Billy Sneddon

Reputation: 239

Spring Security

I am having problems with Spring Security and displaying error messages.

Here is what I have in my root-context.xml:

<context:property-placeholder location="classpath:config.properties" />
<!-- Register the Customer.properties -->
<bean id="messageSource"
    class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basename" value="mymessages" />
</bean>

<security:http auto-config='true'>
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:form-login login-page='/login' default-target-url="/"
        authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/" logout-url="/j_spring_security_logout" />
</security:http>
<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="billy" password="123456" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

and in my web.xml I have:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

and my .jsp is:

<body>
    <%@ include file="include/login1.jsp"%>

    <c:if test="${not empty error}">
    <div class="errorblock">Your login attempt was not successful, try again.<br/> Caused :
    </div>
    </c:if>

</body>
</html>

When I log in with the wrong user credentials the first time, it just reloads the login page. Then, if I log in with the correct login credentials, it loads the login page with the text "Your login attempt was not successful, try again. Caused :", but no Spring message saying bad credentials after "Caused :". Any help on this matter is much appreciated.

Upvotes: 1

Views: 3579

Answers (2)

Nalla Srinivas

Reputation: 933

Remove this line and try

<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />

and

 auto-config='true'

It is only required when you configure services manually. Maybe that will work.

Upvotes: 0

reblace

Reputation: 4185

It looks like your authentication-failure URL requires authentication.

<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>

This configuration will only allow unauthenticated people to get to the /login page, but not the /loginfailed page. Try changing the login intercept-urls to:

<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/**" access="ROLE_USER"/>

Alternately, you could just add another intercept-url that specifically calls out the /loginfailed URL.

What's probably happening is that the first time you try to login, it's redirecting you to the login failed page "/loginfailed", which causes another redirect back to the login page due to the authentication failure. Then, when you correctly login, it redirects you back to the "/loginfailed" page because that was the original request before the login redirect.

There's another parameter you can use that will always send you to the default-target...

<form-login login-page='/login' default-target-url='/'
    authentication-failure-url="/loginfailed" always-use-default-target='true' />

Give that a shot and see if it works.

Edit: Here's a complete example of a security setup. In this setup, I'm using additional http declarations instead of additional intercept-urls. My login.jsp changes its content based on the login_error parameter (e.g. login_error=1 makes it put up a message saying 'username or password was incorrect' and login_error=2 makes it put up a message saying that the session has timed out and to please log in again).

<!--  No security on js,css,image and other static resources -->
<http pattern="/resources/**" security="none" />

<!--  No security on error pages -->
<http pattern="/error/**" security="none" />

<!--  No security on pages starting with login -->
<http pattern="/login*" security="none" />

<http auto-config='true'>
    <!--  Everything else requires ROLE_USER -->
    <intercept-url pattern="/**" access="ROLE_USER" />  
    <access-denied-handler error-page="/error/403"/>

    <!-- Custom login page -->
    <form-login login-page='/login' default-target-url='/'
        authentication-failure-url="/login?login_error=1"
        always-use-default-target='false' />

    <!-- Allow user to stay logged in -->
    <remember-me />

    <!-- Custom logout page and remove the session id cookie -->
    <logout logout-url='/logout' delete-cookies="JSESSIONID"/>
    <!-- Custom session timeout page; a single session-management element holds the
         concurrency control as well, since only one is allowed per http element -->
    <session-management invalid-session-url="/login?login_error=2">
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
    </session-management>
</http>

Upvotes: 2
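A small Python model (added here; it is neither Spring Security's code nor part of the answer above) of the behaviour reblace describes: intercept-url rules are evaluated first-match-wins with Ant-style patterns, an anonymous request to a protected URL is saved and redirected to the login page, and a later successful login replays that saved request unless always-use-default-target is set. The rule lists and page names come from the question and the answer; the matcher is a deliberately minimal stand-in for Spring's AntPathMatcher.

```python
import re

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"

def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans path segments, '*' stays within one segment."""
    regex = ""
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            regex += ".*"
        elif token == "*":
            regex += "[^/]*"
        else:
            regex += re.escape(token)
    return re.fullmatch(regex, path) is not None

def access_allowed(rules, path, authenticated):
    """First matching intercept-url wins (rules are evaluated in declaration order)."""
    for pattern, access in rules:
        if ant_match(pattern, path):
            return access == ANON or authenticated
    return True  # no rule matched: the URL is not protected

def simulate_login(rules, always_use_default_target=False, login_page="/login",
                   failure_url="/loginfailed", default_target="/"):
    """Return the pages the browser lands on: first a wrong password, then the right one."""
    landed, saved_request, authenticated = [], None, False

    def navigate(path):
        nonlocal saved_request
        # A protected page hit anonymously is saved and the browser is sent to the login page.
        if not access_allowed(rules, path, authenticated) and path != login_page:
            saved_request = path
            path = login_page
        landed.append(path)

    navigate(failure_url)        # bad credentials: the failure handler redirects here
    authenticated = True         # second attempt succeeds
    if always_use_default_target or saved_request is None:
        target = default_target
    else:
        target = saved_request   # the saved request from the denied /loginfailed hit is replayed
    navigate(target)
    return landed

ORIGINAL_RULES = [("/login", ANON), ("/**", "ROLE_USER")]   # rules from the question
FIXED_RULES = [("/login*", ANON), ("/**", "ROLE_USER")]     # rules suggested in the answer

if __name__ == "__main__":
    print(simulate_login(ORIGINAL_RULES))                                  # ['/login', '/loginfailed']
    print(simulate_login(FIXED_RULES))                                     # ['/loginfailed', '/']
    print(simulate_login(ORIGINAL_RULES, always_use_default_target=True))  # ['/login', '/']
```

The first trace reproduces the question exactly: the failed attempt shows a bare login page, and the successful one lands on /loginfailed.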
