Spring 2 Security on Glassfish 3 Shows Basic Auth after form Auth
We are trying to upgrade our existing Spring 2.5 based application to Glassfish 3.1.2.2.
This application is working fine on Glassfish 2.1 with Spring 2 security. We are using our custom authentication setup for this.
The application deploys fine on GF3. When we try to log in to the application, our custom form-based authentication page is displayed. Once credentials are provided, we get a basic auth popup that uses the file realm of the GF3 server.
We have already tried these options and none of them worked:
This Stackoverflow Thread With no answer
Upgrade Spring version to Last Best Version 2.5.6.SEC03 - This still shows the same issue
Upgrading to Spring 3 is not an option for us since we are stuck with some third party vendor libraries that have compile time dependency on Spring 2.
We already have support from Oracle and they have turned out to be useless (as always, their support is disappointing).
Are you aware of any workarounds for this situation?
Below is the security config code we have in web.xml
Code:
<!-- Routes every request (url-pattern /*) through Spring Security.
     DelegatingFilterProxy hands each request to the Spring bean that carries the
     filter's name, "springSecurityFilterChain". -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Container-level constraint on /app/* for GET and POST. It carries neither an
     <auth-constraint> nor a <user-data-constraint>, so as written the container
     requires no role and no transport guarantee (TLS) for these URLs.
     NOTE(review): HTTP methods other than GET and POST are not covered by this
     constraint. If an <auth-constraint> is ever added here, remove the <http-method>
     entries so that it applies to every method.
     NOTE(review): this fragment shows no <login-config>. A BASIC prompt backed by the
     server's file realm suggests container-managed authentication is being triggered
     somewhere; check the rest of web.xml and the server defaults to confirm. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/app/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
Here is the beans.xml content
Code:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<!-- URL access rules for the Spring Security filter chain. auto-config is off, so the
     login entry point (authEntryPoint) and the access decision manager are wired in by
     reference.
     NOTE(review): session-fixation-protection="none" keeps the same session id across
     login, so an id that was known before authentication stays valid afterwards. The
     schema default, "migrateSession", starts a new session at login and copies the
     existing attributes over; keep "none" only if something is known to depend on it.
     NOTE(review): access="users" is required only for the .html and .htmlx patterns
     and no catch-all pattern follows them. Any other URL that reaches the chain has no
     access rule in this element; confirm that is intended. -->
<http auto-config="false"
      realm="SPRING"
      entry-point-ref="authEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      servlet-api-provision="true"
      session-fixation-protection="none">
  <!-- filters="none" takes matching requests out of the Spring Security chain
       entirely: the login page and static assets are served with no security filter
       applied. Patterns are matched in the order listed, first match wins. -->
  <intercept-url pattern="/Login*" filters="none"/>
  <intercept-url pattern="/styles.css" filters="none"/>
  <intercept-url pattern="/images/**" filters="none"/>
  <intercept-url pattern="/**.js" filters="none"/>
  <!-- Application pages: the access attribute "users" is required. -->
  <intercept-url pattern="/**.html" access="users"/>
  <intercept-url pattern="/**.htmlx" access="users"/>
</http>
<!-- Exposes the namespace-created authentication manager under the bean name
     "authenticationManager" so that it can be injected below. -->
<authentication-manager alias="authenticationManager"/>

<!-- Replacement for the default authentication processing filter, so that custom
     actions with access to the servlet layer can run at login (Tapestry specifics such
     as creating the custom visit ASO). <custom-filter> puts this bean at the
     AUTHENTICATION_PROCESSING_FILTER position of the chain.
     NOTE(review): filterProcessesUrl is set to /j_security_check, the action URL the
     Servlet specification reserves for container form login; Spring Security's own
     default is /j_spring_security_check. On a server that handles /j_security_check
     itself, the credential POST may be processed by the container instead of this
     filter, which would fit the reported BASIC prompt. Verify, and consider an
     application-specific URL. -->
<beans:bean id="customAuthFilter"
            class="com.mycomp.core.security.TapestryIntegrationFilter">
  <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <beans:property name="filterProcessesUrl" value="/j_security_check"/>
  <beans:property name="defaultTargetUrl" value="/Home.html"/>
  <beans:property name="authenticationFailureUrl" value="/Login.html"/>
</beans:bean>
<!-- A custom authentication filter cannot be configured through the "form-login"
     element under "http", so the entry point is declared by hand. It sends
     unauthenticated requests to the login form at /Login.html.
     NOTE(review): nothing in this configuration forces HTTPS for the login form or the
     credential POST. If TLS is not enforced elsewhere, consider this class's forceHttps
     property or requires-channel on the intercept-url entries. -->
<beans:bean id="authEntryPoint"
            class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <beans:property name="loginFormUrl" value="/Login.html"/>
</beans:bean>
<!-- Declared only to remove the "ROLE_" prefix from role names: the RoleVoter gets an
     empty rolePrefix, and wiring a voter in requires defining the access decision
     manager explicitly. AffirmativeBased grants access as soon as one voter grants it.
     NOTE(review): with an empty prefix the RoleVoter votes on every configuration
     attribute, including ones meant for other voters such as AuthenticatedVoter.
     Confirm no granted authority name can collide with those attributes. -->
<beans:bean id="accessDecisionManager"
            class="org.springframework.security.vote.AffirmativeBased">
  <beans:property name="decisionVoters">
    <beans:list>
      <beans:bean id="roleVoter"
                  class="org.springframework.security.vote.RoleVoter">
        <beans:property name="rolePrefix" value=""/>
      </beans:bean>
      <beans:bean id="authenticatedVoter"
                  class="org.springframework.security.vote.AuthenticatedVoter"/>
    </beans:list>
  </beans:property>
</beans:bean>
<!-- Application-specific (PIMA) authentication provider. The
     <custom-authentication-provider/> child element plugs this bean into the
     framework's authentication manager. The customUserDao and transactionManager beans
     it references are not defined in this fragment. -->
<beans:bean id="pscAuthenticationProvider"
            class="com.myapp.core.security.CustomAuthenticationProvider">
  <custom-authentication-provider/>
  <beans:property name="customUserDao" ref="customUserDao"/>
  <beans:property name="passwordUtility" ref="passwordUtility"/>
  <beans:property name="transactionManager" ref="transactionManager"/>
</beans:bean>
<!-- Password hashing settings handed to PasswordUtility.
     NOTE(review): Md5PasswordEncoder produces a single salted MD5 digest, which is
     cheap to brute-force offline if the stored hashes leak. SystemWideSaltSource gives
     every account the same salt, so identical passwords yield identical hashes, and the
     salt value is a literal in this file. Prefer a per-user salt and a deliberately
     slow password hash (bcrypt, scrypt or PBKDF2 behind a custom PasswordEncoder).
     Changing the encoder invalidates stored hashes, so plan a rehash at next login. -->
<beans:bean id="passwordUtility" class="com.myapp.core.security.PasswordUtility">
  <!-- Comment out the two properties below to turn password encoding off, uncomment
       to turn it on. NOTE(review): with encoding off, passwords are presumably stored
       and compared in clear text; do not ship that state outside a test setup. -->
  <beans:property name="saltSource">
    <beans:bean class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
      <beans:property name="systemWideSalt" value="somegoodsalt"/>
    </beans:bean>
  </beans:property>
  <beans:property name="passwordEncoder">
    <beans:bean class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
  </beans:property>
  <!-- End of the password encoding toggle. -->
</beans:bean>
<!-- SecurityService receives the shared passwordUtility bean, so it uses the same
     salt source and password encoder as the authentication provider. -->
<beans:bean id="securityService"
            class="com.scea.core.security.SecurityService">
  <beans:property name="passwordUtility" ref="passwordUtility"/>
</beans:bean>
</beans:beans>