Reputation: 1796
I am working with Spring Security and Spring MVC. I have earlier configured Spring Security successfully with Struts2, but I am doing it for the first time with Spring MVC. Also, I am a complete newbie to Spring MVC.
Here is what I want:
1) I have a static page which is served from Apache.
2) On the static page I have a link to some pages which are hosted on tomcat and can be accessed through spring MVC URLs.
3) On one of the pages displayed in step 2 there will be a link which will take the user to the login page, which is again hosted on tomcat.
Following is my spring security configuration:
<http use-expressions="true">
    <intercept-url pattern="/login/show/" access="permitAll()"></intercept-url>
    <intercept-url pattern="/sales/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/items/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/images/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/js/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/css/**" access="permitAll()"></intercept-url>
    <intercept-url pattern="/favicon.ico" access="hasRole('ROLE_ANONYMOUS')" />
    <form-login login-page="/login/show/" always-use-default-target="true"
        default-target-url="/login/success/" authentication-failure-url="/login/show/"
        login-processing-url="/login/" password-parameter="userPassword"
        username-parameter="userId" />
    <logout logout-success-url="http://mysales.com" logout-url="/sales/" delete-cookies="JSESSIONID" invalidate-session="true"></logout>
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="securityService" />
</authentication-manager>
<beans:bean id="securityService"
    class="com.pricer.service.security.SecurityService">
    <beans:property name="authDAO" ref="authDAO"></beans:property>
</beans:bean>
<beans:bean id="messageSource"
    class="org.springframework.context.support.ResourceBundleMessageSource">
    <beans:property name="basenames">
        <beans:list>
            <beans:value>securitymessages</beans:value>
        </beans:list>
    </beans:property>
</beans:bean>
4) When I hit mysales.com, the static page from step 1 is displayed, which has a link to display all sales, and I give it as:
<div> bold;font-size: 20px;text-align: center;">
<a href="/mysales/sales/">Sales</a>
</div>
5) When the user clicks on "Sales" it should fire a Spring MVC URL that passes through the Spring Security filters and displays a page with info regarding sales and a link to the login page.
When I click on the "Sales" link I get redirected to the home page again, that is, to mysales.com.
Here is what I get in my tomcat application log:
2014-05-21 03:37:58.279 [DEBUG] org.springframework.security.web.FilterChainProxy:337 - /sales/ at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.context.HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.FilterChainProxy:337 - /sales/ at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
2014-05-21 03:37:58.280 [DEBUG] org.springframework.security.web.authentication.logout.LogoutFilter:93 - Logging out user 'null' and transferring to logout destination
2014-05-21 03:37:58.282 [DEBUG] org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler:107 - Using default Url: http://mysales.com
2014-05-21 03:37:58.283 [DEBUG] org.springframework.security.web.DefaultRedirectStrategy:36 - Redirecting to 'http://mysales.com'
2014-05-21 03:37:58.283 [DEBUG] org.springframework.security.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2014-05-21 03:37:58.283 [DEBUG] org.springframework.security.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
6) But when I try to access images directly, they get accessed perfectly fine (i.e. if I access mysales.com/mysales/images/logo.png it works fine and the image is displayed). Then why does the mysales.com/mysales/sales/ URL not pass the security chain of Spring Security?
Upvotes: 0
Views: 479
Reputation: 22742
You have logout-url="/sales/" in your logout configuration, which means this is acting as the logout link for the application and attempting to log out the user and then redirect them to the logout success URL.
With this configuration, your MVC handler for this URL (or indeed a Struts one) will be ignored. You should change the logout URL to something more appropriate, like /logout.
Upvotes: 1
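The collision described in the answer can be caught before deployment. The following is an added example, not code from the question, the answer, or Spring Security: a heuristic Python check that flags a logout-url or login-processing-url lying inside an intercept-url pattern reserved for application pages. The names SAMPLE, ant_to_regex and find_shadowed_paths are made up for the illustration, and the pattern translation is a simplified approximation of Ant-style matching.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the <http> block in the question.
SAMPLE = """<http use-expressions="true">
  <intercept-url pattern="/login/show/" access="permitAll()"/>
  <intercept-url pattern="/sales/**" access="permitAll()"/>
  <intercept-url pattern="/images/**" access="permitAll()"/>
  <form-login login-page="/login/show/" login-processing-url="/login/"/>
  <logout logout-url="/sales/" logout-success-url="http://mysales.com"/>
</http>"""

# URLs that a security filter consumes before any MVC handler is reached.
FILTER_URLS = {"logout": "logout-url", "form-login": "login-processing-url"}

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (?, *, **) into a compiled regex."""
    tail = ""
    if pattern.endswith("/**"):  # trailing /** also matches the bare prefix
        pattern, tail = pattern[:-3], "(/.*)?"
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = "".join(tokens.get(t, re.escape(t))
                   for t in re.findall(r"\*\*|\*|\?|[^*?]+", pattern))
    return re.compile(body + tail + r"\Z")

def local(el):
    # Tag name without an XML namespace, so namespaced configs also work.
    return el.tag.rsplit("}", 1)[-1]

def find_shadowed_paths(config_xml):
    """Return (element, attribute, url, pattern) for each filter URL that sits
    inside an intercept-url pattern (the catch-all /** is skipped)."""
    root = ET.fromstring(config_xml)
    patterns = [e.get("pattern") for e in root.iter()
                if local(e) == "intercept-url" and e.get("pattern") != "/**"]
    findings = []
    for el in root.iter():
        url = el.get(FILTER_URLS.get(local(el), ""))
        if url:
            findings += [(local(el), FILTER_URLS[local(el)], url, p)
                         for p in patterns if ant_to_regex(p).match(url)]
    return findings

if __name__ == "__main__":
    for tag, attr, url, pattern in find_shadowed_paths(SAMPLE):
        print(f"<{tag}> {attr}={url!r} is covered by intercept-url {pattern!r}")
```

A finding means the filter will handle that URL first, so a controller mapped to the same path is never invoked.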