1

I'm developing a Spring application with the Spring Security module. The basic settings work pretty fine, but when I want to make some logic like "The FormLogin page is the only one allowed to any people, all the other ones can be seen only if the user is authenticated". So my Spring config file is like:

<security:http security="none" pattern="/resources/**" />
<security:http security="none" pattern="/FormLogin" />
<security:http auto-config="true" use-expressions="true">
    <security:csrf disabled="true" />
    <security:intercept-url pattern="/**"
        access="isAuthenticated()" />
    <security:intercept-url pattern="/admin/**"
        access="hasRole('Admin')" />
    <security:logout logout-success-url="/welcome"
        logout-url="/logout" />
    <security:form-login login-page="/FormLogin"
        login-processing-url="/j_spring_security_check" default-target-url="/welcome"
        username-parameter="username" password-parameter="hashPwd"
        authentication-failure-url="/loginError" />
</security:http>

So basically I have my admin folder reserved to the admins, the FormLogin that can be accessed by anybody and all the other pages that can be seen only by authenticated users.

Without this line:

<security:intercept-url pattern="/**"   access="isAuthenticated()" />

after the login I got correctly redirected to the welcome page; like this I get redirected to the root of the application and I get the following message:

22/06/2015 20:44:50 - DEBUG - (AbstractSecurityInterceptor.java:242) - Authorization successful
22/06/2015 20:44:50 - DEBUG - (AbstractSecurityInterceptor.java:255) - RunAsManager did not change Authentication object
22/06/2015 20:44:50 - DEBUG - (FilterChainProxy.java:309) - / reached end of additional filter chain; proceeding with original chain
22/06/2015 20:44:50 - DEBUG - (DispatcherServlet.java:861) - DispatcherServlet with name 'spring-mvc' processing GET request for [/Fantacalcio/]
22/06/2015 20:44:50 - DEBUG - (AbstractHandlerMethodMapping.java:294) - Looking up handler method for path /
22/06/2015 20:44:50 - DEBUG - (AbstractHandlerMethodMapping.java:302) - Did not find handler method for [/]
22/06/2015 20:44:50 - DEBUG - (AbstractHandlerMethodMapping.java:294) - Looking up handler method for path /
22/06/2015 20:44:50 - DEBUG - (AbstractHandlerMethodMapping.java:302) - Did not find handler method for [/]
22/06/2015 20:44:50 - DEBUG - (AbstractUrlHandlerMapping.java:123) - Mapping [/] to HandlerExecutionChain with handler [org.springframework.web.servlet.mvc.ParameterizableViewController@92464f] and 1 interceptor
22/06/2015 20:44:50 - DEBUG - (DispatcherServlet.java:947) - Last-Modified value for [/Fantacalcio/] is: -1
22/06/2015 20:44:50 - DEBUG - (DispatcherServlet.java:1241) - Rendering view [org.springframework.web.servlet.view.JstlView: name 'FormLogin'; URL [/WEB-INF/views/FormLogin.jsp]] in DispatcherServlet with name 'spring-mvc'
22/06/2015 20:44:50 - DEBUG - (InternalResourceView.java:166) - Forwarding to resource [/WEB-INF/views/FormLogin.jsp] in InternalResourceView 'FormLogin'
22/06/2015 20:44:50 - DEBUG - (FrameworkServlet.java:996) - Successfully completed request
22/06/2015 20:44:50 - DEBUG - (ExceptionTranslationFilter.java:116) - Chain processed normally
22/06/2015 20:44:50 - DEBUG - (SecurityContextPersistenceFilter.java:105) - SecurityContextHolder now cleared, as request processing completed

What am I doing wrong?

2
  • That's looking good, what's the problem? Commented Jun 22, 2015 at 18:55
  • Instead of being redirected to /welcome I get redirected to / Commented Jun 22, 2015 at 18:58

3 Answers

3

The order of the intercept-url tags is important as that is also the order they are consulted in. The first match wins. Now your first intercept-url has a pattern="/**" which catches all, this basically renders all your other intercept-url patterns useless. You also don't have a mapping for your FormLogin page so add it.

When using /** in a pattern it always has to be last!

If you always want to be redirected to the URL specified in the default-target-url, set the always-use-default-target attribute to true.

<security:http security="none" pattern="/resources/**" />
<security:http security="none" pattern="/FormLogin" />
<security:http auto-config="true" use-expressions="true">
    <security:csrf disabled="true" />
    <security:intercept-url pattern="/FormLogin" access="permitAll" />
    <security:intercept-url pattern="/admin/**" access="hasRole('Admin')" />
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:logout logout-success-url="/welcome" logout-url="/logout" />
    <security:form-login login-page="/FormLogin"
        login-processing-url="/j_spring_security_check" default-target-url="/welcome" always-use-default-target="true"
        username-parameter="username" password-parameter="hashPwd"
        authentication-failure-url="/loginError" />
</security:http>
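
The first-match-wins rule from the answer above, as an added example that is not part of the original answer or of Spring Security's own code: it resolves constructed sample paths against the question's rule order and the answer's rule order using Spring's AntPathMatcher. It assumes spring-core is on the classpath; the class name, the Rule record and the effectiveAccess helper are hypothetical.

```java
import java.util.List;
import org.springframework.util.AntPathMatcher;

public class InterceptUrlOrder {

    // One <security:intercept-url> entry: Ant pattern plus access expression.
    record Rule(String pattern, String access) {}

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Walk the rules in declaration order; the first matching pattern decides.
    static String effectiveAccess(List<Rule> rules, String path) {
        for (Rule rule : rules) {
            if (MATCHER.match(rule.pattern(), path)) {
                return rule.access();
            }
        }
        return "(no rule matched)";
    }

    public static void main(String[] args) {
        // Rule order as posted in the question: the catch-all comes first.
        List<Rule> questionOrder = List.of(
            new Rule("/**", "isAuthenticated()"),
            new Rule("/admin/**", "hasRole('Admin')"));

        // Rule order from the answer: specific patterns first, /** last.
        List<Rule> answerOrder = List.of(
            new Rule("/FormLogin", "permitAll"),
            new Rule("/admin/**", "hasRole('Admin')"),
            new Rule("/**", "isAuthenticated()"));

        // Constructed sample paths, not taken from the application.
        for (String path : List.of("/welcome", "/admin/users")) {
            System.out.printf("%-13s question order: %-18s answer order: %s%n",
                path,
                effectiveAccess(questionOrder, path),
                effectiveAccess(answerOrder, path));
        }
    }
}
```

With the question's order, every path, including those under /admin/, resolves to isAuthenticated(), so the hasRole('Admin') rule is never consulted.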

0

Maybe you tried to log in by accessing "/" (root of your application). The default for Spring Security is, if a secured resource is accessed, one will be redirected to the login page and after successful login back to the URL he accessed before.

You might try setting "always-use-default-target" to "true" ("form-login" element):

If set to "true", the user will always start at the value given by default-target-url, regardless of how they arrived at the login page. Maps to the alwaysUseDefaultTargetUrl property of UsernamePasswordAuthenticationFilter. Default value is "false".


0

Try setting "always-use-default-target" to true, which is on the form-login element; it will always start at the value given by default-target-url, regardless of how they arrived at the login page.
