Dmitriy

Reputation: 21

Spring Security 404 error

I want to use Spring Security for authentication, but when I try to access the site, I get a 404 error on all requests. I've been trying to debug this for a few days, but nothing works for me.

Here is my web.xml :

<!-- Spring MVC -->
<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-database.xml,
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

spring-security.xml:

<context:component-scan base-package="com.example.users.service"/>

<http auto-config="true" use-expressions="true" authentication-manager-ref="authManager">
    <intercept-url pattern="/j_spring_security_check" access="permitAll"/>
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

    <access-denied-handler error-page="/403" />
    <form-login 
        login-page="/login" 
        default-target-url="/welcome"
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />
    <logout logout-success-url="/login?logout" />
    <csrf />
</http>

<authentication-manager id="authManager">
    <authentication-provider user-service-ref="myUserDetailsService" />
</authentication-manager>

spring-database.xml:

<tx:annotation-driven transaction-manager="transactionManager"/>

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" value="jdbc:mysql://localhost:3306/test" />
    <property name="username" value="root" />
    <property name="password" value="12345678" />
</bean>

<bean id="sessionFactory"
    class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
    <property name="dataSource" ref="dataSource" />
    <property name="hibernateProperties">
        <props>
            <prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
            <prop key="hibernate.format_sql">true</prop>
            <prop key="hibernate.show_sql">true</prop>
        </props>
    </property>
    <property name="packagesToScan" value="com.example.users.model"/>
</bean>

<bean id="transactionManager"
    class="org.springframework.orm.hibernate4.HibernateTransactionManager">
    <property name="sessionFactory" ref="sessionFactory"/>
</bean>

and mvc-dispatcher-servlet.xml:

<context:component-scan base-package="com.example.*" />

<bean
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix">
        <value>/WEB-INF/pages/</value>
    </property>
    <property name="suffix">
        <value>.jsp</value>
    </property>
</bean>

Any help would be greatly appreciated.

Thanks.

Upvotes: 2

Views: 5541

Answers (2)

Abubacker Siddik

Reputation: 77

Assuming Dmitriy might have solved this by now, I am answering in the hope that it may be useful for others who stumble upon this issue.

  1. I cannot find the Spring MVC dispatcher servlet config XML.
  2. We don't need to add a component scan specifically in the Spring Security XML configuration if it's already taken care of in the Spring configuration.
  3. The intercept-url pattern="/j_spring_security_check" access="permitAll" may not be required. Spring Security is intelligent; it will only apply security for the URL pattern mentioned. All other URLs are free to access.
  4. Depending on the Spring Security version, the /j_spring_security_check or /login URL should be used in the form action. The former is used in Spring 3.x and the latter is used in Spring 4.x.
  5. The login-page attribute in form-login must match a URL in the Spring MVC application through a controller mapping or XML mapping.
  6. Finally, the important thing is, if you mess up a single config in the Spring Security XML, Spring will let you run the app but it will always result in a 404. So make sure you have all URLs mapped to controller mappings and all pages are resolvable in the Spring MVC application.

For example, if the access-denied-handler error-page="/403" element cannot find a /403 mapping, then it will result in a 404 error even though the user is authenticated and authorized successfully.

If you debug the Spring Security framework to see how all the filters are working, you can see how your application is behaving.

The <debug/> element in Spring Security can help.

Please let me know if this helps.

Upvotes: 0
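An added example, not part of the original answer: one way to make the /login and /403 URLs referenced in spring-security.xml resolve through an XML mapping in mvc-dispatcher-servlet.xml. The JSP names login.jsp and 403.jsp under /WEB-INF/pages/ are assumptions, and /welcome is assumed to be served by an annotated controller.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for /WEB-INF/mvc-dispatcher-servlet.xml; not the asker's file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context.xsd
         http://www.springframework.org/schema/mvc
         http://www.springframework.org/schema/mvc/spring-mvc.xsd">

    <!-- Same scan as in the question; picks up the @Controller classes
         (including the one assumed to handle /welcome). -->
    <context:component-scan base-package="com.example.*" />

    <!-- Required once any <mvc:...> mapping is declared: without it the
         DispatcherServlet no longer falls back to its default handler
         mappings and @RequestMapping methods stop being registered. -->
    <mvc:annotation-driven />

    <!-- login-page="/login" in <form-login>:
         view name "login" resolves to /WEB-INF/pages/login.jsp (assumed file). -->
    <mvc:view-controller path="/login" view-name="login" />

    <!-- error-page="/403" in <access-denied-handler>:
         view name "403" resolves to /WEB-INF/pages/403.jsp (assumed file). -->
    <mvc:view-controller path="/403" view-name="403" />

    <!-- View resolver from the question, unchanged in behaviour. -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/pages/" />
        <property name="suffix" value=".jsp" />
    </bean>
</beans>
```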

Wermerb

Reputation: 1049

We don't know what version of Spring Security you are using, but if you have 4.X.X then this URL won't work: /j_spring_security_check. They have changed it to /login.

Here are the docs.

I think this config should do the trick:

<http auto-config="true" use-expressions="true" authentication-manager-ref="authManager">
    <form-login
            login-page="/login"
            default-target-url="/welcome"
            always-use-default-target="true"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password"/>
    <access-denied-handler error-page="/403" />
    <!-- intercept-url rules are evaluated in order and the first match wins,
         so the specific patterns must come before the catch-all /** -->
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <logout logout-success-url="/login?logout" />
    <csrf />
</http>

Upvotes: 1
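An added example, not part of the original answer: a spring-security.xml that states the version-dependent URLs explicitly, so the login form's action and the filter chain agree regardless of which defaults the installed release uses. The values shown are the Spring Security 4.x defaults, with the 3.x equivalents in comments; permitting /403 is an assumption that the error page should be viewable by anyone.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for /WEB-INF/spring-security.xml; not the asker's file. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

    <http use-expressions="true" authentication-manager-ref="authManager">
        <!-- First match wins: public pages, then role-restricted, then catch-all. -->
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/403" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <!-- login-processing-url is where the login form must POST.
             4.x default: /login          3.x default: /j_spring_security_check
             Parameter names, 4.x: username / password
                              3.x: j_username / j_password -->
        <form-login
            login-page="/login"
            login-processing-url="/login"
            default-target-url="/welcome"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />

        <!-- 4.x default: /logout       3.x default: /j_spring_security_logout
             With CSRF protection on, logout must be a POST carrying the token. -->
        <logout logout-url="/logout" logout-success-url="/login?logout" />

        <access-denied-handler error-page="/403" />

        <!-- The login and logout forms must submit the CSRF token as well. -->
        <csrf />
    </http>

    <!-- myUserDetailsService is the bean referenced in the question. -->
    <authentication-manager id="authManager">
        <authentication-provider user-service-ref="myUserDetailsService" />
    </authentication-manager>
</beans:beans>
```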
