Cookie problem when using spring security 2.0.1

Hi all,

i want to auto login by cookie, and i got my config like this:

Code:

<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,rememberMeProcessingFilter,filterInvocationInterceptor </value> </property> </bean> <bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter"> <property name="rememberMeServices" ref="rememberMeServices"/> <property name="authenticationManager" ref="authenticationManager"/> </bean> <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices"> <property name="tokenValiditySeconds" value="2678400"/> <property name="key" value="myproj"/> <property name="userDetailsService" ref="jdbcDaoImpl" /> </bean> <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider"/> <bean class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key" value="myproj"/> </bean> </list> </property> <property name="sessionController"> <ref bean="concurrentSessionController"/> </property> </bean> <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="jdbcDaoImpl"/> <property name="userCache" ref="userCache"/> <property name="passwordEncoder" ref="passwordEncoder"/> </bean> <bean id="authenticationProcessingFilter" class="filter.UserAuthenticationProcessingFilter"> <property name="authenticationManager" ref="authenticationManager"/> <property name="userService" ref="userService"/> <property name="authenticationFailureUrl"> <value>/login.jsp</value> </property> <property name="defaultTargetUrl"> <value>/pages/intoIndex.action</value> </property> <property name="filterProcessesUrl"> <value>/j_spring_security_check</value> </property> <property name="exceptionMappings"> <value> org.springframework.security.userdetails.UsernameNotFoundException=/login.jsp?login_error=user_not_found_error org.springframework.security.BadCredentialsException=/login.jsp?login_error=user_psw_error org.springframework.security.concurrent.ConcurrentLoginException=/login.jsp?login_error=too_many_user_error </value> </property> <property name="rememberMeServices" ref="rememberMeServices"/> </bean>

when i try to login by cookie i got these messages:

Code:

DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 6 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1300; ]' DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie detected DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie accepted DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider DEBUG org.springframework.security.concurrent.SessionRegistryImpl - Registering session 9D8670EE917A99EF23C679216B358AEB, for principal myname

it seemed that cookie is accepted, but it didn't login into the app but return to the login page.

i am puzzled, and i think that there is something wrong with the config, anyone can give me some tips?

thanks to all.

Try switching the order of exceptionTranslationFilter and rememberMeProcessingFilter. Can you enable all logging for Spring Security and post all the logs (i.e. RememberMeProcessingFilter).

FYI: You may want to update to 2.0.6.RELEASE to avoid the security vulnerability.

i changed the order of exceptionTranslationFilter and rememberMeProcessingFilter, then i got the debug below:

Code:

DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 1 of 7 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]' DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 2 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=400; ]' DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 3 of 7 in additional filter chain; firing Filter: 'com.broadtext.eim.security.filter.UserAuthenticationProcessingFilter[ order=800; ]' DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 4 of 7 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1200; ]' DEBUG org.springframework.security.wrapper.SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: null DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 5 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1300; ]' DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie detected DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie accepted DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider WARN org.springframework.security.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9 DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider DEBUG org.springframework.security.concurrent.SessionRegistryImpl - Registering session 7F9D626137539284836542B85B018FB9, for principal myname DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@19c5048]: org.springframework.security.event.authentication.AuthenticationSuccessEvent[source=org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ... WARN org.springframework.security.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9 DEBUG org.springframework.security.ui.rememberme.RememberMeProcessingFilter - SecurityContextHolder populated with remember-me token: 'org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ... DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@19c5048]: org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ... WARN org.springframework.security.event.authentication.LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9 DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 6 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1500; ]' DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 7 of 7 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@a9fa9c' DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Public object - authentication not attempted DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@19c5048]: org.springframework.security.event.authorization.PublicInvocationEvent[source=FilterInvocation: URL: //login.jsp] DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp reached end of additional filter chain; proceeding with original chain DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Chain processed normally

it was found that 'authentication not attempted' in 'org.springframework.security.intercept.AbstractSe curityInterceptor - Public object - authentication not attempted'.

now i try to setp into it to find out the problem. may be i should update to 2.0.6~

thanks a lot.

Can you try accessing a protected page?

Quote:

Originally Posted by rwinch

Can you try accessing a protected page?

What is the protected page you mean?
//login.jsp ?

I mean a page that required you to be logged in.

Quote:

Originally Posted by rwinch

I mean a page that required you to be logged in.

So sorry, i think i should reply it more earlier, but other things make me can't continue that time.

i tried but when accessing the page, i was kicked out to the login page.

now i updated to 2.0.6 and got the problem resolved, thanks a lot.