views: 46
answers: 3

My Spring MVC app is not allowing any logins and I can't figure out why.

I've added logging to the Login Controller but nothing is being outputted there.

The login page just seems to automatically redirect to the error page without going through the Login Controller.

Any ideas how to debug this problem?

<http auto-config="false" access-decision-manager-ref="accessDecisionManager" use-expressions="true">
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')" requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')" requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')" requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')" requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit" authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="sha-256" base64="true">
            <salt-source user-property="salt" />
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="userDetailsService" class="com.my.UserDetailsServiceImpl">
</beans:bean>

<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <beans:constructor-arg value="256" />
    <beans:property name="encodeHashAsBase64" value="true" />
</beans:bean>

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_USER
            ROLE_USER > ROLE_ANONYMOUS
        </beans:value>
    </beans:property>
</beans:bean>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <beans:property name="expressionHandler">
                    <beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
                        <beans:property name="roleHierarchy" ref="roleHierarchy" />
                    </beans:bean>
                </beans:property>
            </beans:bean>
        </beans:list>
    </beans:property>
</beans:bean>
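
The password-encoder declared above (hash="sha-256", base64="true", salt taken from the user's salt property) follows Spring Security's documented MessageDigest encoder scheme: the salt is merged into the raw password as password{salt}, the UTF-8 bytes are hashed, and the digest is Base64 (or hex) encoded. The following is an added example, not code from the question or any answer: it mirrors that scheme in plain Python (the merge format and the single-iteration digest are assumptions based on Spring's documented behaviour, with constructed sample values) so a stored hash can be checked against the configured scheme when a BadCredentialsException is the only symptom.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample credential, standing in for a row that
# UserDetailsServiceImpl would load (per-user salt plus the raw password).
SAMPLE_SALT = "k3Q9x2"
SAMPLE_PASSWORD = "correct horse"


def merge_password_and_salt(password: str, salt: Optional[str]) -> str:
    """Mirror Spring Security's BasePasswordEncoder merge: 'password{salt}'.
    An empty or missing salt leaves the password unchanged (assumed from
    the documented behaviour)."""
    if salt is None or salt == "":
        return password
    return f"{password}{{{salt}}}"


def encode_password(password: str, salt: Optional[str], base64_output: bool = True) -> str:
    """Mirror <password-encoder hash="sha-256" base64="true"> with a salt-source:
    SHA-256 over the merged UTF-8 string, digest encoded as Base64 or hex."""
    digest = hashlib.sha256(merge_password_and_salt(password, salt).encode("utf-8")).digest()
    if base64_output:
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()


def is_password_valid(stored_hash: str, raw_password: str, salt: Optional[str]) -> bool:
    """Recompute and compare in constant time; a mismatch here is what the
    provider reports as BadCredentialsException in the security DEBUG log."""
    return hmac.compare_digest(encode_password(raw_password, salt), stored_hash)


def diagnose(stored_hash: str, raw_password: str, salt: Optional[str]) -> str:
    """Report which encoder setting a stored hash actually matches, to spot a
    scheme mismatch between the database row and the XML config."""
    if is_password_valid(stored_hash, raw_password, salt):
        return "matches sha-256 + base64 + user salt (config as written)"
    if hmac.compare_digest(encode_password(raw_password, salt, base64_output=False), stored_hash):
        return "matches sha-256 + hex: stored hash is hex, config says base64"
    if hmac.compare_digest(encode_password(raw_password, None), stored_hash):
        return "matches sha-256 + base64 without salt: row was hashed unsalted"
    return "no match: different algorithm, iterations, or wrong password"


if __name__ == "__main__":
    stored = encode_password(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(stored, diagnose(stored, SAMPLE_PASSWORD, SAMPLE_SALT))
```

Run diagnose() against a real row only with a password you know; "no match" for a known-good password means the stored hash was produced with a different scheme than the one the XML declares.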
+1  A: 

If there's no Spring Security related log information which is useful, the next step I'd take is setting a breakpoint in org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpServletRequest, HttpServletResponse, FilterChain) and follow down the path.

mhaller
+1  A: 

If there is no SpringSecurity logging, then you should be checking the logging configs. I know for a fact that if you correctly configure logging, and set the log level to DEBUG you will get copious log messages.

(And if you cannot get logging working at all, direct output to System.err might be an option ...)

Why would a Spring login form not reveal any error information for a failed login?

As a general rule, revealing to the end user too much about why his login attempt failed is bad for security. For instance, if you tell the user that the account name is wrong or the password is wrong, a hacker can attack the two credential components separately.

Stephen C
+1  A: 

My Spring MVC app is not allowing any logins and I can't figure out why.

Ensure you have added the following line in your log4j.properties for logging security-related exceptions.

log4j.logger.org.springframework.security = DEBUG

If you haven't added it, do so; after that you should be able to see something like this (shown below) in your log file.

Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

In case you want to debug, put a debug pointer in ExceptionTranslationFilter.java in the following method:

private void handleException(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
        RuntimeException exception) throws IOException, ServletException {
    if (exception instanceof AuthenticationException) {
        if (logger.isDebugEnabled()) {
            logger.debug("Authentication exception occurred; redirecting to authentication entry point", exception);
        }

        sendStartAuthentication(request, response, chain, (AuthenticationException) exception);
    }

    ....
}

I've added logging to the Login Controller but nothing is being outputted there.

Your LoginController will not be invoked until authentication has succeeded.

novice