Hello,

I have a website which uses Spring Security. I have realized that when I am logged in to the application and I try to access the website again without closing the session, I get a 404 error. I mean, if my application has the context name "myApp", I can access localhost:8080/myApp when I am not logged in, but when I am logged in and I enter that URL I get the error. It doesn't happen, for example, if I enter localhost:8080/myApp/control/login, which displays my login form correctly.

Here is my Spring Security configuration:

<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://www.springframework.org/schema/security"
  xsi:schemaLocation="
   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
   http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

  <sec:http auto-config="true" access-denied-page="/control/login/error">
    <!-- public resources and login/logout endpoints bypass the security filter chain entirely -->
    <sec:intercept-url pattern="/resources/**" filters="none"/>
    <sec:intercept-url pattern="/favicon.ico" filters="none"/>
    <sec:intercept-url pattern="/control/login/error" filters="none"/>
    <sec:intercept-url pattern="/control/login" filters="none"/>
    <sec:intercept-url pattern="/control/logout" filters="none"/>
    <sec:intercept-url pattern="/control/newUser" filters="none"/>
    <sec:intercept-url pattern="/control/invitedUser" filters="none"/>
    <sec:intercept-url pattern="/control/error" filters="none"/>

    <!-- everything else requires one of these roles -->
    <sec:intercept-url pattern="/**" access="ROLE_ANONIM,ROLE_GUEST,ROLE_BASIC,ROLE_ADMIN,ROLE_PREMIUM" />
    <sec:form-login login-page='/control/login' default-target-url='/control/index' always-use-default-target='true' />
    <sec:logout logout-success-url="/control/logout"/>

    <sec:session-management>
      <sec:concurrency-control expired-url="/control/login/error" />
    </sec:session-management>
  </sec:http>
</beans>

In my web.xml I have index.jsp as the welcome file:

<welcome-file-list>
 <welcome-file>/index.jsp</welcome-file>
</welcome-file-list>

I added the log when I try to access my welcome page and it shows a 404 error:

18:36:26,309 DEBUG [jpa.support.OpenEntityManagerInViewFilter] Using EntityManagerFactory 'entityManagerFactory' for OpenEntityManagerInViewFilter
18:36:26,309 DEBUG [factory.support.DefaultListableBeanFactory] Returning cached instance of singleton bean 'entityManagerFactory'
18:36:26,309 DEBUG [jpa.support.OpenEntityManagerInViewFilter] Opening JPA EntityManager in OpenEntityManagerInViewFilter
18:36:26,309 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,309 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /resources/**; matched=false
18:36:26,309 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,309 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /favicon.ico; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/login/error; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/login; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/logout; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/newuser; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/inviteduser; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /control/error; matched=false
18:36:26,310 DEBUG [security.web.FilterChainProxy] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,310 DEBUG [security.web.FilterChainProxy] Candidate is: '/'; pattern is /**; matched=true
18:36:26,310 DEBUG [security.web.FilterChainProxy] / at position 1 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@172cbae'
18:36:26,310 DEBUG [security.web.FilterChainProxy] / at position 2 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@a89e44'
18:36:26,311 DEBUG [web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1e4fb61: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1e4fb61: Principal: es.myComp.myApp.model.Usuario@a3c69a; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CBDBA57F561C0D3C2AC576182D449F00; Granted Authorities: es.myComp.myApp.model.Role@1450701'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 3 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@17dfcf1'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 4 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@697087'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 5 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5acf13'
18:36:26,311 DEBUG [authentication.www.BasicAuthenticationFilter] Authorization header: null
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 6 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1d1282d'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 7 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@a4b9da'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 8 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@130f268'
18:36:26,311 DEBUG [web.authentication.AnonymousAuthenticationFilter] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1e4fb61: Principal: es.myComp.myApp.model.Usuario@a3c69a; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CBDBA57F561C0D3C2AC576182D449F00; Granted Authorities: es.myComp.myApp.model.Role@1450701'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 9 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@95772a'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 10 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@c26acd'
18:36:26,311 DEBUG [security.web.FilterChainProxy] / at position 11 of 11 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@1f1bf46'
18:36:26,311 DEBUG [access.intercept.DefaultFilterInvocationSecurityMetadataSource] Converted URL to lowercase, from: '/'; to: '/'
18:36:26,312 DEBUG [access.intercept.DefaultFilterInvocationSecurityMetadataSource] Candidate is: '/'; pattern is /**; matched=true
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] Secure object: FilterInvocation: URL: /; Attributes: [ROLE_ANONIM, ROLE_GUEST, ROLE_BASIC, ROLE_ADMIN, ROLE_PREMIUM]
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1e4fb61: Principal: es.myComp.myApp.model.Usuario@a3c69a; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: CBDBA57F561C0D3C2AC576182D449F00; Granted Authorities: es.myComp.myApp.model.Role@1450701
18:36:26,312 DEBUG [access.vote.AffirmativeBased] Voter: org.springframework.security.access.vote.RoleVoter@1b24628, returned: 1
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] Authorization successful
18:36:26,312 DEBUG [access.intercept.FilterSecurityInterceptor] RunAsManager did not change Authentication object
18:36:26,312 DEBUG [security.web.FilterChainProxy] / reached end of additional filter chain; proceeding with original chain
18:36:26,312 DEBUG [web.access.ExceptionTranslationFilter] Chain processed normally
18:36:26,312 DEBUG [web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
18:36:26,312 DEBUG [jpa.support.OpenEntityManagerInViewFilter] Closing JPA EntityManager in OpenEntityManagerInViewFilter
18:36:26,312 DEBUG [orm.jpa.EntityManagerFactoryUtils] Closing JPA EntityManager

Edit: It only happens when I am already logged in. Could it be a problem with the session?

Thanks in advance.

Edit: I have Spring 3.0.0 RC3 and Spring Security 3.0.0 RC1. It still happens, any ideas?

A: 

mmmm, does this URL work: http://localhost:8080/myApp/control/index, or does it show a 404 too? It's the one in the default-target-url property.

And without the / ?

<welcome-file-list>
 <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
rodrigoap
http://localhost:8080/myApp/control/index works, but http://localhost:8080/myApp shows a 404 error.
Javi
It happens the same without the /.
Javi
A: 
<sec:intercept-url pattern="/**" access="ROLE_ANONIM,ROLE_GUEST,ROLE_BASIC,ROLE_ADMIN,ROLE_PREMIUM" />

is what qualifies the URL there, and it can be accessed only by those users.

Also, I noticed you are using ROLE_ANONIM, but you haven't configured it as the default (anonymous) role. I mean something like this:

<sec:anonymous username="guest" granted-authority="ROLE_ANONIM"/>


<sec:intercept-url pattern="/control/login**" filters="none" />

Adding the above line should solve your problem.

Teja Kantamneni
My ROLE_ANONIM is a special role which has more privileges than the anonymous one. My problem only happens when I'm already logged in to the system and I try to access the site again without logging out.
Javi
Try adding this line: <sec:intercept-url pattern="/control/login**" filters="none" />
Teja Kantamneni
Thanks for your answer, but it doesn't work either. I don't get an AccessDeniedException as I do when I try to access a forbidden page. I think Spring Security catches the URL / but doesn't know what to do with it.
Javi
A: 

I solved it by using a JSP that does nothing but redirect to the index.jsp REST URL, and by setting the welcome-file to the absolute path of that JSP, starting with a slash.

Javi
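As an added illustration of the fix this answer describes (not the poster's own code), here is a welcome JSP that only redirects to the index controller. The target `/control/index` is the default-target-url from the question's configuration; the file name `index.jsp` and its location at the web application root are assumptions.

```jsp
<%@ page session="false" %>
<%
    // Hypothetical welcome page for the question's application.
    // Build the redirect target from the servlet context path plus a fixed
    // string, so it works for any context name ("/myApp" here) and no
    // request-supplied value can reach the Location header.
    response.sendRedirect(request.getContextPath() + "/control/index");
%>
```

With this file at the root of the web application, the `<welcome-file>/index.jsp</welcome-file>` entry from the question points at it with a leading slash, and a request for `/myApp` is answered with a 302 to `/myApp/control/index`, which then passes through the `/**` rule like any other secured URL. `session="false"` keeps the page from creating an HttpSession that nothing needs.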
