tags:

views:

1290

answers:

3
+2  Q: 

Spring Security - Cannot access my welcome webpage while I'm already logged

Hello,

I have a website which uses Spring Security. I have realized that when I am logged in the application and I tried to access the website again without closing this session I get a 404 error. I mean if my application has a context name "myApp" I can acess to localhost:8080/myApp when I am not logged in, but when I am logged in and I entered that URL I get the error. It doesn't happen for example if I enter localhost:8080/myApp/control/login which displays my login form correctly.

Here is my Spring -security configuration:

<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="
   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
   http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd  
   http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"&gt;

<sec:http auto-config="true" access-denied-page="/control/login/error">
   <sec:intercept-url pattern="/resources/**" filters="none"/>
   <sec:intercept-url pattern="/favicon.ico" filters="none"/>
   <sec:intercept-url pattern="/control/login/error" filters="none"/>
   <sec:intercept-url pattern="/control/login" filters="none"/>
   <sec:intercept-url pattern="/control/logout" filters="none"/>
   <sec:intercept-url pattern="/control/newUser" filters="none"/>
   <sec:intercept-url pattern="/control/invitedUser" filters="none"/>
   <sec:intercept-url pattern="/control/error" filters="none"/>

   <sec:intercept-url pattern="/**" access="ROLE_ANONIM,ROLE_GUEST,ROLE_BASIC,ROLE_ADMIN,ROLE_PREMIUM" />
   <sec:form-login login-page='/control/login' default-target-url='/control/index' always-use-default-target='true' />
<sec:logout logout-success-url="/control/logout"/>  

<sec:session-management>
 <sec:concurrency-control expired-url="/control/login/error" />
</sec:session-management>

In my web.xml I have index.jsp as the welcome file

<welcome-file-list>
 <welcome-file>/index.jsp</welcome-file>
</welcome-file-list>

I added the log when I try to access my welcome page and it shows a 404 error:

18:36:26,309 DEBUG [jpa.support.OpenEntityManagerInViewFilter] Using EntityManagerFactory 'entityManagerFactory' for OpenEntityManagerInViewFilter
18:36:26,309 DEBUG [factory.support.DefaultListableBeanFactory] Returning cached instance of singleton bean 'entityManagerFactory'
18:36:26,309 DEBUG [jpa.support.OpenEntityManagerInViewFilter] Opening JPA EntityManager in OpenEntityManagerInViewFilter
18:36:26,309 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,309 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /resources/**; matched=false
18:36:26,309 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,309 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /favicon.ico; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/login/error; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/login; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/logout; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/newuser; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/inviteduser; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/error; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /**; matched=true
18:36:26,310 DEBUG [security.web.FilterChainProxy] / at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@172cbae'
18:36:26,310 DEBUG [security.web.FilterChainProxy] / at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@a89e44'
18:36:26,311 DEBUG [web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1e4fb61: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1e4fb61: Principal: es.myComp.myApp.model.Usuario@a3c69a; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CBDBA57F561C0D3C2AC576182D449F00; Granted Authorities: es.myComp.myApp.model.Role@1450701'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@17dfcf1'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@697087'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 5 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5acf13'
18:36:26,311 DEBUG [authentication.www.BasicAuthenticationFilter] Authorization header: null
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 6 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1d1282d'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 7 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@a4b9da'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 8 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@130f268'
18:36:26,311 DEBUG [web.authentication.AnonymousAuthenticationFilter] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1e4fb61: Principal: es.myComp.myApp.model.Usuario@a3c69a; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CBDBA57F561C0D3C2AC576182D449F00; Granted Authorities: es.myComp.myApp.model.Role@1450701'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 9 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@95772a'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 10 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@c26acd'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 11 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1f1bf46'
18:36:26,311 DEBUG [access.intercept.DefaultFilterInvocationSecurityMetadataSource] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,312 DEBUG [access.intercept.DefaultFilterInvocationSecurityMetadataSource] Candidate is: '/'; pattern is /**; matched=true
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /; Attributes: [ROLE_ANONIM, ROLE_GUEST, ROLE_BASIC, ROLE_ADMIN, ROLE_PREMIUM]
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1e4fb61: Principal: es.myComp.myApp.model.Usuario@a3c69a; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CBDBA57F561C0D3C2AC576182D449F00; Granted Authorities: es.myComp.myApp.model.Role@1450701
18:36:26,312 DEBUG [access.vote.AffirmativeBased] Voter: org.springframework.security.access.vote.RoleVoter@1b24628, returned: 1
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] Authorization successful
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] RunAsManager did not change Authentication object
18:36:26,312 DEBUG [security.web.FilterChainProxy] / reached end of additional filter chain; proceeding with original chain
18:36:26,312 DEBUG [web.access.ExceptionTranslationFilter] Chain processed normally
18:36:26,312 DEBUG [web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
18:36:26,312 DEBUG [jpa.support.OpenEntityManagerInViewFilter] Closing JPA EntityManager in OpenEntityManagerInViewFilter
18:36:26,312 DEBUG [orm.jpa.EntityManagerFactoryUtils] Closing JPA EntityManager

Edit: It only happens when I am already logged. May it be a problem with the session?

Thanks in advance.

Edit: I have Spring 3.0.0 RC3 and Spring Security 3.0.0 RC1 It still happens, any idea?

A: 

mmmm, does this URL work http://localhost:8080/myApp/control/index or it shows a 404 too? It's the one in default-target-url property.

And without the / ? 

<welcome-file-list>
 <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
rodrigoap  2010-01-13 14:26:00
http://localhost:8080/myApp/control/index works but http://localhost:8080/myApp shows a 404 error
Javi  2010-01-13 15:40:35
it happens the same without the/
Javi  2010-01-13 17:43:06
A:  
<sec:intercept-url pattern="/**" access="ROLE_ANONIM,ROLE_GUEST,ROLE_BASIC,ROLE_ADMIN,ROLE_PREMIUM" />

is being qualified for the url there and can be access only by those users.

Also I noticed you using ROLE_ANONIM, but you haven't configured it to set as default role. I mean something like this

<sec:anonymous username="guest" granted-authority="ROLE_ANONIM"/>


<sec:intercept-url pattern="/control/login**" filters="none" />

Adding the above line should solve your problem

Teja Kantamneni  2010-01-20 20:15:53
My ROLE_ANONIM is an special Role which has more privileges than the anonymous one. My problem only happens when I'm already logged in the system and I try to access to the site again without loggin out.
Javi  2010-01-21 10:02:07
try adding this line<sec:intercept-url pattern="/control/login**" filters="none" />
Teja Kantamneni  2010-01-25 18:47:11
Thanks for your answer, but it doesn't work either. I don't get a AccessDeniedException as when I try to access a forbidden page. I think Spring Security catch the URL / but it doesn't know what to do with it.
Javi  2010-01-26 13:01:59
A: 

I solved it by the use of a JSP used just to redirect to the index.jsp REST url and by setting in the welcome-file the absolute path to the location where the JSP starting with a slash.

Javi  2010-03-05 10:32:57

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?