Richie
Reputation: 5199
stop spring security blocking access to my resources folder
I'm stumped with a problem that I have been working all day on trying to resolve. I have just moved my spring mvc web application from 3.0.5.RELEASE to 3.1.0.RELEASE and have found that the behavior of spring security is different for what I have configured.
My error is manifesting itself when I try to load my login page. The errors are doc type errors...
But after having done some research I came to understand that the error message is telling me that the css and js resources I am trying to load in my login page cannot be found (or is my case spring security is not allowing access to them).
I have tried all day to tweak the spring security files to allow access to the css and js resources but can't get the configuration right. Would really appreciate some help.
Here is my project structure...
Tomcat Webapps>
>ReportingManager
>WEB-INF
>pages
>spring-application-context.xml
>spring-security.xml
>spring-database.xml
>spring-resources.xml
>spring-managers.xml
>resources
>css
>images
>reports
Here is my web.xml...
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-application-context.xml</param-value>
</context-param>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Here is my spring-security.xml file....
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:global-method-security secured-annotations="enabled" />
<http pattern="/**/*.css" security="none" />
<http pattern="/**/*.js" security="none" />
<http pattern="/**/*.png" security="none" />
<http pattern="/**/*.jpg" security="none" />
<http pattern="/**/*.gif" security="none" />
<security:http auto-config="true">
<!-- Login and log out -->
<security:form-login
login-page="/login"
default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<security:logout logout-success-url="/logout" />
<intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_LEVEL7" />
<intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY,ROLE_LEVEL7" />
<intercept-url pattern="/welcome" access="ROLE_LEVEL7" />
<intercept-url pattern="/priceOverride" access="ROLE_LEVEL7" />
</security:http>
<!-- Authentication -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userDetailsDao">
<security:password-encoder hash="md5" />
</security:authentication-provider>
</security:authentication-manager>
</beans>
And just for completeness here is my application context....
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- import XML fragments to use in the application context -->
<import resource="spring-database.xml" />
<import resource="spring-resources.xml" />
<import resource="spring-managers.xml" />
<import resource="spring-security.xml" />
</beans>
And also my mvc-dispatcher-servlet.xml...
<context:component-scan base-package="com.myer.reporting.controller" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:annotation-driven />
I'm so sorry for the long post but want to make sure I don't leave any valuable information out. I know it is definitely spring security causing the issue because when I was on 3.0.5.RELEASE I could hit the css and javascript in the browser. But when I try to do the same with 3.1.0.RELEASE I can't hit the css or js. But the other confusing thing about this is that I am not getting 403 errors. Instead it just keeps me at the current page (login.htm).
thanks for your help. Even though it would be embarrassing I hope it is something easy to fix that I have missed.
Update --> I've tried some of the answers below unsuccessfully. But I did manage to get some output from the logs and have attached the output below to see if anyone can tell would might be happening. I've also updated my original configuration slightly based on the help you gave me.
2014-01-07 12:50:43,362 INFO [SpringSecurityCoreVersion] - You are running with Spring Security Core 3.1.4.RELEASE
2014-01-07 12:50:43,362 INFO [SecurityNamespaceHandler] - Spring Security 'config' module version is 3.1.4.RELEASE
2014-01-07 12:50:43,455 INFO [HttpSecurityBeanDefinitionParser] - Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, <org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 800, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1900, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2000]
2014-01-07 12:50:44,236 INFO [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.css'], []
2014-01-07 12:50:44,283 INFO [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.js'], []
2014-01-07 12:50:44,283 INFO [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.png'], []
2014-01-07 12:50:44,283 INFO [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.jpg'], []
2014-01-07 12:50:44,283 INFO [DefaultSecurityFilterChain] - Creating filter chain: Ant [pattern='/**/*.gif'], []
2014-01-07 12:50:44,704 DEBUG [FilterSecurityInterceptor] - Validated configuration attributes
2014-01-07 12:50:44,704 INFO [DefaultSecurityFilterChain] - Creating filter chain: org.springframework.security.web.util.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@64dfeb, org.springframework.security.web.authentication.logout.LogoutFilter@a8c19b, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@13eb2bc, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@14865b1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@c5575, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1be8bf1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@d591a6, org.springframework.security.web.session.SessionManagementFilter@14d6015, org.springframework.security.web.access.ExceptionTranslationFilter@df39bc, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@147788d]
2014-01-07 12:50:44,720 INFO [DefaultFilterChainValidator] - Checking whether login URL '/login' is accessible with your configuration
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.css'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.js'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.png'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.jpg'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/**/*.gif'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/resources/**'
2014-01-07 12:50:44,720 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login'; against '/login'
2014-01-07 12:50:44,720 DEBUG [AffirmativeBased] - Voter: org.springframework.security.access.vote.RoleVoter@a3ce3f, returned: -1
2014-01-07 12:50:44,720 DEBUG [AffirmativeBased] - Voter: org.springframework.security.access.vote.AuthenticatedVoter@39b99d, returned: 1
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.css'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.js'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.png'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.jpg'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/**/*.gif'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-01-07 12:52:00,472 DEBUG [HttpSessionSecurityContextRepository] - No HttpSession currently exists
2014-01-07 12:52:00,472 DEBUG [HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: null. A new one will be created.
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-01-07 12:52:00,472 DEBUG [AnonymousAuthenticationFilter] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-01-07 12:52:00,472 DEBUG [SessionManagementFilter] - Requested session ID 5CB169513CF0935187728353885EB4EF is invalid.
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/resources/**'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/login'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/welcome'
2014-01-07 12:52:00,472 DEBUG [AntPathRequestMatcher] - Checking match of request : '/index.jsp'; against '/priceoverride'
2014-01-07 12:52:00,472 DEBUG [FilterSecurityInterceptor] - Public object - authentication not attempted
2014-01-07 12:52:00,472 DEBUG [FilterChainProxy] - /index.jsp reached end of additional filter chain; proceeding with original chain
2014-01-07 12:52:01,659 DEBUG [HttpSessionEventPublisher] - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@818805]
2014-01-07 12:52:01,659 DEBUG [HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-01-07 12:52:01,659 DEBUG [ExceptionTranslationFilter] - Chain processed normally
2014-01-07 12:52:01,659 DEBUG [SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.css'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.js'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.png'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.jpg'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/**/*.gif'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-01-07 12:52:01,675 DEBUG [HttpSessionSecurityContextRepository] - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2014-01-07 12:52:01,675 DEBUG [HttpSessionSecurityContextRepository] - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@818805. A new one will be created.
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2014-01-07 12:52:01,675 DEBUG [AnonymousAuthenticationFilter] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: 6797458107289A1298C0F15240BC0CB4; Granted Authorities: ROLE_ANONYMOUS'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/resources/**'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/login'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/welcome'
2014-01-07 12:52:01,675 DEBUG [AntPathRequestMatcher] - Checking match of request : '/login.html'; against '/priceoverride'
2014-01-07 12:52:01,675 DEBUG [FilterSecurityInterceptor] - Public object - authentication not attempted
2014-01-07 12:52:01,675 DEBUG [FilterChainProxy] - /login.html reached end of additional filter chain; proceeding with original chain
2014-01-07 12:52:02,846 DEBUG [HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-01-07 12:52:02,846 DEBUG [ExceptionTranslationFilter] - Chain processed normally
2014-01-07 12:52:02,846 DEBUG [SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
2014-01-07 12:52:02,862 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/css/header.css'; against '/**/*.css'
2014-01-07 12:52:02,862 DEBUG [FilterChainProxy] - /resources/css/header.css has an empty filter list
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/grid.locale-en.js'; against '/**/*.css'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery-1.7.1.min.js'; against '/**/*.css'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/grid.locale-en.js'; against '/**/*.js'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery-1.7.1.min.js'; against '/**/*.js'
2014-01-07 12:52:02,877 DEBUG [FilterChainProxy] - /resources/js/grid.locale-en.js has an empty filter list
2014-01-07 12:52:02,877 DEBUG [FilterChainProxy] - /resources/js/jquery-1.7.1.min.js has an empty filter list
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.metadata.js'; against '/**/*.css'
2014-01-07 12:52:02,877 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.metadata.js'; against '/**/*.js'
2014-01-07 12:52:02,877 DEBUG [FilterChainProxy] - /resources/js/jquery.metadata.js has an empty filter list
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.jqgrid.min.js'; against '/**/*.css'
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.jqgrid.min.js'; against '/**/*.js'
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.validate.min.js'; against '/**/*.css'
2014-01-07 12:52:02,893 DEBUG [FilterChainProxy] - /resources/js/jquery.jqGrid.min.js has an empty filter list
2014-01-07 12:52:02,893 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.validate.min.js'; against '/**/*.js'
2014-01-07 12:52:02,893 DEBUG [FilterChainProxy] - /resources/js/jquery.validate.min.js has an empty filter list
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/messages.js'; against '/**/*.css'
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/messages.js'; against '/**/*.js'
2014-01-07 12:52:02,909 DEBUG [FilterChainProxy] - /resources/js/messages.js has an empty filter list
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.hotkeys-0.8.js'; against '/**/*.css'
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/jquery.hotkeys-0.8.js'; against '/**/*.js'
2014-01-07 12:52:02,909 DEBUG [FilterChainProxy] - /resources/js/jquery.hotkeys-0.8.js has an empty filter list
2014-01-07 12:52:02,909 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/shortcut-keys.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/constants.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/validation.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/common.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/shortcut-keys.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/constants.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/validation.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/common.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/shortcut-Keys.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/validation.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/common.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/constants.js has an empty filter list
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/pages/login.js'; against '/**/*.css'
2014-01-07 12:52:02,924 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/js/pages/login.js'; against '/**/*.js'
2014-01-07 12:52:02,924 DEBUG [FilterChainProxy] - /resources/js/pages/login.js has an empty filter list
2014-01-07 12:52:02,940 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/css/yaml/yaml/core/js/yaml-focusfix.js'; against '/**/*.css'
2014-01-07 12:52:02,940 DEBUG [AntPathRequestMatcher] - Checking match of request : '/resources/css/yaml/yaml/core/js/yaml-focusfix.js'; against '/**/*.js'
2014-01-07 12:52:02,940 DEBUG [FilterChainProxy] - /resources/css/yaml/yaml/core/js/yaml-focusfix.js has an empty filter list
Upvotes: 1
Views: 11066
Answers (3)
Richie
Reputation: 5199
I had some help on this. The issue was that I needed to change the following in my web.xml...
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.rep</url-pattern>
</servlet-mapping>
Upvotes: 0
Alexey
Reputation: 2592
Try to replace both instances of
IS_AUTHENTICATED_ANONYMOUSLY
with
IS_AUTHENTICATED_ANONYMOUSLY,ROLE_LEVEL7
If it does not work, try to replace
IS_AUTHENTICATED_ANONYMOUSLY
with
ROLE_ANONYMOUS,ROLE_LEVEL7
I do not know much about IS_AUTHENTICATED_ANONYMOUSLY but the difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY is explained here.
You should add ROLE_LEVEL7 to ROLE_ANONYMOUS/IS_AUTHENTICATED_ANONYMOUSLY because authenticated users do not belong to the buid-in role ROLE_ANONYMOUS (and the /resources/ directory is not available to them).
If neither works, try to remove all <security:intercept-url> tags temporarily to see if your application works without any security restrictions.
Upvotes: 1
Shaun the Sheep
Reputation: 22762
Try adding
<security:http pattern="/resources/**" security="none" />
above your existing configuration, which will prevent any of the Spring Security filters from being applied to requests matching that pattern..
Always enable debug logging and check the log to see why spring security handles a request a particular way.
Upvotes: 2
Related Questions
- Spring security does not allow CSS or JS resources to be loaded
- spring security doesn't load the resources (images, css)
- How to fix access to resources using spring security?
- spring security HTTP Status 403 - Access Denied
- After spring security implementation it's blocking all resources in my static folder?
- Serving static resources in spring security - Allow access to all files in '/resources/public'
- How to disable spring security for certain resource paths
- Spring Security Access Denied
- j_spring_security_check - The requested resource is not available
- Spring MVC 3.2 resource directory produces 404 Errors