Please advise me.
Thanks all.
Do you want to do that automatically, or do you want to redirect to the login page after session timeout when the user calls some action?
For the second one I can recommend this method. I've tested this method in my project and it will work for sure.
https://gist.github.com/banterCZ/5160269
But if you want to do that with RichFaces, use this:
Redirecting on session timeout in JSF-Richfaces-facelet

WAS j_security_check with Spring security

How to disable the remember_me feature when you are using the WebSphere-provided j_security_check form-based implementation?
Remove the <remember-me> tag from the Spring security configuration,
or in your login.jsp don't provide a value for _spring_security_remember_me.

Disable jsessionid via http header (cookie) in Tomcat 7

I'm looking to disable jsessionid from being used in the https headers.
Is there a way to turn this off or disable this being set as a cookie in tomcat 7?
I either want the jsessionid to arrive embedded into a GET method url name value pairs or to be part of a POST request name value pairs.
I know all the advantages and disadvantages of using cookie based sessioning and url rewriting but I have specific needs for specific impl of restful web services.
I need tomcat 7 to accept jsessionid without using the http header: jsessionid.
Thanks.
UPDATE:
So I looked around some more and found this, which is implemented using the web.xml conf.
However, the following doesn't seem to work with Tomcat 7.
<session-config>
  <tracking-mode>URL</tracking-mode>
</session-config>
Is it a case of TC7 not fully implementing the Servlet 3.0 spec?
The web.xml setting works for me with Tomcat 7.0.20.
Log and check the effective (and maybe the default) session tracking modes:
logger.info("default STM: {}" , servletContext.getDefaultSessionTrackingModes());
logger.info("effective STM: {}" , servletContext.getEffectiveSessionTrackingModes());
Maybe your app overrides the session tracking modes somewhere in the code. An example:
final Set<SessionTrackingMode> trackingModes =
        Collections.singleton(SessionTrackingMode.COOKIE);
servletContext.setSessionTrackingModes(trackingModes);
Check ServletContext.setSessionTrackingModes() calls in your code.
It's also possible to set default session tracking modes in Tomcat's context settings, but I found that web.xml settings override them.
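
The check described in the answer above, combined with the tracking-mode setting from the top of the page, as a startup listener. This is an added example, not code from any of the posters; the class name SessionTrackingModeCheck and the EXPECTED constant are hypothetical, and it assumes a Servlet 3.0 container that scans @WebListener classes.

```java
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical class name; registered through @WebListener (Servlet 3.0+).
@WebListener
public class SessionTrackingModeCheck implements ServletContextListener {

    // The modes this application intends to run with. URL mode puts the
    // session id into every encoded link, so it also ends up in access logs,
    // browser history and Referer headers; choose it deliberately.
    private static final Set<SessionTrackingMode> EXPECTED =
            EnumSet.of(SessionTrackingMode.URL);

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        ctx.log("default STM: " + ctx.getDefaultSessionTrackingModes());

        try {
            // Only allowed while the context is still initializing.
            ctx.setSessionTrackingModes(EXPECTED);
        } catch (IllegalStateException | IllegalArgumentException e) {
            ctx.log("could not set session tracking modes", e);
        }

        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        ctx.log("effective STM: " + effective);

        // Fail startup if the requested set did not take effect, rather than
        // run with a tracking mode nobody chose.
        if (!effective.equals(EXPECTED)) {
            throw new IllegalStateException(
                    "session tracking modes are " + effective + ", expected " + EXPECTED);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }
}
```

With URL tracking the session id is only appended to links that pass through HttpServletResponse.encodeURL or encodeRedirectURL, which is what <c:url> does.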
