tags:

views:

979

answers:

3
Q: 

Infinite loop using Spring Security - Login page is protected even though it should allow anonymous access

I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup:

web.xml

<welcome-file-list>
  <welcome-file>
    index.jsp
  </welcome-file>
</welcome-file-list>

The index.jsp page is in the WebContent directory and simply contains a redirect:

<c:redirect url="/login.htm"/>

In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/jsp/" />
  <property name="suffix" value=".jsp" />
</bean>

In the security-config.xml file, I have the following configuration:

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

  <form-login login-page="/login.jsp"/>
</http>

<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

However, I can't even navigate to the login page and get the following error in the log:

WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.

I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accesible and security applies to the other pages. What do I have to change to avoid this loop?

A: 

You should set auto-config attribute:

<http auto-config="true">
    <intercept-url ... />
    ...
</http>

EDIT: To avoid problems with multiple UserDetailsService you probably can replace your <authentication-provider> declaration by something like this:

<authentication-provider user-service-ref = "userService" />

<jdbc-user-service id = "userService" data-source-ref="dataSource" />
axtavt  2010-01-06 02:03:38
If I set auto-config to true, I get the following error: "More than one UserDetailsService registered. Please use a specific Id in your configuration"If I remove the authentication-provider from the security xml, this error goes away, but when I try to navigate to the login page, I have to do http authentication instead of the form authentication I want.
Tai Squared  2010-01-06 02:15:05
A: 

The problem was I was missing the 

<anonymous />

tag in the http section of the security-config.xml file so I wasn't able to get to the login page anonymously. Once I added this, I was able to get to the login page and authenticate.

Tai Squared  2010-01-07 03:57:33
A:  
<intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />

you could have replaced that with 

<intercept-url pattern="/login*" filter="none" />

because spring security is right, it doesn't make any sense to protect the login page

dube  2010-03-29 12:00:58

related questions

Java Frameworks War: Spring and Hibernate
Does having many unused beans in a Spring Bean Context waste significant resources?
Internationalization sitemesh
What are the best books for Spring and Spring MVC?
Can I compose a Spring Configuration File from smaller ones?
How do you maintain java webapps in different staging environments?
Best resources to prepare for the "Spring Framework Certification"
What is the best documentation for snapshots and flow repositories in Spring Web Flow?
How do you authenticate against an Active Directory server using Spring Security?
Where can I find a good introductory tutorial for Spring?
JPA Multiple Transaction Managers
Map of Enums and dependency injection in Spring 2.5
Should I use EJB3 or Spring for my business layer?
How do I register a custom type converter in Spring?
Accessing a bean with a dot(.) in its ID
How do I create a spring bean for a Java double primitive?
Validation framework for business app built on Spring 2.5
Some Tomcat webapps not opening
How do I return a 403 Forbidden in Spring MVC?
Aspectj doesn't catch all events in spring framework?
How do you use WebServiceMessageDrivenBean in Spring-WS?
Template Engines for Spring Framework
What's the best way to get started with OSGI?
What OSS project should I look at if I need to do Spring friendly WorkFlow?
What's your "best practice" for the first Java EE Spring project?