Spring security/hibernate: Bad credentials even if they're right? - spring

Hey I am having a bit of a mess with my springsecurity based login
I'm keep getting the error "bad credentials"
Here's my user table:
![Usertable][1]
Here's my dataSource from the applicationContext:
<!-- database driver/location -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/ams" />
<property name="username" value="root" />
<property name="password" value="root" />
</bean>
and my securityContext:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
<security:http auto-config="true">
<security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
<security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
<security:logout logout-success-url="/login/login.do" invalidate-session="true" />
<security:remember-me key="rememberMe"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select USERNAME as username, PASSWORD as password, DELETED as deleted from ams.user where USERNAME=?"
authorities-by-username-query="
select distinct user.USERNAME as username, permission.NAME as authority
from scu.user, scu.user_role, scu.role, scu.role_permission, scu.permission
where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.USERNAME=?"/>
<!-- security:password-encoder ref="passwordEncoder" /> -->
</security:authentication-provider>
</security:authentication-manager>
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
<constructor-arg value="256" />
</bean>
</beans>
When i try to login with: admin and init01
it gives me the error bad credentials... =(
ANY suggestions are appreciated!!!


The password-encoder reference in your authentication-provider is commented out. You need a password encoder if you are using hashed passwords (as you should be). Also check this answer, particularly point 2 about writing a test to make sure the password encoder you are using matches what you have stored in the database.
You might also want to check this answer on using bcrypt as a more secure alternative to plain SHA hashes.


Your passwords are getting hashed. If you add a password 'init01', it actually means the hash of the original password is 'init01' because Spring hashes the supplied password and matches with the one you enter. So SHA('init01') is something other than 'init01'

Related

Spring Security Concurrency Control not working in Spring 4.0.4

I try to implement concurrency-control in Spring security 4.0.4 I use form-login for auth. Here is my security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd ">
<security:http auto-config="true" >
<security:custom-filter ref="myFilter" before="FORM_LOGIN_FILTER"/>
<security:intercept-url pattern="/Welcome**" access="hasRole('ROLE_USER')" />
<security:intercept-url pattern="/admin**" access="hasRole('ADMINISTRATOR')"/>
<security:intercept-url pattern="/Welcome**" access="isAuthenticated()"/>
<security:intercept-url pattern="/hello" access="isAuthenticated()"/>
<security:intercept-url pattern="/logout" access="isAnonymous()"/>
<security:intercept-url pattern="/student" access="hasRole('STUDENT')"/>
<security:intercept-url pattern="/failurl" access="hasRole('STUDENT1')"/>
<security:session-management invalid-session-url="/access" session-fixation-protection="newSession" >
<security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/access"/>
</security:session-management>
<security:logout logout-success-url="/access" delete-cookies="JSESSIONID" />
<security:form-login login-processing-url="/j_spring_security_check"
login-page="/access"
default-target-url="/hello"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/fail"
/>
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
<security:csrf />
</security:http>
<bean id="myFilter" class="com.www.sec.MyFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- <security:password-encoder hash="sha-256"/> -->
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"select username,password,enabled from user_details where username=?"
authorities-by-username-query=
"select username,user_role from user_role where username =?" />
</security:authentication-provider>
</security:authentication-manager>
</beans>
Listener:
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
when we run it in different browsers, log in in both but I have 2 sessions active. It seems that concurrency control doesn't work.
How to implement concurrency control with using form-login?

too many redirections have happened while trying to open the login page

I use spring and spring security for my application
Here is my spring security xml file
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="hasRole('ROLE_MEMBRE')" />
<security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- <security:form-login login-page="/login.jsp" -->
<!-- default-target-url="/WEB-INF/pages/index.jsp" -->
<!-- authentication-failure-url="/login.jsp" username-parameter="username" -->
<!-- password-parameter="password" /> -->
<security:logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<security:csrf />
<security:custom-filter after="FORM_LOGIN_FILTER"
ref="authenticationFilter" />
<security:anonymous enabled="true" />
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="authenticationProvider" />
</security:authentication-manager>
<bean id="authenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
<property name="passwordEncoder" ref="encoder" />
</bean>
<bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<bean id="userDetailsService" class="spring.security.UserDetailsServiceImpl" />
<bean id="passwordChecker" class="spring.security.impl.PasswordCheckerImpl" />
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="filterProcessesUrl" value="/login" />
<property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>
<bean id="authenticationSuccessHandler" class="spring.security.AuthenticationSuccessHandlerImpl">
<property name="defaultTargetUrl" value="/WEB-INF/pages/index.jsp" />
<property name="userManagementService" ref="userManagementService" />
</bean>
<bean id="authenticationFailureHandler" class="spring.security.AuthenticationFailureHandlerImpl">
<property name="defaultFailureUrl" value="/login.jsp" />
<property name="userManagementService" ref="userManagementService" />
</bean>
<bean id="userManagementService" class="spring.security.UserDetailsServiceImpl">
</bean>
</beans>
When I try to open my login page I have the following error message on safari : too many redirection occured when trying to open the page. This can happen when you open a page that is redirected towards another page that redirect again towards the original page
on firefox, the message error is : the page is not redirected correctly. Firefox detected that the server redirect the demand for this adress in a way that will not be successfull
I don't see what could be the cause. Thanks in advance for your answers

I solved my problem by changing the security:http by
<security:http auto-config="true">
<security:intercept-url pattern="/login.jsp" access="isAnonymous()" />
<security:intercept-url pattern="/" access="isAnonymous()" />
<security:logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<security:csrf />
<security:custom-filter after="FORM_LOGIN_FILTER"
ref="authenticationFilter" />
<security:anonymous enabled="true" />

Spring Security custom authentication and remember me

I used this tutorial to implement a custom authentication manager. Login and logout works fine.
Now I want to use spring security remember-me authentication. As far as I know, remember-me requires a userDetailService. So I implemented a custom userDetailService.
On the login page I added a checkbox with name _spring_security_remember_me. But, remember-me doesn't work. The remember-me cookie is not set after succesful login. I think this is a configuration problem or do I need to implement a custom remember me to work with custom authentication ?
<input type="checkbox" name="_spring_security_remember_me">stay signed in
My Spring-Security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">
<security:http auto-config="false" use-expressions="true" access-denied-page="/login?error=true"
entry-point-ref="authenticationEntryPoint" >
<!-- Zugriff auf /login für alle erlauben -->
<security:intercept-url pattern="/login" access="permitAll"/>
<!-- resources -->
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<!--<security:intercept-url pattern="/**" access="permitAll"/> -->
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<!-- Zugriff auf /admin/** einschränken -->
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<security:logout
invalidate-session="true"
logout-success-url="/login?logout=true"
logout-url="/j_spring_security_logout"/>
<security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
<!-- Session Timeout Seite setzen und
Session Fixation Attack Protection einschalten -->
<security:session-management invalid-session-url="/login?timeout=true"
session-fixation-protection="migrateSession">
<!-- Maxmale Anzahl von Session per User (Doppelanmeldung) -->
<security:concurrency-control max-sessions="3"
error-if-maximum-exceeded="false" />
</security:session-management>
<security:remember-me key="myAppKey" token-validity-seconds="864000" user-service-ref="customUserDetailService"/>
</security:http>
<!-- custom user service -->
<bean id="customUserDetailService" class="com.stefan.app.security.CustomUserDetailsService">
<property name="userBean" ref="userBean" />
</bean>
<!-- Custom filter to deny unwanted users even though registered -->
<bean id="blacklistFilter" class="com.stefan.app.security.filter.BlacklistFilter" />
<!-- Custom filter for username and password. The real customization is done in the customAthenticationManager -->
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />
<!-- Custom authentication manager. In order to authenticate, username and password must not be the same -->
<bean id="customAuthenticationManager" class="com.stefan.app.security.CustomAuthenticationManager">
<property name="userBean" ref="userBean" />
</bean>
<jee:local-slsb id="userBean" jndi-name="java:global/com.stefan.auctionnsiper-ear/app.ejb/UserBean!com.stefan.app.user.UserBeanLocal"
business-interface="com.stefan.app.user.UserBeanLocal"/>
<!-- We just actually need to set the default failure url here -->
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login?error=true" />
<!-- We just actually need to set the default target url here -->
<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
p:defaultTargetUrl="/products" />
<!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
whenever the server sends back a response requiring authentication -->
<!-- See Spring-Security Reference 5.4.1 for more info -->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login"/>
<!-- The tag below has no use but Spring Security needs it to autowire the parent property of
org.springframework.security.authentication.ProviderManager. Otherwise we get an error
A probable bug. This is still under investigation-->
<security:authentication-manager/>
</beans>

Check:
https://stackoverflow.com/questions/8815277/spring-security-tokenbasedremembermeservices-cookiename-ignored
http://forum.springsource.org/showthread.php?130600-Spring-security-remember-me-cookie-configuration-example
Try this:
<security:http>
...
<security:remember-me services-ref="rememberMeServices" />
</security:http>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="customUserDetailService"/>
<property name="tokenValiditySeconds" value="864000"/>
<property name="cookieName" value="SPRING_RM"/>
<property name="key" value="myAppKey"/>
</bean>

Besides what JoGo said, don't forget to set the "rememberMeServices" property on your "authenticationFilter", that is:
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"
p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler"
p:rememberMeServices-ref="rememberMeServices" />
Additionally you'll probably need to remove the remember me cookie when the user logs out, so he's not automatically logged in:
<security:logout
invalidate-session="true"
logout-success-url="/login?logout=true"
logout-url="/j_spring_security_logout"
delete-cookies="SPRING_RM"
/>
I hope this helps.

Adding Remember Me functionality in already configured spring OUTH and usernamepassword token authentication system

I have the following spring security configuration.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- For S2OAuth endpoints -->
<http pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
</http>
<http use-expressions="true">
<!-- Authentication policy -->
<form-login login-page="/signin" login-processing-url="/signin/authenticate" authentication-failure-url="/signin?error=1" />
<logout logout-url="/signout" delete-cookies="JSESSIONID" />
<!-- Remember Me -->
<remember-me services-ref="rememberMeServices" key="myRememberMeKey" />
<!-- Authorization policy definition: TODO consider replacing with #Secured on #Controllers -->
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll" />
<intercept-url pattern="/members/**" access="permitAll" />
<intercept-url pattern="/groups/**" access="permitAll" />
<intercept-url pattern="/pubsub/**" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/signup" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/signin" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/signin/*" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<intercept-url pattern="/reset" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<!-- TODO this would probably be better mapped to simply /invite?token={token} but not able to vary security policy here based on presence of a request parameter. Consider #Secured on #Controller. -->
<intercept-url pattern="/invite/accept" access="permitAll" requires-channel="#{environment['application.secureChannel']}" />
<!-- TODO this should be restricted to admin users only -->
<intercept-url pattern="/admin/**" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" requires-channel="#{environment['application.secureChannel']}" />
<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="usernamePasswordAuthenticationProvider" />
</authentication-manager>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<bean id="jdbcRememberMeRepository" class="com.springsource.greenhouse.rememberme.JdbcRememberMeRepository" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="coreUserDetailsService" class="com.springsource.greenhouse.rememberme.RememberMeUserDetailsService" xmlns="http://www.springframework.org/schema/beans"/>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices" xmlns="http://www.springframework.org/schema/beans">
<property name="tokenRepository" ref="jdbcRememberMeRepository" />
<property name="userDetailsService" ref="coreUserDetailsService" />
<property name="key" value="myRememberMeKey" />
<property name="alwaysRemember" value="true" />
</bean>
<!-- For S2OAuth endpoints -->
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<beans:bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<beans:constructor-arg ref="clientDetails" />
</beans:bean>
<beans:bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<beans:property name="realmName" value="greenhouseApi" />
</beans:bean>
<beans:import resource="security-oauth-provider.xml" />
</beans:beans>
When I tick the remember-me checkbox , I see my remember-me database is populated as shown in the snapshot. Now I close the browser and try to access the url which needs sign-in. I am able to see the page. Now here I am confused about whether I am able to see the page because of login or because of remember-me. Secondly I see in the remember-me database table the last date is not updated. What can be the reasons for this?

Restarting your browser is not enough. To test remember me functionality you need to be sure that your session is expired. If lastUsed was not updated then it means that remember me functionality was not used. In your case HTTP session was active. You need to deactivate it and there are multiple options to do it:
wait for session expiration. Hint: you can set minimal session timeout, for example set 1 minute in your web.xml.
or remove session cockie (do not remove all coockies for your domain, remember me use coockie too)
or stop your application server then clean up a directory where it persist session data and start it again. For tomcat it is tomcat_root/work.
Setting up session timeout value to 1 minute in web.xml:
<session-config>
<session-timeout>1</session-timeout>
</session-config>

spring security and using CustumUserDetails

Can anybody help me with spring security?
I have two folder under views 1: allusers 2: superusers
all users have hasRole("ROLE_USER") and superusers have: haseRole("ROLE_ADMIN","ROLE_USER")
I want when a user how has the ROLE_ADMIN after log in be redirect to the right folder i.e supersusers's folder and that one with only ROLE_USER to the allusers's folder.
Don't know how can I do it.
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org /2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
<http auto-config="true" use-expressions="true">
<!-- interceptor pages -->
<intercept-url pattern="/**" access="permitAll" />
<intercept-url pattern="/index" access="permitAll" />
<intercept-url pattern="/allusers/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/superusers/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/denied" access="permitAll" />
<intercept-url pattern="/getAllUsers" access="hasRole('ROLE_ADMIN')" />
<access-denied-handler error-page="/403" />
<form-login login-page="/index" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
</http>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="
select username,password,'true' AS isEnabled from USER where USERNAME=?"
authorities-by-username-query="
select u.username ,r.`ROLE_NAME`,u.`PASSWORD` from USER u, USER_ROLE ur,ROLE r where (u.user_id = ur.user_id)
and (r.role_id=ur.role_id) and u.username =? " />
</authentication-provider>
</authentication-manager>
Here is my mvc-dispatcher.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd">
<context:component-scan base-package="com.secure.weblayer" />
<mvc:annotation-driven />
<context:annotation-config />
<mvc:resources mapping="/resources/**" location="/resources/" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<!-- <property name="prefix" value="/WEB-INF/views/allusers/" />-->
<!-- <property name="prefix" value="/WEB-INF/views/superusers" />-->
<property name="suffix" value=".jsp" />
</bean>
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames" value="mymessages"></property>
</bean>
<bean
class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />
<bean
class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping" />
</beans>
As you can see I use sql-query in my spring-security.xml for log in.
I can log in but can not be redirect to any desired pages. But when I in the xml file changethe property to : property name="prefix" value="/WEB-INF/views/allusers"
or : property name="prefix" value="/WEB-INF/views/superusers"
I can get access to all pages in those folders but not at the same time.
Please any help?

You dont wanna touch the InternalResourceViewResolver, as that affects all views.
You dont have your access rights correct, should be like this.
all users is normal users and admin users:
<intercept-url pattern="/allusers/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
superusers is just admin users
<intercept-url pattern="/superusers/**" access="hasRole('ROLE_ADMIN')" />
Also, remove:
<intercept-url pattern="/**" access="permitAll" />
And then you just want to redirect to right page after login.
So use this for your login controller:
#Controller
public class LoginController {
#RequestMapping(value="/welcome", method = RequestMethod.GET)
public String printWelcome(ModelMap model, SecurityContextHolderAwareRequestWrapper request) {
if(request.isUserInRole("ROLE_ADMIN")) {
return "redirect:/superusers";
} else {
return "redirect:/allusers";
}
}
}

Resources