pals. I'm using Spring-web, -mvc etc. version 4.1.x and spring-secure version 4.0.0 and I have strange issue.
I have LoginController.java with @RequestMapping("/login") returning "login", mapping to login.jsp. Also I have security-config.xml file with next settings
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="John" authorities="admin"
password="letmein" />
<security:user name="Zog" authorities="admin"
password="iamzog" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:csrf disabled="true"></security:csrf>
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:form-login login-page="/login"
login-processing-url="/login"
username-parameter="username"
password-parameter="password"
default-target-url="/"
authentication-failure-url="/login?error=true"/>
</security:http>
When I try to open /login spring shows default login form and my LoginController's method isn't execute. But when I enter wrong data in this login form, spring redirects me to /login?error=true and LoginController catches this and redirect to my login.jsp. So, spring catches /login before my controller, but pass /login?error=true to controller and my custom login form isn't working correctly.
My web.xml file looks like this
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<description>MySQL Test App</description>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-security-config.xml
classpath:dao-context.xml
classpath:service-context.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>offers</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>offers</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<resource-ref>
<description>DB Connection</description>
<res-ref-name>jdbc/spring</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
People from site with spring course asks same question, but the only answer were 'use spring-security 3.x.x'. I don't want to use 3x security, but want to understand where the magic of spring is broken. Thank you for advance.
This is a bug in Spring Security 4 and is logged as SEC-2919 . It will be fixed in Spring Security 4.0.1 which is due out next week.
Workarounds
Below are a few workarounds. You can remove the workaround once 4.0.1 is released (expected in about a week).
Use a Different URL
The easiest workaround is to use a URL other than "/login". For example, you can use "/authenticate".
<http ...>
<form-login login-page="/authenticate" ... />
</http>
Use a BeanPostProcessor
Alternatively, the following BeanDefinitionRegistryPostProcessor
will fix the issue by removing the DefaultLoginPageGeneratingFilter
. To use it simply ensure to register the BeanDefinitionRegistryPostProcessor
as a Bean.
For example create a class that looks like the following:
package sample;
import java.util.Iterator;
import java.util.List;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
public class Sec2919PostProcessor implements BeanDefinitionRegistryPostProcessor {
@Override
public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry)
throws BeansException {
String[] beanDefinitionNames = registry.getBeanDefinitionNames();
for(String name : beanDefinitionNames) {
BeanDefinition beanDefinition = registry.getBeanDefinition(name);
if(beanDefinition.getBeanClassName().equals(DefaultSecurityFilterChain.class.getName())) {
List<Object> filters = (List<Object>) beanDefinition.getConstructorArgumentValues().getArgumentValue(1, List.class).getValue();
Iterator<Object> iFilters = filters.iterator();
while(iFilters.hasNext()) {
Object f = iFilters.next();
if(f instanceof BeanDefinition) {
BeanDefinition bean = (BeanDefinition) f;
if(bean.getBeanClassName().equals(DefaultLoginPageGeneratingFilter.class.getName())) {
iFilters.remove();
}
}
}
}
}
}
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory)
throws BeansException {
}
}
Then add the bean definition:
<bean class="sample.Sec2919PostProcessor"/>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.