
Thread: 404 error after login in loginpage

  1. #1

    404 error after login in loginpage

    Greetings everybody.
    Please let me explain a scenario:
    When I run my application and don't log in, and open two or more tabs in my
    browser and request my login page in all of them, everything and every tab
    works properly.
    But when I open a tab, request the login page and log in, then after the login action,
    when I request the login page in other tabs, I get a 404 error?!
    I don't know why.
    Note that this only occurs if my username and password are authenticated and I go to the
    homepage; if my username and password are not correct and not authenticated, I can request
    my login page in another tab and I don't get a 404 error.

  2. #2
    Join Date
    Dec 2010
    Posts
    315


    Can you post your Spring Security configuration here?

    If you have a custom login page, can you post the Controller that handles the login page as well? It might be just a configuration or mapping error.

  3. #3


    This is my applicationContext-security.xml:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <http entry-point-ref="authenticationEntryPoint" use-expressions="true">
            <!--suppress SpringModelInspection -->
            <custom-filter position="FORM_LOGIN_FILTER" ref="myLoginFilter"/>
            <intercept-url pattern="/login.jsp" access="isAnonymous()"/>
            <intercept-url pattern="/login/failure.html" access="isAnonymous()"/>
            <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        </http>
        <beans:bean id="authenticationEntryPoint"
                    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <beans:property name="loginFormUrl" value="/login.jsp"/>
            <beans:property name="sessionRegistry" ref="sessionRegistry"/>
        </beans:bean>
        <beans:bean id="myLoginFilter"
                    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
            <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
            <beans:property name="usernameParameter" value="username"/>
            <beans:property name="filterProcessesUrl" value="/test"/>
            <beans:property name="passwordParameter" value="password"/>
            <beans:property name="authenticationManager" ref="mySimpleAuthenticationManager"/>
            <beans:property name="authenticationSuccessHandler" ref="successHandlerBean"/>
            <beans:property name="authenticationFailureHandler" ref="failureHandlerBean"/>
        </beans:bean>
        <authentication-manager alias="mySimpleAuthenticationManager">
            <authentication-provider ref="myProvider"/>
        </authentication-manager>
        <beans:bean id="myProvider" class="authenticate.MyProviderManager">
            <beans:property name="sessionRegistry" ref="sessionRegistry"/>
            <beans:property name="securityContextHolder" ref="securityContextHolder"/>
        </beans:bean>
        <beans:bean id="sas"
                    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
            <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
            <beans:property name="maximumSessions" value="1"/>
            <!--<beans:property name="exceptionIfMaximumExceeded" value="true"/>-->
        </beans:bean>
        <beans:bean id="securityContextHolder" class="org.springframework.security.core.context.SecurityContextHolder"/>
        <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
        <beans:bean id="failureHandlerBean"
                    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl" value="/login/failure.html"/>
        </beans:bean>
        <beans:bean id="successHandlerBean"
                    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
            <beans:property name="defaultTargetUrl" value="/login/success.html"/>
        </beans:bean>
    </beans:beans>
    And a snippet of my controller (providerManager) is:
    Code:
    public class MyProviderManager implements AuthenticationProvider {

        @Autowired
        private SessionRegistryImpl sessionRegistry;

        // Field behind the securityContextHolder property set in the XML config
        private SecurityContextHolder securityContextHolder;

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            //my code here
        }

        @Override
        public boolean supports(Class<? extends Object> aClass) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(aClass);
        }

        public void setSessionRegistry(SessionRegistryImpl sessionRegistry) {
            this.sessionRegistry = sessionRegistry;
        }

        public SessionRegistryImpl getSessionRegistry() {
            return sessionRegistry;
        }

        public SecurityContextHolder getSecurityContextHolder() {
            return securityContextHolder;
        }

        public void setSecurityContextHolder(SecurityContextHolder securityContextHolder) {
            this.securityContextHolder = securityContextHolder;
        }
    }
    Another question: do you know how to make a request when clicking on the back or forward button of the browser?
    It's very important to me, and I don't know where to post this question for discussion.

  4. #4
    Join Date
    Dec 2010
    Posts
    315


    I have a feeling you have mapped your URLs incorrectly or your ViewResolvers are set up wrong. Below you have a /login.jsp with a JSP extension. And your failure URL has an HTML extension. Why is that?
    Code:
    <intercept-url pattern="/login.jsp" access="isAnonymous()"/>
    <intercept-url pattern="/login/failure.html" access="isAnonymous()"/>
    Also, you did not post your Controller, the one that handles /login.jsp as well as login/failure.html. What you posted is the AuthenticationProvider.

    Also, is there a reason why you need to set the sessionRegistry and securityContextHolder here? What's their use if you're not gonna use them? (I don't see it in the code).
    Code:
        <beans:bean id="myProvider" class="authenticate.MyProviderManager">
            <beans:property name="sessionRegistry" ref="sessionRegistry"/>
            <beans:property name="securityContextHolder" ref="securityContextHolder"/>
        </beans:bean>
    What is your myProvider really doing? Certainly it doesn't look like a Controller. Based on its name it's a Provider. An AuthenticationProvider indicates a class can process a specific Authentication implementation. It's used for authentication but your code doesn't show that it's doing any standard authentication. I suggest you create a sample app that doesn't use any custom provider. You can use the built-in provider, so that we can isolate the problem with your JSP mappings.

    Not to sound negative or harsh to you, I think you got mixed up with some of the stuff here. Keep it simple first. Then if it works, slowly add features.

  5. #5


    This is my controller:

    Code:
    @Controller
    @RequestMapping("/login")
    public class MyAddressHndler {
    
        @RequestMapping("success")
        public ModelAndView successLogin(HttpServletRequest httpServletRequest) {
            return new ModelAndView("home").addObject("usernameName", SecurityContextHolder.getContext().getAuthentication().getName());
        }
    
        @RequestMapping("failure")
        public String failureLogin() {
            return "accessDeniedPage";
        }
    }
    And this is my servletDispatcher:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    
        <context:component-scan base-package="controller"/>
        <bean id="viewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
            <property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
            <property name="prefix" value="/WEB-INF/pages/"/>
            <property name="suffix" value=".jsp"/>
        </bean>
    </beans>


    Dear skram, I tested my URLs that are mentioned under WEB-INF/pages/accessDeniedPage.jsp or WEB-INF/pages/home.jsp in my applicationContext-security.xml like below:
    Code:
    <intercept-url pattern="/WEB-INF/pages/accessDeniedPage.jsp" access="isAnonymous()"/>
    That was wrong, and the style that I wrote in applicationContext-security.xml is correct. I think it does not cause any problem, because I can log in according to the decision in MyProviderManager now.
    The only problem is that once I have logged in to the system and authenticated in MyProviderManager, if I open another tab and send a request to the server for the login page, it fails and I get a 404 error. But until I log in, I can get my login page in any number of browser tabs.

    I use sessionRegistry and securityContextHolder in MyProviderManager, in the "//my code is here" part of this method:

    Code:
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        //my code is here
    }


    Do you know how to make clicking the back or forward button in my browser send a request from the client to the server?
    For example, when I have logged in to the system and press the browser's back button to go to the login page, the authenticationEntryPoint would be called.
    Thanks.

  6. #6
    Join Date
    Dec 2010
    Posts
    315


    Quote:
        Do you know how to make clicking the back or forward button in my browser send a request from the client to the server?
        For example, when I have logged in to the system and press the browser's back button to go to the login page, the authenticationEntryPoint would be called.
        Thanks.

    When you click the Back and Forward buttons in the browser, it loads the cached website even when you're offline.

    I believe you can set the HTTP Response Header so that it won't cache your website. Check this reference Caching Tutorial at http://www.mnot.net/cache_docs/

  7. #7
    Join Date
    Dec 2010
    Posts
    315


    Can you post your login.jsp code here?

    You specified in your XML config the following parameters:
    Code:
    <beans:property name="usernameParameter" value="username"/>
    <beans:property name="filterProcessesUrl" value="/test"/>
    <beans:property name="passwordParameter" value="password"/>
    In your JSP page, did you update it to match these parameters?

    Defaults are:
    j_username
    j_password
    /j_spring_security_check

    Also post the DEBUG log from your application. It's gonna show there what your Spring Security is doing when you try to log-in

  8. #8


    This is my login.jsp file content.
    Yes, I changed the default field names and path in the page to the ones I set in the applicationContext-security.xml file within my myLoginFilter.

    Code:
    <html>
    <head>
        <title>Spring Security Test</title>
    </head>
    <body>
    <form action="/test" method="post">
        <label for="username">Username</label>
        <input type="text" name="username" id="username">
        <br/>
        <label for="password">Password</label>
        <input type="password" name="password" id="password"/>
        <br/>                                                               
        <input type="submit" value="Login"/>
    </form>
    </body>
    </html>
    Also, a snippet of the log file is:

    Code:
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    4953 [http-8080-1] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    4953 [http-8080-1] DEBUG org.springframework.security.web.FilterChainProxy$VirtualFilterChain - / at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    4953 [http-8080-1] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/'; to: '/'
    4953 [http-8080-1] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/'; pattern is /login.jsp; matched=false
    4953 [http-8080-1] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/'; pattern is /login/failure.html; matched=false
    4953 [http-8080-1] DEBUG org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/'; pattern is /**; matched=true
    4953 [http-8080-1] DEBUG org.springframework.security.access.intercept.AbstractSecurityInterceptor - Secure object: FilterInvocation: URL: /; Attributes: [hasRole('ROLE_USER')]
    4953 [http-8080-1] DEBUG org.springframework.security.access.intercept.AbstractSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    5110 [http-8080-1] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@c82493, returned: -1
    5125 [http-8080-1] DEBUG org.springframework.beans.factory.support.AbstractBeanFactory - Returning cached instance of singleton bean 'sessionRegistry'
    5141 [http-8080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) ~[spring-security-core-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) ~[spring-security-core-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106) ~[spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) ~[spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) ~[spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.3.RELEASE.jar:3.0.3.RELEASE]
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.3.RELEASE.jar:3.0.3.RELEASE]
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:na]
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:na]
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:na]
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) [catalina.jar:na]
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) [catalina.jar:na]
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:na]
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:na]
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) [catalina.jar:na]
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) [tomcat-coyote.jar:na]
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) [tomcat-coyote.jar:na]
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) [tomcat-coyote.jar:na]
    	at java.lang.Thread.run(Thread.java:619) [na:1.6.0_05]
    5188 [http-8080-1] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/]
    5188 [http-8080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
    5188 [http-8080-1] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/login.jsp;jsessionid=5D8F51A8CE84998BD7B29A3BD0D59CDA'
    That is repeated 4 times.
    Last edited by tango; Dec 31st, 2010 at 04:28 AM.

  9. #9
    Join Date
    Dec 2010
    Posts
    315


    Code:
    5141 [http-8080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    This is an indication that the user doesn't have the authorization to access the page. Since you have implemented your own Authentication provider, it's possible that you've set up your implementation incorrectly.

    The required ROLE based on the logs is hasRole('ROLE_USER') but your implementation is just throwing out ROLE_ANONYMOUS

    Is it possible for you to set aside your own implementation and rely on the standard authentication mechanism? Why do you need to create your own authentication implementation? Any special requirements besides matching the username and password with the database?

    I can't really tell how you authenticate your users for the following:
    Code:
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        //my code here
    }
    Also how are you translating your ROLES from your custom provider? For example in my database, I have stored the roles as numbers: 1 for admin and 2 for user.

    But Spring Security doesn't understand that so I have to convert that to the correct GrantedAuthority type:
    Code:
    /**
     * Retrieves the correct ROLE type depending on the access level, where access level is an Integer.
     * Basically, this interprets the access value whether it's for a regular user or admin.
     *
     * @param access an integer value representing the access of the user
     * @return collection of granted authorities
     */
    public Collection<GrantedAuthority> getAuthorities(Integer access) {
        // Create a list of grants for this user
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);

        // All users are granted with ROLE_USER access
        // Therefore this user gets a ROLE_USER by default
        logger.debug("Grant ROLE_USER to this user");
        authList.add(new GrantedAuthorityImpl("ROLE_USER"));

        // Check if this user has admin access
        // We interpret Integer(1) as an admin user
        if (access.compareTo(1) == 0) {
            // User has admin access
            logger.debug("Grant ROLE_ADMIN to this user");
            authList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
        }

        // Return list of granted authorities
        return authList;
    }
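
How the role mapping from the last post fits into a custom `AuthenticationProvider`, so that the `hasRole('ROLE_USER')` rule from the posted configuration can match after login. This is an added example against the Spring Security 3.0 API seen in the logs, not the original poster's `MyProviderManager`; the class name and the `AccountLookup` interface are hypothetical stand-ins for the credential check that the thread never shows.

```java
package authenticate;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;

/** Added example (hypothetical class): a provider that returns a token carrying ROLE_USER. */
public class RoleMappingAuthenticationProvider implements AuthenticationProvider {

    /**
     * Hypothetical credential check, standing in for the database lookup.
     * Returns the stored access level (1 = admin, 2 = user, as in the post above),
     * or null when the username is unknown or the password does not match.
     */
    public interface AccountLookup {
        Integer verify(String username, String password);
    }

    private final AccountLookup accounts;

    public RoleMappingAuthenticationProvider(AccountLookup accounts) {
        this.accounts = accounts;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String password = (credentials == null) ? "" : credentials.toString();

        Integer access = accounts.verify(username, password);
        if (access == null) {
            // One message for both failure cases, so the response does not
            // reveal whether the username exists.
            throw new BadCredentialsException("Bad credentials");
        }

        // The three-argument constructor marks the token as authenticated and
        // attaches the authorities that the access expressions are checked against.
        // The password is not copied into the returned token.
        return new UsernamePasswordAuthenticationToken(username, null, getAuthorities(access));
    }

    @Override
    public boolean supports(Class<? extends Object> aClass) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(aClass);
    }

    /** Maps the numeric access level to GrantedAuthority objects. */
    private static Collection<GrantedAuthority> getAuthorities(Integer access) {
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
        authList.add(new GrantedAuthorityImpl("ROLE_USER"));      // every authenticated user
        if (access.intValue() == 1) {
            authList.add(new GrantedAuthorityImpl("ROLE_ADMIN")); // access level 1 = admin
        }
        return authList;
    }
}
```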
