Spring Security login returns 404

Question

I am currently working on my blog in Spring framework. I am implementing the Spring Security for login purpose. Everything works as expected until I submit the login credentials which is always returning 404 code.

Here is my web.xml cod e

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<display-name>avispring</display-name>          

<error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
</error-page>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-database.xml</param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/admin/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>spring</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>        
</servlet>
<servlet-mapping>
    <servlet-name>spring</servlet-name>
    <url-pattern>/</url-pattern>        
</servlet-mapping>

Here is my spring security code:

<bean id="dataSource"
    class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
    <property name="url" value="jdbc:mysql://localhost:3306/avispring"/>
    <property name="username" value="root"/>
    <property name="password" value=""/>
</bean>
<security:debug/>
<security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>
    <security:form-login        
    login-page="/login.html"
    authentication-failure-url="/login?login_error=1"
    default-target-url="/admin/home.html"/>     
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service 
            data-source-ref="dataSource"
            users-by-username-query="select USERNAME,PASSWORD,ENABLED from USER_AUTHENTICATION where USERNAME=?"
            authorities-by-username-query="select u1.USERNAME,u2.ROLE from USER_AUTHENTICATION u1,USER_AUTHORIZATION u2 where u1.USER_ID=u2.USER_ID and u1.USERNAME=?"/>
    </security:authentication-provider>
</security:authentication-manager>

part of my login.jsp code is

<form action="<c:url value="/login"/>" method="post">
      <div class="form-group has-feedback">
        <input type="email" class="form-control" placeholder="Email" name="username">
        <span class="glyphicon glyphicon-envelope form-control-feedback"></span>
      </div>
      <div class="form-group has-feedback">
        <input type="password" class="form-control" placeholder="Password" name="password">
        <span class="glyphicon glyphicon-lock form-control-feedback"></span>
      </div>
      <div class="row">
        <div class="col-xs-8">
          <div class="checkbox icheck">
            <label>
              <input type="checkbox"> Remember Me
            </label>
          </div>
        </div><!-- /.col -->
        <div class="col-xs-4">
          <button type="submit" class="btn btn-primary btn-block btn-flat"     name="submit">Sign In</button>
        </div><!-- /.col -->
      </div>
    </form>

and the console output is

Oct 16, 2015 1:06:03 AM org.springframework.web.servlet.DispatcherServlet noHandlerFound WARNING: No mapping found for HTTP request with URI [/avispring/login] in DispatcherServlet with name 'spring'

Note:

1. I am using spring 4.2.1 and spring security 4.0.2
2. Most of the forums are pointing to the context path ie [appname/login] or [appname/j_spring_security_check] and I think mine is ok regarding it

Please help...

UPDATE:

when I used log4j, the debug output at the time of form submission is as follows:

DEBUG: org.springframework.web.servlet.DispatcherServlet - Bound request context to thread: org.apache.catalina.connector.RequestFacade@c8b445 DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'spring' processing POST request for [/avispring/login] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping@16fffcf] in DispatcherServlet with name 'spring' DEBUG: org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /login DEBUG: org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Did not find handler method for [/login] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping@138f01b] in DispatcherServlet with name 'spring' DEBUG: org.springframework.web.servlet.h andler.BeanNameUrlHandlerMapping - No handler mapping found for [/login] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping@1ff154c] in DispatcherServlet with name 'spring' DEBUG: org.springframework.web.servlet.handler.SimpleUrlHandlerMapping - No handler mapping found for [/login] WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/avispring/login] in DispatcherServlet with name 'spring' DEBUG: org.springframework.web.servlet.DispatcherServlet - Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@c8b445 DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request DEBUG: org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in WebApplicationContext for namespace 'spring-servlet': ServletRequestHandledEvent: url=[/avispring/login]; client=[0:0:0:0:0:0:0:1]; method=[POST]; servlet=[spring]; session=[BC0FB7E62DC0AFABD8EF72B8BF1CED54]; user=[null]; time=[3ms]; status=[OK] DEBUG: org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: ServletRequestHandledEvent: url=[/avispring/login]; client=[0:0:0:0:0:0:0:1]; method=[POST]; servlet=[spring]; session=[BC0FB7E62DC0AFABD8EF72B8BF1CED54]; user=[null]; time=[3ms]; status=[OK] DEBUG: org.springframework.web.servlet.DispatcherServlet - Bound request context to thread: org.apache.catalina.core.ApplicationHttpRequest@bb82df DEBUG: org.springframework.web.servlet.DispatcherServlet - DispatcherServlet with name 'spring' processing POST request for [/avispring/404.html] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler map [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping@16fffcf] in DispatcherServlet with name 'spring' DEBUG: org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Looking up handler method for path /404.html DEBUG: org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Found 1 matching mapping(s) for [/404.html] : [{[/404.html]}] DEBUG: org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping - Returning handler method [public org.springframework.web.servlet.ModelAndView com.avispring.controll ers.HelloController.errorPage()] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter@511db5] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter@1a86ee] DEBUG: org.springframework.web.servlet.DispatcherServlet - Testing handler adapter [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter@c26a5f] DEBUG: org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Invoking [HelloController.errorPage] method with arguments [] DEBUG: org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod - Method [errorPage] returned [ModelAndView: reference to view with name '/404'; model is null] DEBUG: org.springframework.web.servlet.DispatcherServlet - Rendering view [org.springframework.web.servlet.view.JstlView: name '/404'; URL [/WEB-INF/jsp//404.jsp]] in DispatcherServlet with name 'spring' DEBUG: org.springframework.web.servlet.view.JstlView - Rendering view with name '/404' with model {} and static attributes {} DEBUG: org.springframework.web.servlet.view.JstlView - Forwarding to resource [/WEB-INF/jsp//404.jsp] in InternalResourceView '/404' DEBUG: org.springframework.web.servlet.DispatcherServlet - Cleared thread-bound request context: org.apache.catalina.core.ApplicationHttpRequest@bb82df DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request DEBUG: org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in WebApplicationContext for namespace 'spring-servlet': ServletRequestHandledEvent: url=[/avispring/404.html]; client=[0:0:0:0:0:0:0:1]; method=[POST]; servlet=[spring]; session=[BC0FB7E62DC0AFABD8EF72B8BF1CED54]; user=[null]; time=[1ms]; status=[OK] DEBUG: org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in Root WebApplicationContext: ServletRequestHandledEvent: url=[/avispring/404.html]; client=[0:0:0:0:0:0:0:1]; method=[POST]; servlet=[spring]; session=[BC0FB7E62DC0AFABD8EF72B8BF1CED54]; user=[null]; time=[1ms]; status=[OK]

Answer 1

Ok that was so frustrating and I have found my answer by hit and trial. To all others who are facing my problem I am posting my solution. I had to change only one line in my web.xml file. I had to replace this code

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/admin/*</url-pattern>
</filter-mapping>

with this code

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

and I don't even need this line in spring-security.xml file

<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>

Hope that might help somebody. Happy coding...

Answer 2

Did you try setting the login-processing-url attribute of your <security:form-login> element? I use the same up-to-date versions of Spring and Spring Security as you and I added the login-processing-url attribute as follows:

login-processing-url="/j_spring_security_check"

Everything works properly, and I don't even need the following element:

<security:intercept-url pattern="/j_spring_security_check" access="permitAll"/>

Of course, if you wish to use /login instead of /j_spring_security_check , you are free to do so. Just make sure the URIs you put in your JSP and in your Spring Security configuration file match.

Hope this will help...

Jeff

------------ UPDATE ------------

I think about it... Spring Security introduced Cross-Site Request Forgery (CSRF) protection in version 4. When I updated my code, in order to avoid adding CSRF management in all my protected JSPs (not necessary for my business needs), I had to add the following element in my <security:http> element:

<security:csrf disabled="true"/>

Please give it a try and tell me whether it worked.