fvdalcin

Reputation: 1047

Spring Security + Container Managed Authentication issue

I'm using Spring Security Framework + Spring MVC in order to build a secured web application. The authentication of my users must be handled by my container. I followed these two steps in order to achieve that:

  1. Secured my whole application in my web.xml file:

    <login-config>
        <auth-method>FORM</auth-method>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public</web-resource-name>
            <description>Matches unconstrained pages</description>
            <url-pattern>/resources/*</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured Areas</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Everyone</role-name>
        </auth-constraint>
    </security-constraint>
    

  2. Set up Spring Security with the following class:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // static resources are public, everything else needs an authenticated principal
                    .antMatchers("/resources/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                    // take the principal from the container and map these container roles
                    .jee().mappableRoles("Admin", "User");
        }
    }

This configuration seems to be working, for I have to authenticate whenever I try to access any URL within my application context except the static resources (in the /resources/ folder). Then after the login, the correct URL and page are shown (as expected). However, if I try to access another link, I have to log in again. Then, the correct URL and page are shown, and I can access any links without having to log in again. So, my question is: why do I have to log in twice in order not to be requested to log in again?

Upvotes: 1

Views: 1055

Answers (1)

Brian Blain

Reputation: 912

I'm not really an expert on this topic, but the way I figured it out was that the session was possibly being created by both the container and Spring Security. My container authentication is handled by WebLogic. There were a bunch of Google results that show how to write a custom filter for pre-auth, but it still never seemed to work right until I changed Spring Security to be stateless.

    <http auto-config="false" use-expressions="true" disable-url-rewriting="true"
        create-session="stateless" entry-point-ref="http403EntryPoint">

Upvotes: 2
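The answer gives the stateless setup in XML namespace form while the question uses Java config. The following is an added example (not code from either poster) that keeps the question's `jee()` pre-authentication and maps each attribute of the answer's `<http>` element onto the corresponding `HttpSecurity` call. The class name and the mappable role names are taken from the question; a Spring Security 3.2-era Java config (the version that has `@EnableWebMvcSecurity`) is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // static resources stay public; everything else needs a principal
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Container pre-authentication, as in the question: the principal is
            // read from HttpServletRequest.getUserPrincipal(), i.e. the FORM login
            // performed by the container, and each listed role is resolved with
            // HttpServletRequest.isUserInRole(). Assumed: the container exposes
            // roles named "Admin" and "User".
            .jee().mappableRoles("Admin", "User")
                .and()
            // create-session="stateless": Spring Security neither creates an
            // HttpSession nor stores its SecurityContext in one, so only the
            // container's session carries the authenticated identity and the
            // principal is re-read from the container on every request.
            // (disable-url-rewriting="true" needs no call here: Java config
            // already refuses to put the session id into URLs by default.)
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // entry-point-ref="http403EntryPoint": a request that reaches Spring
            // Security without a container principal is answered with 403 instead
            // of being redirected to a Spring login page, since login is the
            // container's job under web.xml.
            .exceptionHandling()
                .authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    }
}
```

With this configuration there is exactly one place that owns the login state (the container's session), which is the property the answer is after; Spring Security only authorizes each request against the principal the container already established.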
