CODEWITHSUNDEEP
javaspringspring-security
user911651
user911651

Reputation:

j_spring_security_check 404 issue

I am trying to get my spring + hibernate + spring-security and tiles2 - "HelloWorld" application to work, following this guide (its in german unfortunately).

My problem is that I get a "404" error message when logging into my application. Redirection to the login page works as intended, but I can't reach "http://localhost:8080/App/j_spring_security_check" when I hit the login button.

My web.xml looks this way:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/defs/applicationContext.xml
        /WEB-INF/defs/applicationContext-security.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name> 
  <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

and applicationContext-security.xml file looks this way ...

<http use-expressions="true">
    <intercept-url pattern="/index.html" access="permitAll" />
    <intercept-url pattern="/timeout.html" access="permitAll" />
    <intercept-url pattern="/redirect.html" access="permitAll" />
    <intercept-url pattern="/media/**" access="permitAll" />
    <intercept-url pattern="/includes/**" access="permitAll" />
    <intercept-url pattern="/office/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/office/admin/**" access="hasRole('ROLE_ADMIN')" />

    <form-login login-page="/index.html" 
            authentication-failure-url="/index.html?login_error=1"
            default-target-url='/office/kunden.html'
            always-use-default-target='true'
            />
    <logout logout-success-url="/index.html" />
    <remember-me />
    <session-management invalid-session-url="/index.html">
        <concurrency-control max-sessions="2" error-if-maximum-exceeded="true" />
    </session-management>
</http>

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="mysqldataSource" 
                    authorities-by-username-query="select username, authority from benutzer where username = ?"
                    users-by-username-query="select username, password, enabled from benutzer where username = ?"/>
    </authentication-provider>
</authentication-manager>

The database connection seems to be O.K.

I would be very glad if someone could give me a hint on that, because I already did a lot of googling, but didn't find a solution yet.

I use spring 3.1 and tomcat 7.0.23

Upvotes: 5

Views: 24723

Answers (3)

dvtoever
dvtoever

Reputation: 3996

For those people who face the same symptoms, but for a different situation, those who are behind a load balancer which does SSL offloading, the following answer might put you in the right direction. I had a similar problem and it turned out that the incoming request was handled correct, however as a response spring security sends a redirect to an absolute URL which is defined by the default-target-url attribute (starting with http instead of https)

<security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />

Now the client browser tries to open the redirected location on http, fails on the loadbalancer (which only accepts https traffic) and reports a 404 NOT FOUND

We solved this problem by adding the following mod_header directive for all incoming requests on port 443 (https) in the load balancer:

RequestHeader set X-Forwarded-Proto "https"

The will add an extra header. If you run an application server like Jetty, it will recognize this header and translate the incoming request. (see http://www.gossamer-threads.com/lists/apache/users/407272)

Upvotes: 0

ŁukaszBachman
ŁukaszBachman

Reputation: 33735

I would check two things:

  1. Request dispatch
  2. Spring-security config

To check request dispatch just make sure that your application is accessible in the servlet container in the first place. Meaning, you have mentioned http://localhost:8080/App/j_spring_security_check. Is your application accessible under that URL? Does http://localhost:8080/App show proper content (HTTP 200)? Also make sure that dispatcher servlet is configured properly. In tutorial you have provided, there is this section:

  <!--  Spring Hauptteil -->

  <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>
          org.springframework.web.servlet.DispatcherServlet
      </servlet-class>
      <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
      <servlet-name>spring</servlet-name>
      <url-pattern>*.html</url-pattern>
  </servlet-mapping>

If you have not provided it in your web.xml, then your request might not even be dispatched properly before it ends up being examined via spring-security.

If this doesn't help you, try this.

Following documentation, the minimal configuration should be enough to check if your setup is correct. If you have followed tutorial, you might make some minor mistake (typeo, for instance) that will cause spring-security not to launch properly. Then it is easy to skip some error info in logger output. I suggest you do the following.

  1. Change your applicationContext-security.xml to support minimal configuration provided in documentation.
  2. Launch the application and go to http://localhost:8080/App/j_spring_security_check

If you get proper response - try modifying config until you are done.

Point to learn What DelegatingFilterProxy (defined in web.xml) really does is delegating request to some other filter managed by Spring's IoC. This filter is being defined in applicationContext-security via security namespace. If this won't work for some reason, the filter will not be initialized, and you may end up in seeing http 404 regardless the fact, that the rest of application starts properly.

Uffff, lots of text ;)

Upvotes: 2

Ralph
Ralph

Reputation: 120781

Your configuration looks ok. One thing that can case the 404 is if the default-target-url='/office/kunden.html' points to an controller or view that does not exist.

Check that the url /office/kunden.html works -- therefore deactivate the security stuff (just add <security:intercept-url pattern="/**" access="permitAll" />) and try it.

An other thing that may goes wrong, is that the tutorial is for spring 3.0 but not spring 3.0. I would not expect that this is the cause, but give it a try and downgrade.

Upvotes: 0

Related Questions