Custom EntryPoint only being invoked 1st time I reference my login page

[MartyJones]

I have a custom entry point that I use to load a custom login page based upon request parameters. I noticed that the first time I invoke the login url then the entry point gets invoked and the correct login url is generated. If I update the url with additional request parameters and invoke a request then the entry point does not get invoked again because it states that it was previously authenticated with a AnonymousAuthenticationToken.

For example,

The first request is http://localhost/is/control/login - The entry point fires as expected.
The second request is http://localhost/is/control/login?lp=FNB - The entry point does not fire.



Here is my security configuration file:

Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Main Security Configuration -->
    <http auto-config="false" use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
        <form-login 
           login-processing-url="/j_spring_security_check"
           authentication-failure-handler-ref="postFailureAuthHandler" 
           authentication-success-handler-ref="postSuccessAuthHandler"
        />
        
        <logout logout-url="/control/logout"/>        
    
        <!-- turn off session fixation protection for now -->
        <session-management session-fixation-protection="none"/>
        
        <!-- define which urls we want to secure -->
        <intercept-url pattern="/css/**" filters="none" />
        <intercept-url pattern="/images/**" filters="none" />
        <intercept-url pattern="/javascript/**" filters="none" />
        <intercept-url pattern="/control/login*" access="permitAll" />
        <intercept-url pattern="/control/**" access="isAuthenticated()" />
    </http>

    <!-- setup entry point to determine which login page to display based upon LoginProfiles -->
    <beans:bean id="authenticationProcessingFilterEntryPoint" class="com.foo.web.security.FooLoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/control/login"/>    
    </beans:bean>

    <!-- setup handler for post processing successful authentication -->
    <beans:bean id="postSuccessAuthHandler" class="com.foo.web.security.PostSuccessAuthenticationHandler">
        <beans:property name="defaultTargetUrl" value="/control/home"></beans:property>
    </beans:bean>
        
    <!-- setup handler for post processing failure authentication -->        
    <beans:bean id="postFailureAuthHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/control/login?login_error=t"></beans:property>
    </beans:bean>

     
    <beans:bean id="testAuthenticationProvider" class="com.foo.web.security.TestAuthenticationProvider"/>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="testAuthenticationProvider" />
    </authentication-manager>

    <global-method-security pre-post-annotations="enabled" />

</beans:beans>

Here is a dump of the log showing that it skips the entry point:

Code:

6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Converted URL to lowercase, from: '/control/login'; to: '/control/login'
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Candidate is: '/control/login'; pattern is /css/**; matched=false
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Converted URL to lowercase, from: '/control/login'; to: '/control/login'
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Candidate is: '/control/login'; pattern is /images/**; matched=false
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Converted URL to lowercase, from: '/control/login'; to: '/control/login'
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Candidate is: '/control/login'; pattern is /javascript/**; matched=false
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Converted URL to lowercase, from: '/control/login'; to: '/control/login'
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -Candidate is: '/control/login'; pattern is /**; matched=true
6125 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
6125 [http-8080-2] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository  -No HttpSession currently exists
6125 [http-8080-2] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository  -No SecurityContext was available from the HttpSession: null. A new one will be created.
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 4 of 9 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 5 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 6 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter  -Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
6140 [http-8080-2] DEBUG org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource  -Converted URL to lowercase, from: '/control/login'; to: '/control/login'
6140 [http-8080-2] DEBUG org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource  -Candidate is: '/control/login'; pattern is /control/login*; matched=true
6140 [http-8080-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  -Secure object: FilterInvocation: URL: /control/login?lp=FNB; Attributes: [permitAll]
6140 [http-8080-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  -Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
6140 [http-8080-2] DEBUG org.springframework.security.access.vote.AffirmativeBased  -Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1e2c841, returned: 1
6140 [http-8080-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  -Authorization successful
6140 [http-8080-2] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor  -RunAsManager did not change Authentication object
6140 [http-8080-2] DEBUG org.springframework.security.web.FilterChainProxy  -/control/login?lp=FNB reached end of additional filter chain; proceeding with original chain
6156 [http-8080-2] DEBUG org.springframework.web.servlet.DispatcherServlet  -DispatcherServlet with name 'control' processing GET request for [/is/control/login]

I really need the entry point to be invoked anytime that a login prompt is required.

Does anyone have any suggestions?

Thanks In Advance,

Marty

[Rob Winch]

The AuthenticationEntryPoint is invoked any time the user is not authenticated and not authorized to access a page. In this case the AuthenticationEntryPoint is performing a redirect to the login page which allows anyone to access it, so the AuthenticationEntryPoint is not invoked when the login page is requested. In fact, this is good because otherwise you would have infinite redirects. If you want something to happen just before the login page is rendered you should do this in the controller for your login page (or Filter that is invoked prior to the processing of the url for the login page).

[MartyJones]

Rob,

Thanks for the info. I ended up doing what you suggested and it works fine.

Marty