Thread: Cookie problem when using spring security 2.0.1

  1. #1
    Join Date
    Dec 2010
    Posts
    4

    Default Cookie problem when using spring security 2.0.1

    Hi all,

    I want to auto-login by cookie, and I have my config like this:

    Code:
    <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
    	<property name="filterInvocationDefinitionSource">
    		<value>
    			CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			PATTERN_TYPE_APACHE_ANT
    			/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,rememberMeProcessingFilter,filterInvocationInterceptor
    		</value>
    	</property>
    </bean>
    
    
    <bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
    	<property name="rememberMeServices" ref="rememberMeServices"/>
    	<property name="authenticationManager" ref="authenticationManager"/>
    </bean>
    
    
    <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
    	<property name="tokenValiditySeconds" value="2678400"/>
    	<property name="key" value="myproj"/>
    	<property name="userDetailsService" ref="jdbcDaoImpl" />
    </bean>
    
    
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    	<property name="providers">
    		<list>
    			<ref local="daoAuthenticationProvider"/>
    			<bean class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
    				<property name="key" value="myproj"/>
    			</bean>
    		</list>
    	</property>
    	<property name="sessionController">
    		<ref bean="concurrentSessionController"/>
    	</property>
    </bean>
    
    
    <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    	<property name="userDetailsService" ref="jdbcDaoImpl"/>
    	<property name="userCache" ref="userCache"/>
    	<property name="passwordEncoder" ref="passwordEncoder"/>
    </bean>
    
    
    <bean id="authenticationProcessingFilter" class="filter.UserAuthenticationProcessingFilter">
    	<property name="authenticationManager" ref="authenticationManager"/>
    	<property name="userService" ref="userService"/>
    	
    	<property name="authenticationFailureUrl">
    		<value>/login.jsp</value>
    	</property>
    	
    	<property name="defaultTargetUrl">
    		<value>/pages/intoIndex.action</value>
    	</property>
    	
    	<property name="filterProcessesUrl">
    		<value>/j_spring_security_check</value>
    	</property>
    	
    	<property name="exceptionMappings">
    		<value>
    			org.springframework.security.userdetails.UsernameNotFoundException=/login.jsp?login_error=user_not_found_error
    			org.springframework.security.BadCredentialsException=/login.jsp?login_error=user_psw_error
    			org.springframework.security.concurrent.ConcurrentLoginException=/login.jsp?login_error=too_many_user_error
    		</value>
    	</property>
    
    	<property name="rememberMeServices" ref="rememberMeServices"/>
    </bean>

    When I try to log in by cookie, I get these messages:

    Code:
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 6 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1300; ]'
    DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie detected
    DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie accepted
    DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
    DEBUG org.springframework.security.concurrent.SessionRegistryImpl - Registering session 9D8670EE917A99EF23C679216B358AEB, for principal myname

    It seemed that the cookie was accepted, but it didn't log in to the app and instead returned to the login page.

    I am puzzled, and I think that there is something wrong with the config. Can anyone give me some tips?

    Thanks to all.
    Last edited by Killua; Jan 3rd, 2011 at 09:34 PM.

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    Try switching the order of exceptionTranslationFilter and rememberMeProcessingFilter. Can you enable all logging for Spring Security and post all the logs (i.e. RememberMeProcessingFilter)?

    FYI: You may want to update to 2.0.6.RELEASE to avoid the security vulnerability.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Dec 2010
    Posts
    4

    I changed the order of exceptionTranslationFilter and rememberMeProcessingFilter, then I got the debug output below:

    Code:
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 1 of 7 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 2 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=400; ]'
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 3 of 7 in additional filter chain; firing Filter: 'com.broadtext.eim.security.filter.UserAuthenticationProcessingFilter[ order=800; ]'
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 4 of 7 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1200; ]'
    DEBUG org.springframework.security.wrapper.SavedRequestAwareWrapper - Wrapper not replaced; SavedRequest was: null
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 5 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1300; ]'
    DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie detected
    DEBUG org.springframework.security.ui.rememberme.TokenBasedRememberMeServices - Remember-me cookie accepted
    DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
    WARN  org.springframework.security.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9
    DEBUG org.springframework.security.providers.ProviderManager - Authentication attempt using org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider
    DEBUG org.springframework.security.concurrent.SessionRegistryImpl - Registering session 7F9D626137539284836542B85B018FB9, for principal myname
    DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@19c5048]: org.springframework.security.event.authentication.AuthenticationSuccessEvent[source=org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ...
    WARN  org.springframework.security.event.authentication.LoggerListener - Authentication event AuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9
    DEBUG org.springframework.security.ui.rememberme.RememberMeProcessingFilter - SecurityContextHolder populated with remember-me token: 'org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ...
    DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@19c5048]: org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent[source=org.springframework.security.providers.rememberme.RememberMeAuthenticationToken@6d13c6b3: Principal: org.springframework.security.userdetails.User@0: Username: myname; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ...
    WARN  org.springframework.security.event.authentication.LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: myname; details: org.springframework.security.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1; SessionId: 7F9D626137539284836542B85B018FB9
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 6 of 7 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1500; ]'
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp at position 7 of 7 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@a9fa9c'
    DEBUG org.springframework.security.intercept.AbstractSecurityInterceptor - Public object - authentication not attempted
    DEBUG org.springframework.web.context.support.XmlWebApplicationContext - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@19c5048]: org.springframework.security.event.authorization.PublicInvocationEvent[source=FilterInvocation: URL: //login.jsp]
    DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp reached end of additional filter chain; proceeding with original chain
    DEBUG org.springframework.security.ui.ExceptionTranslationFilter - Chain processed normally

    It was found that 'authentication not attempted' appears in 'org.springframework.security.intercept.AbstractSecurityInterceptor - Public object - authentication not attempted'.

    Now I will try to step into it to find out the problem. Maybe I should update to 2.0.6.

    Thanks a lot.
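
The filter-order advice from reply #2, checked against log output (an added example, not part of the original thread): it parses FilterChainProxy debug lines in the format posted above and reports any filter that fires after a filter with a higher `order=` value. Treating the printed `order=` values as the intended relative order is an assumption, and the sample lines are constructed from the chain in the first post.

```python
import re

# Matches FilterChainProxy debug lines in the format shown in the thread's logs.
FIRING = re.compile(
    r"at position (?P<pos>\d+) of \d+ in additional filter chain; "
    r"firing Filter: '(?P<cls>[\w.$]+)(?:\[ order=(?P<order>\d+); \])?"
)

def fired_filters(log_text):
    """Return (position, simple class name, order or None) per fired filter."""
    fired = []
    for line in log_text.splitlines():
        m = FIRING.search(line)
        if m:
            order = int(m["order"]) if m["order"] else None
            fired.append((int(m["pos"]), m["cls"].rsplit(".", 1)[-1], order))
    return fired

def misordered(fired):
    """Return (earlier, later) pairs where the later filter has a lower order."""
    findings, highest = [], None
    for pos, name, order in fired:
        if pos == 1:
            highest = None  # a new request starts a new pass through the chain
        if order is None:
            continue  # FilterSecurityInterceptor@... prints no order value
        if highest and order < highest[1]:
            findings.append((highest[0], name))
        elif not highest or order > highest[1]:
            highest = (name, order)
    return findings

def sample_log(chain):
    """Build constructed log lines in the thread's format for a filter chain."""
    head = "DEBUG org.springframework.security.util.FilterChainProxy - //login.jsp"
    return "\n".join(
        f"{head} at position {i} of {len(chain)} in additional filter chain; "
        f"firing Filter: '{entry}'" for i, entry in enumerate(chain, 1))

# Constructed samples: the tail of the chain before and after the swap.
PKG = "org.springframework.security."
WRAPPER = PKG + "wrapper.SecurityContextHolderAwareRequestFilter[ order=1200; ]"
REMEMBER = PKG + "ui.rememberme.RememberMeProcessingFilter[ order=1300; ]"
TRANSLATE = PKG + "ui.ExceptionTranslationFilter[ order=1500; ]"
INTERCEPT = PKG + "intercept.web.FilterSecurityInterceptor@a9fa9c"
BEFORE = sample_log([WRAPPER, TRANSLATE, REMEMBER, INTERCEPT])
AFTER = sample_log([WRAPPER, REMEMBER, TRANSLATE, INTERCEPT])
```

To check a real deployment, pass the captured DEBUG output as a string to `fired_filters` and hand the result to `misordered`; an empty list means the chain fired in ascending order.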

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Can you try accessing a protected page?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Dec 2010
    Posts
    4

    Quote, originally posted by rwinch:
    Can you try accessing a protected page?

    What is the protected page you mean?
    //login.jsp ?

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826

    I mean a page that required you to be logged in.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  7. #7
    Join Date
    Dec 2010
    Posts
    4

    Quote, originally posted by rwinch:
    I mean a page that required you to be logged in.

    So sorry, I think I should have replied earlier, but other things kept me from continuing at that time.

    I tried, but when accessing the page, I was kicked out to the login page.

    Now I have updated to 2.0.6 and got the problem resolved. Thanks a lot.
