Spring Security - Bad credentials when deploying from Tomcat 6 to Tomcat 7

Question

I have a web application that uses Spring Security for authentication. IT WAS WORKING FINE in Tomcat 6. I had to deploy it to Tomcat 7 as per business requirement change, and now is not working.

spring-security.xml ( for simplicity, I changed the query)

<form-login login-page="/redirect" 
        login-processing-url="/submitLogin" 
        username-parameter="j_username" 
        password-parameter="j_password" 
        authentication-failure-handler-ref="loginFailureHandler" 
        authentication-success-handler-ref="loginSuccessHandler" />

 <authentication-manager>
    <authentication-provider>
        <jdbc-user-service 
            data-source-ref="sybaseDataSource" 
            users-by-username-query="SELECT distinct EnterpriseID as username, 'password' as password, 1 as enabled FROM users where id = ?" 
            authorities-by-username-query="SELECT ? as id, 'ROLE_USER' as authority" 
           <!-- I know, it shouldnt be like this, just for the sake of the user having an authority -->
        />
    </authentication-provider>
</authentication-manager>

the form from jsp:(This is actually a redirect wherein the user and password are populated and the form is submitted using javascript(jquery)

                <form method="POST" action="/submitLogin" id="login-form-sso"> 

                <input type="text" name='j_username' value="${user}"/>
                <input type="text" name='j_password' value="password"/>
            </form>

       $(document).ready(function(){
        $("#login-form-sso").submit();
    });

When deployed in Tomcat 7, it ALWAYS go to loginFailureHandler. Upon debugging, I notice that the username is not "seen" by Spring security, trying to query with a user of ''

    org.springframework.jdbc.core.JdbcTemplate , Executing prepared SQL statement [SELECT distinct EnterpriseID as username, 'password' 
org.springframework.jdbc.datasource.DataSourceUtils , Fetching JDBC Connection from DataSource
org.springframework.jdbc.datasource.DataSourceUtils , Returning JDBC Connection to DataSource
org.springframework.security.provisioning.JdbcUserDetailsManager , Query returned no results for user ''
org.springframework.security.authentication.dao.DaoAuthenticationProvider , User '' not found
org.springframework.beans.factory.support.DefaultListableBeanFactory , Returning cached instance of singleton bean 'sessionRegistry'

Again, this works perfectly fine in Tomcat 6. I also checked the JSP form and it did contain the user credentials, for some reason, it looks like Spring security cant find it.

Can anyone please point me to the right direction? I appreciate your inputs. Thanks

UPDATE: I think one of the Filter on the filter chain is the culprit, consuming the parameters from the request body. will investigate further.

Answer 1

We experienced the same strange behaviour. We received nothing but null-values from our forms.

It turned out that there was a change in interpreting the maxPostSize-Parameter in the Connector-Configuration within the server.xml-File. From Tomcat Version 7.0.63 upwards maxPostSize="0" is indeed interpreted as a maximum Postsize of zero bytes. Till Version 7.0.63 maxPostSize="0" meant an infinite maximum postsize. Setting the maxPostSize="-1" resolved the issue in our case.

Maybe this answer might help someone...

Answer 2

after days of google-ing, painful debugging, creating custom filters, and tomcat configuration, I notice that ALL my forms are not working, and my controllers are all getting NULL values.

I tried another version of Tomcat (I have apache-tomcat-7.0.64 and downloaded apache-tomcat-7.0.47) and it WORKED.

Problem solved. Job saved.