gstackoverflow

Reputation: 37106

ERR_TOO_MANY_REDIRECTS after adding a row to the security config

I added this row

<intercept-url pattern="/*" access="isAuthenticated()"/>

to security_config.xml, and the browser tells me

ERR_TOO_MANY_REDIRECTS

security_config.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
<!--        <intercept-url pattern="/*" access="permitAll" /> -->
        <intercept-url pattern="/*" access="isAuthenticated()"/> 
        <form-login login-page="/home.jsp"
            authentication-failure-url="/loginFailed" default-target-url="/index" />
        <logout logout-success-url="/logOut" />
    </http>
    <authentication-manager>
<!--        <authentication-provider ref="provider" /> -->
        <authentication-provider>
            <user-service>
                <user name="name" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

home.jsp:

<%@ page language="java" contentType="text/html; charset=utf8"
    pageEncoding="utf8"%>
<%@taglib uri="http://www.springframework.org/tags" prefix="spring"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib prefix="sec"
    uri="http://www.springframework.org/security/tags"%>
<html>
<head>
<title>Home</title>
</head>
<body>
    <h1>
        Hello,
        <sec:authentication property="principal" />!
    </h1>
    <c:set var="username">
        <sec:authentication property="principal" />
    </c:set>
    <p style="color:#ff0000">${message}</p>

    <c:if test="${username != 'anonymousUser'}">
        <form method="POST" action="j_spring_security_logout">
            <input type="submit" value="log out">
        </form>
        <jsp:include page="WEB-INF/views/menu.jsp" flush="true" />
    </c:if>
    <form method="POST" action="<c:url value="/j_spring_security_check" />" <c:if test="${username != 'anonymousUser'}">hidden="true"</c:if>>
        <table>
            <tr>
                <td align="right">login</td>
                <td><input type="text" name="j_username" id="login"
                    onkeyup="validate()" /></td>
            </tr>
            <tr>
                <td align="right">password</td>
                <td><input type="password" name="j_password" id ="passwordId" onkeyup="validate()" /></td>
            </tr>
            <tr>
                <td align="right">remember me</td>
                <td><input type="checkbox" name="_spring_security_remember_me" /></td>
            </tr>
            <tr>
                <td colspan="2" align="right"><input type="submit"
                    value="Login" id="idSubmit" disabled /> <input type="reset"
                    value="Reset" /></td>
            </tr>
        </table>
    </form>

</body>
<script type="text/javascript">
    // Enable the submit button only when the login matches the expected
    // pattern in full and the password field is not empty.
    function validate() {
        var element = document.getElementById("idSubmit");
        var element1 = document.getElementById("login");
        var resultMatch = element1.value.match('([a-zA-Z0-9])+(_){1}([a-zA-Z0-9])+');
        if (resultMatch == null) {
            element.setAttribute("disabled", "disabled");
            return;
        }
        if (resultMatch[0] == element1.value && document.getElementById("passwordId").value != "") {
            element.removeAttribute("disabled");
            return;
        }
        element.setAttribute("disabled", "disabled");
    }
    // Assign the function itself; a string is never invoked by onload.
    window.onload = validate;
</script>
</html>

But if I write this:

<intercept-url pattern="/*" access="permitAll" />

it works fine.

Can you help me?

Upvotes: 2

Views: 13713

Answers (2)

Tiina

Reputation: 4797

The same could happen in the logout phase when you have the following configuration:

http.logout().logoutSuccessUrl("/logout").permitAll();

Reason: Spring Security first runs the HttpSecurity class getHttp method, where it initializes an http object. Later, when you customize this object through the configure(HttpSecurity http) method, you are actually overwriting those same fields. By default, /logout is used as the logout URL; on success, it redirects to the logout success URL. This is shown in the figure (Spring Security default logout procedure).

But if the logout success URL is configured to be the same as /logout, then an infinite redirect loop is waiting out there. Today I opened this Pandora's box.

Upvotes: 1

Qwerky

Reputation: 18445

<intercept-url pattern="/*" access="isAuthenticated()"/>

means that authentication is required for all URLs. This includes your login URL. What's happening is that you hit a URL, Spring sees auth is required, so it redirects to the login URL; however, you can't access the login URL unless you're authed, so it redirects you to the login URL - hence an infinite redirect loop.

Spring evaluates the intercept URLs in the order you define them, so you can solve it by adding a line above the catch-all, telling Spring that auth is not required for the login URL. You should also add a line for the URL you forward to after logout and failed login, otherwise it's just going to ask you to log in again.

<intercept-url pattern="/home.jsp" access="permitAll" /> 
<intercept-url pattern="/*" access="isAuthenticated()" /> 

Upvotes: 9
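
A check for the condition described in the answer above, as an added example that is not part of the original post or of Spring Security: it parses a reduced copy of the question's http element (constructed here), applies first-match rule ordering with a simplified Ant-style matcher, and reports which redirect targets still require authentication. The names find_redirect_problems, access_for, ant_to_regex, permit, CHECKS and TEMPLATE are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"
ANONYMOUS_OK = {"permitAll", "isAnonymous()"}
# (element, attribute, what happens when the target itself requires authentication)
CHECKS = [("form-login", "login-page", "redirect loop"),
          ("form-login", "authentication-failure-url", "asks for login again"),
          ("logout", "logout-success-url", "asks for login again")]

# Constructed sample: the question's <http> element; {extra} marks where
# additional rules are placed above the catch-all.
TEMPLATE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http use-expressions="true">{extra}
    <intercept-url pattern="/*" access="isAuthenticated()"/>
    <form-login login-page="/home.jsp"
        authentication-failure-url="/loginFailed" default-target-url="/index"/>
    <logout logout-success-url="/logOut"/>
  </http>
</beans:beans>"""

def permit(*urls):
    return "".join('<intercept-url pattern="%s" access="permitAll"/>' % u for u in urls)

def ant_to_regex(pattern):
    # Simplified Ant matching (assumption): ** spans path segments, * stays inside one.
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(
        {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(p, re.escape(p)) for p in parts))

def access_for(url, rules):
    # The first matching rule wins, in declaration order.
    for pattern, access in rules:
        if ant_to_regex(pattern).fullmatch(url):
            return access
    return None  # no rule matched this URL

def find_redirect_problems(config_xml):
    findings = []
    for http in ET.fromstring(config_xml).iter(SEC + "http"):
        rules = [(r.get("pattern"), r.get("access"))
                 for r in http.findall(SEC + "intercept-url")]
        for tag, attr, effect in CHECKS:
            elem = http.find(SEC + tag)
            url = elem.get(attr) if elem is not None else None
            access = access_for(url, rules) if url else None
            if access is not None and access not in ANONYMOUS_OK:
                findings.append((attr, url, effect))
    return findings
```

Because * stays inside one path segment, a rule for /* does not match deeper paths such as /admin/users, so access_for returns None for them; /** is the pattern that spans segments.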
