spring security not working - spring

I am developing a Struts2 + Spring + Tiles + Hibernate + Spring Security application.
When I go to the URL /register I am correctly redirected to the login page,
but on logging in with the username and password specified in the bean configuration file,
I am redirected back to the login page with the URL "login?error=true", which means that the login was unsuccessful, as I have specified authentication-failure-url="/login?error=true".
I have configured form-based login with the following configuration:
//web.xml
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/medic-security.xml
</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
//medics-security.xml
<http auto-config="true" access-denied-page="/error">
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/register*" access="ROLE_USER" />
<intercept-url pattern="/messagePost*" access="ROLE_USER" />
<intercept-url pattern="/messageDelete*" access="ROLE_ADMIN" />
<form-login login-page="/login" authentication-failure-url="/login?error=true"/>
<remember-me/>
<logout/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="secret" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
//login.jsp
<form action="j_spring_security_check">
<label for="j_username">Username</label>
<input type="text" name="j_username" id="j_username"/><br/>
<label for="j_password">Password</label>
<input type="password" name="j_password" id="j_password"/><br/>
<input type='checkbox' name='_spring_security_remember_me'/> Remember me<br/>
<input type="submit" value="Login"/>
<input type="reset" value="Reset"/>
</form>
//struts.xml
<package name="default" namespace="/" extends="struts-default">
<action name="login" class="com.medics.action.LoginAction">
<result name="SUCCESS" type="tiles">login</result>
</action>
<action name="register" class="com.medics.action.RegisterAction">
<result name="SUCCESS">/Register.jsp</result>
</action>
</package>
Action classes are doing nothing except returning "SUCCESS"

Since you have not specified a method for <form>, it uses GET, which is the default. spring-security 3.x does not allow authentication using GET, by default.
Can you try adding method="post" and see if that helps?

Related

How to securize Struts2 Rest services with Spring Security Oauth

I struggle with the configuration of Spring Security OAuth to use it in a Struts2 application to secure REST web services.
I have already used Spring Security for a long time.
The issue, if I have understood well, is that Spring Security OAuth needs the Spring MVC dispatcher set on root, and this conflicts with Struts2.
Here are my attempts:
2) Struts2 on root and Spring MVC on /oauth/*
<!-- Struts 2 -->
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/struts/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
This is OK for OAuth, but Struts2 doesn't work anymore.
1) Struts2 and Spring MVC on root
<!-- Struts 2 -->
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/struts/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/oauth/*</url-pattern>
</servlet-mapping>
Struts2 and OAuth recognize the rights, but the response is made on /token instead of /oauth/token, and so I get a 404 error.
The extract of spring-security.xml is here:
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<!-- This is where we tells spring security what URL should be protected
and what roles have access to them -->
<http pattern="/api/**.api" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**.api" access="ROLE_API" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
The solution is to use 2 different Spring dispatchers:
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/oauth/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>rest-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>rest-dispatcher</servlet-name>
<url-pattern>/restapi/*</url-pattern>
</servlet-mapping>
One for the REST WS and the other for securization.
Afterwards you will get the token not on /oauth/token but on /oauth/oauth/token.
To solve this problem you have to duplicate the Spring Security parameterization:
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http pattern="/oauth/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

Spring WebFlow + Spring Security + File multipart upload

Help me please, I haven't been able to solve this problem for 2 days.
Here is the flow "create-magazine.xml":
<view-state id="createMagazineForm" view="createmagazine" model="magazine">
<transition on="submit" to="createMagazineAction" />
</view-state>
<action-state id="createMagazineAction">
<evaluate expression="createMagazineService.justTest(magazine,flowRequestContext)" />
<transition on="success" to="createMagazineSuccess"/>
</action-state>
<view-state id="createMagazineSuccess" view="createsuccess" >
</view-state>
Here is createmagazine.jsp:
<form:form method="POST" modelAttribute="magazine" enctype="multipart/form-data">
<div class="form-group">
<fieldset>
<p>Your title</p>
<form:input placeholder="Title here" cssClass="form-control" path="vtitle" />
<p>Magazine image</p>
<input type="file" class="form-control" name="vimage" />
</fieldset>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<input type="submit" class="btn btn-success" value="Create" name="_eventId_submit" />
</div>
</form:form>
And createsuccess.jsp:
<h1 class="jumbotron">Magazine created</h1>
<p>${magazine.vtitle}</p>
<p>${magazine.vimage.getName()}</p>
Here is my model object:
import java.io.Serializable;
import javax.xml.bind.annotation.XmlRootElement;
import org.springframework.web.multipart.MultipartFile;

@XmlRootElement
public class Magazine implements Serializable {
    private Integer id;
    private String vtitle;
    // The uploaded file bound from the multipart request
    private MultipartFile vimage;

    public Integer getId() {
        return id;
    }
    public MultipartFile getVimage() {
        return vimage;
    }
    public void setVimage(MultipartFile vimage) {
        this.vimage = vimage;
    }
    public void setId(Integer id) {
        this.id = id;
    }
    public String getVtitle() {
        return vtitle;
    }
    public void setVtitle(String vtitle) {
        this.vtitle = vtitle;
    }
}
After clicking the submit button I get "405 Request method 'POST' not supported".
I think it's because of Spring Security.
Update: Here is my security-config:
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin**" access="hasRole('Admin')" />
<intercept-url pattern="/secured**" access="hasRole('User')" />
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<form-login
login-page="/login"
default-target-url="/secured"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailsService" >
<password-encoder hash="bcrypt" />
</authentication-provider>
</authentication-manager>
Thanks @M. Deinum
I solved the problem. First I fixed web.xml:
<!-- Spring MVC -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/dispatcher-servlet.xml
/WEB-INF/spring/webflow-config.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<multipart-config>
<location>/tmp</location>
<max-file-size>20848820000</max-file-size>
<max-request-size>41801884100</max-request-size>
<file-size-threshold>104857600</file-size-threshold>
</multipart-config>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>csrfFilter</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>csrfFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<description>
Allows the application to accept multipart file data.
</description>
<display-name>springMultipartFilter</display-name>
<filter-name>springMultipartFilter</filter-name>
<filter-class>
org.springframework.web.multipart.support.MultipartFilter</filter-class>
<!--init-param>
<param-name>multipartResolverBeanName</param-name>
<param-value>multipartResolver</param-value>
</init-param-->
</filter>
<filter>
<description>
Secures access to web resources using the Spring Security framework.
</description>
<display-name>springSecurityFilterChain</display-name>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springMultipartFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>ERROR</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Then I changed my method to:
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.support.StandardMultipartHttpServletRequest;
import org.springframework.webflow.context.servlet.ServletExternalContext;
import org.springframework.webflow.execution.RequestContext;

public String justTest(Magazine magazine, RequestContext requestContext) {
    ServletExternalContext context = (ServletExternalContext) requestContext.getExternalContext();
    // Expose the container-parsed (Servlet 3.0 multipart-config) parts through Spring's multipart API
    MultipartHttpServletRequest multipartRequest =
            new StandardMultipartHttpServletRequest((HttpServletRequest) context.getNativeRequest());
    magazine.setFile(multipartRequest.getFile("file"));
    requestContext.getFlowScope().put("magazine", magazine);
    return "success";
}

Access Denied error: Spring web MVC(4.1.6)+ Spring security(4.0.1)+ Apache TIles(3.0.5)

I tried integrating Apache Tiles with Spring Security, but my web page displays "Error: Access is Denied".
Spring MVC + Spring Security -- https://github.com/spring-projects/spring-security/tree/master/samples/gae-xml
My tiles-configuration xml--
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE tiles-definitions PUBLIC
"-//Apache Software Foundation//DTD Tiles Configuration 2.0//EN"
"http://tiles.apache.org/dtds/tiles-config_2_0.dtd">
<tiles-definitions>
<definition name="base.definition"
template="/jsp/layout.jsp">
<put-attribute name="title" value="" />
<put-attribute name="header" value="/jsp/header.jsp" />
<put-attribute name="menu" value="" />
<put-attribute name="body" value="" />
<put-attribute name="footer" value="/jsp/footer.jsp" />
</definition>
<definition name="home" extends="base.definition">
<put-attribute name="title" value="Home" />
<put-attribute name="body" value="/jsp/home.jsp" />
</definition>
<definition name="hello" extends="base.definition">
<put-attribute name="title" value="logged In" />
<put-attribute name="body" value="/jsp/hello.jsp" />
</definition>
</tiles-definitions>
Security config xml--
<http use-expressions="true" entry-point-ref="gaeEntryPoint">
<intercept-url pattern="/" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" />
<intercept-url pattern="/register.do" access="hasRole('NEW_USER')" />
<intercept-url pattern="/**" access="hasRole('USER')" />
<custom-filter position="PRE_AUTH_FILTER" ref="gaeFilter" />
</http>
<b:bean id="gaeEntryPoint" class="com.app.security.GoogleAccountsAuthenticationEntryPoint" />
<b:bean id="gaeFilter" class="com.app.security.GaeAuthenticationFilter">
<b:property name="authenticationManager" ref="authenticationManager"/>
</b:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="gaeAuthenticationProvider"/>
</authentication-manager>
<b:bean id="gaeAuthenticationProvider" class="com.app.security.GoogleAccountsAuthenticationProvider">
<b:property name="userRegistry" ref="userRegistry" />
</b:bean>
<b:bean id="userRegistry" class="com.app.security.GaeDatastoreUserRegistry" />
web.xml--
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/gae-security.xml,
/WEB-INF/gae-servlet.xml
</param-value>
</context-param>
<servlet>
<servlet-name>gae</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>gae</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>gae</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Spring Controllers--
@RequestMapping(value = "/", method = RequestMethod.GET)
public String landingPage(ModelMap model) {
    return "home";
}

@RequestMapping(value = "/home.do", method = RequestMethod.GET)
public String loggedIn(ModelMap model) {
    return "hello";
}
I am a beginner with Spring Security and while experimenting with Apache Tiles I repeatedly get the Access Denied error. Please help.
Maybe you should check your <intercept-url/> patterns... It seems that <intercept-url pattern="/" access="permitAll"/> is overridden by the other ones below... In Spring Security URL patterns can be overridden by the next one we define. Try to map from the most specific URL to the most generic. Cheers.

Spring security login-processing-url throws 405 request method POST not supported

I'm working with Spring Security 3.1.3 in a Spring 3.2.0 project. I've configured two entry points for my security using Spring Security. The idea is to have a URL like /enterprise_login where enterprise users should log in and another URL like /login where normal users do their login. In my security configuration I have the following code:
<security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled" secured-annotations="enabled" />
<security:http pattern="/enterprise/**" auto-config="false" use-expressions="true" authentication-manager-ref="autenticationManagerUserEnterprise">
<security:intercept-url pattern="/enterprise/**" access="hasRole('ROLE_ENTERPRISE')" />
<security:intercept-url pattern="/enterprise_login" access="isAnonymous()" />
<security:form-login login-page="/enterprise_login" default-target-url="/" authentication-failure-url="/empresas_login_error" login-processing-url="/enterprise_login_process" />
<security:logout logout-success-url="/" delete-cookies="JSESSIONID"/>
<security:remember-me user-service-ref="enterpriseAuthenticationProvider"/>
<security:session-management invalid-session-url="/">
<security:concurrency-control max-sessions="2" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
<security:http pattern="/**" auto-config="false" use-expressions="true" authentication-manager-ref="autenticationManagerUser">
<security:intercept-url pattern="/**" access="permitAll" />
<security:form-login login-page="/login" default-target-url="/" authentication-failure-url="/login_error" />
<security:logout logout-success-url="/" delete-cookies="JSESSIONID"/>
<security:remember-me user-service-ref="UserAuthenticationProvider"/>
<security:session-management invalid-session-url="/">
<security:concurrency-control max-sessions="2" error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
<security:authentication-manager id="autenticationManagerUserEnterprise">
<security:authentication-provider user-service-ref="enterpriseAuthenticationProvider">
<security:password-encoder hash="plaintext"></security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<security:authentication-manager id="autenticationManagerUser">
<security:authentication-provider user-service-ref="UserAuthenticationProvider">
<security:password-encoder hash="plaintext"></security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<bean id="enterpriseAuthenticationProvider" class="com.test.security.enterpriseAuthenticationProvider"></bean>
<bean id="UserAuthenticationProvider" class="com.test.security.UserDetailsServiceImp"></bean>
Then when I go to the /enterprise_login form and submit the login data I get "HTTP 405 - Request method 'POST' not supported", thrown by Tomcat at the URL /enterprise_login_process (the URL configured to act as login-processing-url). I can't figure out where the problem is; any help is really appreciated.
PS: My web.xml looks like:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>AT-2</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-config.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>tutorial.root</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-config.xml</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
The issue is that the first configuration currently only matches on URLs that start with "/enterprise/" and the URL to process authentication is configured as "/enterprise_login_process". This means that submitting a POST to "/enterprise_login_process" will submit to the second configuration which is not trying to authenticate "/enterprise_login_process".
To fix this you need to ensure the http#pattern and the login-processing-url are aligned. For example:
<security:http pattern="/enterprise/**"
auto-config="false"
use-expressions="true"
authentication-manager-ref="autenticationManagerUserEnterprise">
<security:intercept-url pattern="/enterprise/login"
access="isAnonymous()" />
<security:intercept-url pattern="/**"
access="hasRole('ROLE_ENTERPRISE')" />
<security:form-login login-page="/enterprise/login"
default-target-url="/"
authentication-failure-url="/enterprise/login?error"
login-processing-url="/enterprise/login_process" />
<security:logout logout-success-url="/"
delete-cookies="JSESSIONID"/>
<security:remember-me
user-service-ref="enterpriseAuthenticationProvider"/>
<security:session-management invalid-session-url="/">
<security:concurrency-control max-sessions="2"
error-if-maximum-exceeded="true" />
</security:session-management>
</security:http>
You will observe that I modified the code to ensure all URLs within the block start with "/enterprise/". This also means that you will need to ensure that your login form for enterprise is updated to POST to "/enterprise/login_process".

cannot use spring security with url rewrite (Tuckey)

I am using Spring MVC with the Tuckey UrlRewriteFilter to have extension-less URLs. All is working fine, but I recently have a problem handling the /j_spring_security_check POST.
Here are my config files:
urlrewrite.xml
<rule>
<from>/$</from>
<to type="forward">home</to>
</rule>
<rule>
<from>/signup$</from>
<to type="forward">/signup</to>
</rule>
<rule>
<from>/j_spring_security_check(\?.*)</from>
<to last="true">/j_spring_security_check$1</to>
</rule>
<rule>
<from>/logout(\?.*)</from>
<to last="true">/logout$1</to>
</rule>
<rule>
<from>^([^?]*)/([^?/\.]+)(\?.*)?$</from>
<to last="true">$1/$2.htm$3</to>
</rule>
<outbound-rule>
<from>^(.*)\.htm(\?.*)?$</from>
<to last="false">$1$2</to>
</outbound-rule>
spring security
<!-- This is where we configure Spring-Security -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/denied.htm">
<security:intercept-url pattern="/**" access="permitAll" />
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/user" access="hasRole('ROLE_USER')" />
<security:form-login login-page="/signup" authentication-failure-url="/signup?error=authenticate" default-target-url="/" />
<security:logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<security:remember-me key="springRocks" user-service-ref="userDetailsService"/>
</security:http>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsService">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the
database -->
<bean
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder" />
<bean id="userDaoService" class="com.dolo.dao.jdbc.JdbcUserDao">
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="userDetailsService" class="com.dolo.services.impl.UserServiceImpl">
</bean>
<bean id="userDetails" class="com.dolo.model.User">
</bean>
web.xml
<servlet>
<servlet-name>dolo</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
...
<servlet-mapping>
<servlet-name>dolo</servlet-name>
<url-pattern>*.htm</url-pattern>
...
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
....
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
....
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
Both can work together without any problem.
The <filter-mapping> declaration for springSecurityFilterChain should be done before the UrlRewriteFilter one. Once that is done, you don't need any rewrite rule for j_spring_security_check.
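Three of the answers on this page come down to the same rule: Spring Security evaluates its `<http pattern>` blocks and its `<intercept-url>` entries in declaration order and takes the first match. The "Access Denied" answer says to order patterns from most specific to most generic; the 405 answer shows a login-processing-url that falls outside its chain's pattern and is therefore handled by the catch-all `/**` chain, whose form-login filter ignores it; and the urlrewrite question's security config declares `/**` as permitAll before `/admin/**`, so the admin rule can never be reached. The script below is an added illustration, not code from any of the posts or from Spring itself: it reimplements a simplified Ant-style path matcher (`*` within one segment, `?` one character, a whole `**` segment zero or more segments; assumed to be enough for the patterns on this page) and replays the page's configurations through first-match selection. The rule lists, chain lists and function names are constructed for the example.

```python
import re


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (as used by Spring Security's
    <http pattern> and <intercept-url pattern>) into an anchored regex.
    Simplified reimplementation for illustration, not Spring's AntPathMatcher."""
    out = []
    for i, seg in enumerate(pattern.split("/")):
        if seg == "**":
            # a whole "**" segment absorbs the preceding slash and any depth
            out.append("(?:/.*)?" if i > 0 else ".*")
            continue
        if i > 0:
            out.append("/")
        out.append("".join(
            "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
            for c in seg))
    return re.compile("^" + "".join(out) + "$")


def first_match(rules, path):
    """Walk (pattern, value) pairs in declaration order; first match wins,
    later entries are never consulted. Returns the pair or None."""
    for pattern, value in rules:
        if ant_to_regex(pattern).match(path):
            return pattern, value
    return None


def access_for(intercept_urls, path):
    """Access expression applied to `path`, or None when no rule matches."""
    hit = first_match(intercept_urls, path)
    return hit[1] if hit else None


# Constructed from the urlrewrite question's config: "/**" permitAll is declared
# first, so the more specific rules below it are unreachable.
SHADOWED = [
    ("/**", "permitAll"),
    ("/admin/**", "hasRole('ROLE_ADMIN')"),
    ("/user", "hasRole('ROLE_USER')"),
]
# Same rules, most specific first, as the "Access Denied" answer recommends.
ORDERED = [
    ("/admin/**", "hasRole('ROLE_ADMIN')"),
    ("/user", "hasRole('ROLE_USER')"),
    ("/**", "permitAll"),
]


def select_chain(chains, path):
    """Pick the <http> block that handles `path`: first match wins again.
    Each chain is (pattern, login_processing_url)."""
    return first_match(chains, path)


def login_handled(chains, method, path):
    """True when the selected chain's form-login filter consumes a POST to
    `path`; otherwise the request falls through to the application (MVC)."""
    chain = select_chain(chains, path)
    return chain is not None and method == "POST" and chain[1] == path


# Constructed from the 405 question: the enterprise chain only covers
# "/enterprise/**", yet its login-processing-url lies outside that prefix.
BROKEN_CHAINS = [
    ("/enterprise/**", "/enterprise_login_process"),
    ("/**", "/j_spring_security_check"),  # form-login default processing URL
]
# The accepted answer's fix: keep every enterprise URL under "/enterprise/".
FIXED_CHAINS = [
    ("/enterprise/**", "/enterprise/login_process"),
    ("/**", "/j_spring_security_check"),
]

if __name__ == "__main__":
    for label, rules in (("shadowed", SHADOWED), ("ordered", ORDERED)):
        print(f"{label}: /admin/users -> {access_for(rules, '/admin/users')}")
    print("broken:", select_chain(BROKEN_CHAINS, "/enterprise_login_process")[0],
          login_handled(BROKEN_CHAINS, "POST", "/enterprise_login_process"))
    print("fixed: ", select_chain(FIXED_CHAINS, "/enterprise/login_process")[0],
          login_handled(FIXED_CHAINS, "POST", "/enterprise/login_process"))
```

Running it shows `/admin/users` resolving to `permitAll` under the shadowed ordering and to `hasRole('ROLE_ADMIN')` once the rules are reordered, and the POST to `/enterprise_login_process` landing in the `/**` chain, where nothing consumes it, which is the path to the 405 the question reports. The same replay is a cheap review check for any XML security config: list the patterns in order and confirm that no catch-all precedes a rule you rely on.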
