I'm trying to implement Spring Security in my application and I have messages in my log saying that it recognizes the security but it is not ever enforcing the rules I set. My login.xhtml is also calling the login method but it never returns correctly so I can only assume that I've missed something in my configuration but I just can't find it. Thanks in advance.

I know this has been asked many times, but I've looked for a couple of days now at many different examples, and as far as I can tell mine match the examples.

Here are my config files (parts)

spring-security.xml

<http auto-config="true">

    <intercept-url pattern="/*" access="ROLE_ADMIN"/>
    <form-login login-processing-url="/j_spring_security_check" 
        login-page="/views/login.xhtml" 
        default-target-url="/views/index.xhtml"
        authentication-failure-url="/views/error.xhtml" />

</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="dummy" password="dummy" authorities="ROLE_DUMMY"/>
            <user name="admin" password="admin" authorities="ROLE_ADMIN"/>
        </user-service>
    </authentication-provider>
</authentication-manager>  

web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath:/META-INF/spring/applicationContext.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

server.log

19:48:45,028 INFO  [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 460) Root WebApplicationContext: initialization started
19:48:45,058 INFO  [org.springframework.web.context.support.XmlWebApplicationContext] (ServerService Thread Pool -- 460) Refreshing Root WebApplicationContext: startup date [Tue Aug 20 19:48:45 PDT 2013]; root of context hierarchy
19:48:45,081 INFO  [org.springframework.beans.factory.xml.XmlBeanDefinitionReader] (ServerService Thread Pool -- 460) Loading XML bean definitions from class path resource [META-INF/spring/applicationContext.xml]
19:48:45,152 INFO  [org.springframework.beans.factory.xml.XmlBeanDefinitionReader] (ServerService Thread Pool -- 460) Loading XML bean definitions from ServletContext resource [/WEB-INF/spring-security.xml]
19:48:45,162 INFO  [org.springframework.security.core.SpringSecurityCoreVersion] (ServerService Thread Pool -- 460) You are running with Spring Security Core 3.1.4.RELEASE
19:48:45,163 INFO  [org.springframework.security.config.SecurityNamespaceHandler] (ServerService Thread Pool -- 460) Spring Security 'config' module version is 3.1.4.RELEASE
19:48:45,187 INFO  [org.springframework.security.config.http.HttpSecurityBeanDefinitionParser] (ServerService Thread Pool -- 460) Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, <org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 800, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; 
dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1900, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2000]
19:48:45,258 INFO  [org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor] (ServerService Thread Pool -- 460) JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
19:48:45,282 INFO  [org.springframework.beans.factory.support.DefaultListableBeanFactory] (ServerService Thread Pool -- 460) Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@23c50d4e: defining beans [dataSource,entityManager,entityManagerFactory,distroStoreConverter,distroStaffBean,distroStoreBean,distroTastingBean,editDistroStaffBean,editDistroStoreBean,editDistroTastingBean,loginBean,newDistroStoreBean,newDistroTastingBean,scheduleBean,staffDaoImpl,storeDaoImpl,tastingDaoImp,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.internalPersistenceAnnotationProcessor,jpaPropertyMap,hibernateVendor,transactionManager,org.springframework.aop.config.internalAutoProxyCreator,org.springframework.transaction.annotation.AnnotationTransactionAttributeSource#0,org.springframework.transaction.interceptor.TransactionInterceptor#0,org.springframework.transaction.config.internalTransactionAdvisor,org.springframework.security.filterChains,org.springframework.security.filterChainProxy,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.web.PortResolverImpl#0,org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0,org.springframework.security.web.access.D
efaultWebInvocationPrivilegeEvaluator#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.userDetailsServiceFactory,org.springframework.security.web.DefaultSecurityFilterChain#0,org.springframework.security.provisioning.InMemoryUserDetailsManager#0,org.springframework.security.authentication.dao.DaoAuthenticationProvider#0,org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,org.springframework.context.annotation.ConfigurationClassPostProcessor$ImportAwareBeanPostProcessor#0]; root of factory hierarchy
19:48:45,292 INFO  [org.springframework.jdbc.datasource.DriverManagerDataSource] (ServerService Thread Pool -- 460) Loaded JDBC driver: org.postgresql.Driver
19:48:45,331 INFO  [org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean] (ServerService Thread Pool -- 460) Building JPA container EntityManagerFactory for persistence unit 'default'
19:48:46,047 INFO  [org.springframework.security.web.DefaultSecurityFilterChain] (ServerService Thread Pool -- 460) Creating filter chain: org.springframework.security.web.util.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@5151d7c2, org.springframework.security.web.authentication.logout.LogoutFilter@542c2b43, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1fcc66e1, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@24764e16, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5300990d, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4c404f0d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@12060597, org.springframework.security.web.session.SessionManagementFilter@495905bf, org.springframework.security.web.access.ExceptionTranslationFilter@73886437, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@7f6b9222]
19:48:46,055 INFO  [org.springframework.security.config.http.DefaultFilterChainValidator] (ServerService Thread Pool -- 460) Checking whether login URL '/views/login.xhtml' is accessible with your configuration
19:48:46,062 INFO  [org.springframework.web.context.ContextLoader] (ServerService Thread Pool -- 460) Root WebApplicationContext: initialization completed in 1034 ms
19:48:46,064 INFO  [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 460) Initializing Mojarra 2.1.19-jbossorg-1 20130304-0420 for context '/LuxuryLiquor'
19:48:46,575 INFO  [javax.enterprise.resource.webcontainer.jsf.config] (ServerService Thread Pool -- 460) Monitoring jndi:/default-host/LuxuryLiquor/WEB-INF/faces-config.xml for modifications
19:48:47,591 INFO  [org.jboss.as.server] (management-handler-thread - 16) JBAS018562: Redeployed "LuxuryLiquor.war"
19:48:47,592 INFO  [org.jboss.as.server] (management-handler-thread - 16) JBAS018565: Replaced deployment "LuxuryLiquor.war" with deployment "LuxuryLiquor.war"
19:48:47,596 INFO  [org.jboss.as.repository] (management-handler-thread - 16) JBAS014901: Content removed from location C:\Program Files\jboss-eap-6.1\standalone\data\content\8f\21f2c1f876b95cd37a0207b0fb9148ce3e00b0\content

login.xhtml

<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:p="http://primefaces.org/ui" style="background: black;">

<h:head>
    <meta />
    <h:outputStylesheet library="css" name="screen.css" />
    <title>Login</title>
</h:head>
<h:body>
    <div id="container">
    <div id="content">
        <div class="stores-position">
            <h1>Login</h1>
            <h:form id="loginForm">
                <p:panelGrid>
                    <p:row>
                        <p:column>
                            <h:outputLabel value="Username" />
                        </p:column>
                        <p:column>
                            <h:inputText id="j_username" value="#{loginBean.username}" required="true" />
                        </p:column>
                    </p:row>
                    <p:row>
                        <p:column>
                            <h:outputLabel value="Password" />
                        </p:column>
                        <p:column>
                            <h:inputSecret id="j_password" value="#{loginBean.password}" required="true" />
                        </p:column>
                    </p:row>
                </p:panelGrid>
                <p:commandButton id="login" type="submit" 
                    action="#{loginBean.doLogin}" value="Login" />
            </h:form>
        </div>
    </div>
    <div id="aside">
        <h:graphicImage value="/resources/gfx/LL_logo-1-1.jpg" />
    </div>
    <div id="footer" />
</div>
</h:body>
</html>
  • After version 5.8 there are pre-5.8 and post-5.8 approaches. stackoverflow.com/questions/15498577 Commented Oct 6, 2024 at 14:08

1 Answer

At first glance your url-pattern is wrong. The url-pattern is an Ant-style pattern (the default pattern, that is, as mentioned in the Spring Security Reference Guide), which means that

  • ? matches one character
  • * matches zero or more characters
  • ** matches zero or more 'directories' in a path

You are using /* whereas you probably should have used /**

<http auto-config="true">

<intercept-url pattern="/**" access="ROLE_ADMIN"/>
<form-login login-processing-url="/j_spring_security_check" 
    login-page="/views/login.xhtml" 
    default-target-url="/views/index.xhtml"
    authentication-failure-url="/views/error.xhtml" />

</http>

For more information on Ant-style expressions, consult this question.


1 Comment

That was it! I thought it was going to come down to a spelling mistake or something small. Thanks for including the links. I need to figure out how to unblock my css now so.
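The difference between /* and /** described in the answer, as an added example that is not part of the original question or answer: a simplified Ant-style matcher (not Spring's own AntPathMatcher) applied to the paths that appear in the question. The names `ant_match`, `access_for` and `unmatched` are hypothetical; a path that matches no intercept-url pattern has no access rule applied to it.

```python
import re

def _segment_regex(seg):
    # Inside one path segment: '?' is one character, '*' is zero or more.
    parts = []
    for ch in seg:
        if ch == "?":
            parts.append("[^/]")
        elif ch == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")

def ant_match(pattern, path):
    """Simplified Ant-style match; '**' spans zero or more directories."""
    def walk(pat, segs):
        if not pat:
            return not segs
        head, rest = pat[0], pat[1:]
        if head == "**":
            # Let '**' consume 0..len(segs) directories.
            return any(walk(rest, segs[i:]) for i in range(len(segs) + 1))
        if not segs or _segment_regex(head).match(segs[0]) is None:
            return False
        return walk(rest, segs[1:])
    return walk(pattern.strip("/").split("/"), path.strip("/").split("/"))

def access_for(rules, path):
    """First matching intercept-url wins; None means no rule applied."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access
    return None

# Paths taken from the question's configuration and login page.
PATHS = [
    "/j_spring_security_check",
    "/views/index.xhtml",
    "/views/login.xhtml",
    "/resources/gfx/LL_logo-1-1.jpg",
]

def unmatched(rules):
    """Paths from PATHS that no intercept-url rule covers."""
    return [p for p in PATHS if access_for(rules, p) is None]

if __name__ == "__main__":
    for rules in ([("/*", "ROLE_ADMIN")], [("/**", "ROLE_ADMIN")]):
        print(rules[0][0], "leaves unmatched:", unmatched(rules))
```

With /** every listed path, including the login page and the image under /resources, resolves to ROLE_ADMIN, which is why static resources stop loading for users who are not logged in.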
