
Thread: "j_spring_security_check" not found after configuring spring security without http

  1. #1
    Join Date
    Oct 2011
    Posts
    5

    Default "j_spring_security_check" not found after configuring spring security without http

    Hi there
    I’m trying to convert a Spring Security configuration from the HTTP namespace into a direct configuration using FilterChainProxy. Before the conversion, everything worked with the HTTP namespace. After replacing the <http> element with several bean definitions around FilterChainProxy, I get a “j_spring_security_check not found” error when logging in to the system. I tried replacing some or all occurrences of “/j_spring_security_check” with “/app/j_spring_security_check”, but I still could not log in successfully.

    My environment:
    AppFuse 2.1 with Spring MVC, iBatis, Spring Security 3.0.7, tuckey urlrewrite 3.2.0, Spring 3.0.6
    Windows 7
    JDK 1.5.0_17
    Maven 2.2.1
    apache-tomcat-6.0.32

    Security.xml (before conversion, everything is OK.)
    -------------------------------------------------------------------------------------------

    <!-- Namespace-based configuration: the <http> element builds the security filter chain from the
         rules below. Rules are matched in document order, so /app/** stays last as the catch-all. -->
    <http auto-config="true" lowercase-comparisons="false">
        <!-- Static resources skip the security filters. -->
        <intercept-url pattern="/images/**" filters="none"/>
        <intercept-url pattern="/styles/**" filters="none"/>
        <intercept-url pattern="/scripts/**" filters="none"/>

        <!-- Admin pages, then the pages open to anonymous visitors, then everything else under /app. -->
        <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
        <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
        <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>

        <form-login login-page="/login"
                    authentication-failure-url="/login?error=true"
                    login-processing-url="/j_spring_security_check"/>

        <!-- NOTE(review): the remember-me key is the secret used to sign remember-me cookies. A literal
             key that appears in a posted or committed config should be treated as known; replace it with
             a deployment-specific value kept out of source control. -->
        <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66"/>
    </http>

    <!-- Authenticates against the userDao user service; the passwordEncoder bean (defined elsewhere)
         decides how stored passwords are compared. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDao">
            <password-encoder ref="passwordEncoder"/>
        </authentication-provider>
    </authentication-manager>


    Security.xml (after replacing http namespace, "j_spring_security_check" not found)
    -------------------------------------------------------------------------------------------
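    <!-- Hand-built replacement for the <http> element: every filter has to be listed explicitly.
         (The class name is written without the space the forum software inserted.) -->
    <beans:bean id="springSecurityFilterChain"
                class="org.springframework.security.web.FilterChainProxy">
        <filter-chain-map path-type="ant">
            <!-- Static resources skip the security filters. -->
            <filter-chain pattern="/images/**" filters="none"/>
            <filter-chain pattern="/styles/**" filters="none"/>
            <filter-chain pattern="/scripts/**" filters="none"/>
            <!-- NOTE(review): this is the only chain that applies filters, and it covers /app/** only.
                 A request whose path is still /j_spring_security_check when it reaches this proxy matches
                 no chain, so authenticationProcessingFilter never sees it. Whether the path has already
                 been rewritten to /app/... at that point depends on the filter order in web.xml, which is
                 not shown here.
                 NOTE(review): the chain lists no anonymous-authentication, logout or remember-me filter,
                 all of which the namespace configuration provided. Without an anonymous Authentication the
                 ROLE_ANONYMOUS rules on the interceptor cannot be satisfied. -->
            <filter-chain pattern="/app/**" filters="
                securityContextPersistenceFilter,
                authenticationProcessingFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor"/>
        </filter-chain-map>
    </beans:bean>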

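    <!-- Restores the SecurityContext at the start of each request and stores it again afterwards.
         (Class names and beans:property tags are written without the spaces the forum inserted.) -->
    <beans:bean id="securityContextPersistenceFilter"
                class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    </beans:bean>

    <!-- Form-login filter: it only acts on requests whose path equals filterProcessesUrl, and only if
         the request passes through a filter chain that contains this bean. -->
    <beans:bean id="authenticationProcessingFilter"
                class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
        <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
    </beans:bean>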

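    <!-- Where to send the browser after a successful login.
         (Class names and beans:property tags are written without the spaces the forum inserted.) -->
    <beans:bean id="authenticationSuccessHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/mainMenu"/>
    </beans:bean>

    <!-- Where to send the browser after a failed login.
         NOTE(review): the namespace version used /login?error=true; confirm /login.jsp is the intended
         target and is reachable without authentication. -->
    <beans:bean id="authenticationFailureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login.jsp"/>
    </beans:bean>

    <!-- Turns authentication and access-denied exceptions raised further down the chain into a
         redirect to the login page or the 403 page. -->
    <beans:bean id="exceptionTranslationFilter"
                class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
        <beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
    </beans:bean>

    <!-- Unauthenticated callers are sent to the login form. -->
    <beans:bean id="authenticationEntryPoint"
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp"/>
    </beans:bean>

    <!-- Authenticated callers without the required role get the 403 page. -->
    <beans:bean id="accessDeniedHandler"
                class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <beans:property name="errorPage" value="/403.jsp"/>
    </beans:bean>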

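    <!-- Last filter in the chain: enforces the URL access rules below.
         (Class names and beans:property tags are written without the spaces the forum inserted.) -->
    <beans:bean id="filterSecurityInterceptor"
                class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
        <beans:property name="securityMetadataSource">
            <!-- Rules are matched in document order; /app/** stays last as the catch-all.
                 NOTE(review): the ROLE_ANONYMOUS entries only work when an anonymous Authentication has
                 been placed in the SecurityContext earlier in the chain. -->
            <filter-security-metadata-source>
                <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
                <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
                <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
                <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
            </filter-security-metadata-source>
        </beans:property>
    </beans:bean>

    <!-- Custom metadata source; declared here but not referenced by any bean in this listing. -->
    <beans:bean id="myFilterInvocationSecurityMetadataSource"
                class="com.tangram.ebiz.webapp.authentication.MyFilterInvocationSecurityMetadataSource">
    </beans:bean>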

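    <!-- Access is granted as soon as one voter grants it. RoleVoter handles the ROLE_ attributes and
         AuthenticatedVoter handles the IS_AUTHENTICATED_ attributes.
         (Class names and beans:property tags are written without the spaces the forum inserted.) -->
    <beans:bean id="accessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter">
                    <beans:property name="rolePrefix" value="ROLE_"/>
                </beans:bean>
                <beans:bean
                    class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <!-- Authenticates against the userDao user service; the passwordEncoder bean (defined elsewhere)
         decides how stored passwords are compared. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDao">
            <password-encoder ref="passwordEncoder"/>
        </authentication-provider>
    </authentication-manager>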

    Login.jsp
    -------------------------------------------------------------------------------------------
    <%-- Login form excerpt. The action URL and the j_username / j_password field names have to match
         what the form-login filter is configured to process. --%>
    <form method="post" id="loginForm" action="<c:url value='/j_spring_security_check'/>" onsubmit="saveUsername(this);return validateForm(this)">

        <li>
            <label for="j_username" class="required desc"><fmt:message key="label.username"/> <span class="req">*</span></label>
            <input type="text" class="text medium" name="j_username" id="j_username" tabindex="1" />
        </li>
        <li>
            <label for="j_password" class="required desc"><fmt:message key="label.password"/> <span class="req">*</span></label>
            <input type="password" class="text medium" name="j_password" id="j_password" tabindex="2" />
        </li>

    </form>

    Urlrewrite.xml
    -------------------------------------------------------------------------------------------
    <!-- Rules are evaluated top to bottom; a rule marked last="true" stops further processing.
         NOTE(review): these rewrites change the path that later filters and servlets see. Whether the
         Spring Security filter sees the original or the rewritten path depends on the filter order and
         dispatcher types in web.xml, which are not shown. Access rules written against /app/** should be
         checked against the path the security filter really receives. -->
    <urlrewrite default-match-type="wildcard">

        <!-- Add rules here for anything that shouldn't be served up by Spring MVC. -->
        <rule>
            <from>/</from>
            <to type="redirect" last="true">mainMenu</to>
        </rule>

        <!-- External /app/... URLs are redirected to their short form. -->
        <rule>
            <from>/app/**</from>
            <to last="true" type="redirect">%{context-path}/$1</to>
        </rule>

        <!-- The login-processing URL is passed through unchanged instead of being mapped under /app. -->
        <rule>
            <from>/j_spring_security_check**</from>
            <to last="true">/j_spring_security_check$1</to>
        </rule>

        <!-- Spring MVC -->
        <rule>
            <from>/**</from>
            <to>/app/$1</to>
        </rule>

        <!-- Generated links drop the /app prefix again. -->
        <outbound-rule>
            <from>/app/**</from>
            <to>/$1</to>
        </outbound-rule>

    </urlrewrite>
    Last edited by bwwlpnn; Oct 6th, 2011 at 09:50 AM.

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    Why are you trying to avoid using the namespace? Perhaps there is a way you can still use it (it simplifies things a lot). The reason j_spring_security_check is not found is the spring config does not have the UsernamePasswordAuthenticationFilter. See this blog post to learn more about

    PS: I would avoid using UrlRewriteFilter if possible. If you just want RESTful URLs, you can do this by mapping your servlet to the default servlet. You can search the forums for ways to avoid using UrlRewriteFilter.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Oct 2011
    Posts
    5

    Default

    I avoided using the namespace because my customers wanted me to define the secured URLs dynamically and manage roles in database(see http://static.springsource.org/sprin...c-url-metadata). After fixing the j_spring_security_check issue, I'll redefine securityMetadataSource to reference to myFilterInvocationSecurityMetadataSource and add attributes (roles) from database.

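    <!-- NOTE(review): with a database-driven metadata source, decide what happens to URLs that have no
         entry. FilterSecurityInterceptor treats a request with no configured attributes as public
         unless its rejectPublicInvocations property is set to true. -->
    <beans:property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource"/>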

    I have defined UsernamePasswordAuthenticationFilter in security.xml.

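    <!-- Form-login filter: it only acts on requests whose path equals filterProcessesUrl, and only if
         the request passes through a filter chain that contains this bean.
         (Class name and beans:property tags are written without the spaces the forum inserted.) -->
    <beans:bean id="authenticationProcessingFilter"
                class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"/>
        <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
    </beans:bean>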

    I'll have a try to disable urlrewritefilter.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    If you only want to deviate from the namespace a little bit this faq entry may help.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Oct 2011
    Posts
    5

    Default

    Quote Originally Posted by rwinch View Post
    Why are you trying to avoid using the namespace? Perhaps there is a way you can still use it (it simplifies things a lot). The reason j_spring_security_check is not found is the spring config does not have the UsernamePasswordAuthenticationFilter. See this blog post to learn more about
    Finally I fixed it myself.

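    While debugging the doFilter() method of SecurityContextPersistenceFilter without the Spring Security namespace, I found that contextBeforeChainExecution and contextAfterChainExecution were null. But when debugging the program with the namespace, both of them contained something about Anonymous. (The <http> namespace element adds an anonymous-authentication filter on its own; the hand-built filter chain in the first post does not list one, which is consistent with this difference.)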

    I added “/j_spring_security_check” and “/login” with “IS_AUTHENTICATED_ANONYMOUSLY” access in securityMetadataSource as shown below and the problem was solved.

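    <beans:property name="securityMetadataSource">
        <!-- Rules are matched in document order.
             NOTE(review): these rules are only consulted for requests that actually reach
             filterSecurityInterceptor, and an unauthenticated caller still needs an Authentication in the
             SecurityContext (normally supplied by an anonymous-authentication filter) before the
             interceptor evaluates them. Confirm that filter is part of the chain.
             (beans:property is written without the space the forum inserted.) -->
        <filter-security-metadata-source>
            <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
            <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN"/>
            <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
            <intercept-url pattern="/app/signup*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
            <intercept-url pattern="/app/**" access="ROLE_ADMIN,ROLE_USER"/>
        </filter-security-metadata-source>
    </beans:property>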

    Thank you, rwinch! The blog post really helped me a lot!

  6. #6
    Join Date
    Jul 2012
    Posts
    2

    Default j_spring_security_check not found after adding pattern to http element

    Hi ,
    I am new to Spring Security. I am trying to use multiple http elements so that I can have different authentication managers for different URLs. I am using form authentication with a JSP page. The problem is that if I don't add a pattern to the http element, I can use more than one http element, and if I add a pattern, I get "j_spring_security_check not found". My spring-security.xml is as follows:

    <!-- Form-login filter chain restricted to paths matching /admin/**.
         NOTE(review): login-processing-url (/j_spring_security_check) and the login page
         (/adminLogin.jsp) both lie outside /admin/**, so the login POST is never handled by this chain;
         that fits the "not found" symptom. A processing URL underneath the pattern (constructed example:
         /admin/j_spring_security_check), with the form action changed to match, would fall inside it.
         NOTE(review): use-expressions="true" means every access value is evaluated as an expression.
         IS_AUTHENTICATED_ANONYMOUSLY is a voter attribute, not an expression; permitAll or isAnonymous()
         are the expression forms. -->
    <security:http auto-config="true" use-expressions="true"
                   authentication-manager-ref="superAdmin" pattern="/admin/**">
        <security:intercept-url pattern="/adminLogin*" access="isAnonymous()"/>
        <security:intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
        <security:form-login
            login-page="/adminLogin.jsp"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/loginFailed.html"
            authentication-success-handler-ref="myAuthSuccessHandler"
            always-use-default-target="true"/>
    </security:http>

    <!-- Authentication manager for the admin chain, backed by the Admin table. Both queries bind the
         user name as a parameter; the third column of the user query marks every account as enabled. -->
    <security:authentication-manager id="superAdmin">
        <security:authentication-provider>
            <!-- NOTE(review): no password encoder is active, so the submitted password is compared with
                 the column value as stored, which implies clear-text passwords in the Admin table.
                 Enabling the md5 line below would still be a fast, unsalted hash; prefer a salted
                 adaptive hash where the Spring Security version in use offers one. -->
            <!-- <password-encoder hash="md5"/> -->
            <security:jdbc-user-service data-source-ref="dataSources"
                users-by-username-query="
                select username,password,true
                from Admin where username=?"
                authorities-by-username-query="
                select username,'ROLE_ADMIN_USER' from Admin where username=?" />
        </security:authentication-provider>
    </security:authentication-manager>



    Please help me
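    <!-- The following is commented at this point of time, since it is not really necessary at this point of time
         (review note: the opening comment marker was missing from the pasted text and is restored here
         so that the closing marker at the end of this block is balanced)
    <security:http use-expressions="true" authentication-manager-ref="organizationAdmin" pattern="/organizationAdmin/*">
        <security:intercept-url pattern="/organizationLogin*" access="isAnonymous()"/>
        <security:intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
        <security:form-login
            login-page="/orgAdminLogin.jsp"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/loginFailed.html"
            authentication-success-handler-ref="myAuthSuccessHandler"
            always-use-default-target="true"/>
    </security:http>
    <security:authentication-manager id="organizationAdmin">
        <security:authentication-provider>

            <security:jdbc-user-service data-source-ref="dataSources"

                users-by-username-query="
                select username,password,true
                from Admin where username=?"

                authorities-by-username-query="
                select username,'ROLE_ADMIN_USER' from Admin where username=?" />
        </security:authentication-provider>
    </security:authentication-manager>

    -->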





    <!-- HTTP Basic chain for organization administrators.
         NOTE(review): in an Ant pattern a single * matches one path segment only. Deeper paths
         (constructed example: /organizationAdmin/a/b) match neither this chain nor its rule; use /** if
         the whole subtree is meant to be protected.
         NOTE(review): HTTP Basic sends the credentials with every request in a trivially decodable
         form, so this chain should only be reachable over TLS. -->
    <security:http use-expressions="true" disable-url-rewriting="true"
                   authentication-manager-ref="orgAdmin" pattern="/organizationAdmin/*">
        <security:intercept-url pattern="/organizationAdmin/*" access="hasRole('ROLE_ORG_USER')" />
        <security:http-basic />
    </security:http>

    <!-- Authentication manager backed by the OrganizationAdmin table. Both queries bind the user name
         as a parameter; the third column of the user query marks every account as enabled. -->
    <security:authentication-manager id="orgAdmin">
        <security:authentication-provider>
            <!-- NOTE(review): md5 here is a fast, unsalted hash of the password; prefer a salted adaptive
                 hash where the Spring Security version in use offers one. This element also lacks the
                 security: prefix used by its siblings; confirm it resolves to the security namespace. -->
            <password-encoder hash="md5"/>
            <security:jdbc-user-service data-source-ref="dataSources"
                users-by-username-query="
                select username,password,true
                from OrganizationAdmin where username=?"
                authorities-by-username-query="
                select username,'ROLE_ORG_USER' from OrganizationAdmin where username=?" />
        </security:authentication-provider>
    </security:authentication-manager>


    <!-- HTTP Basic chain for super administrators.
         NOTE(review): in an Ant pattern a single * matches one path segment only, so paths more than
         one level below /admin/ fall outside this chain; use /** if the whole subtree is meant to be
         protected. HTTP Basic credentials travel with every request, so serve this chain over TLS only. -->
    <security:http use-expressions="true" disable-url-rewriting="true"
                   authentication-manager-ref="superAdmin" pattern="/admin/*">
        <security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN_USER')" />
        <security:http-basic />
    </security:http>

    <!-- NOTE(review): an authentication manager with the id superAdmin is also defined earlier in this
         post; if both definitions live in the same file the duplicate id has to be resolved. -->
    <security:authentication-manager id="superAdmin">
        <security:authentication-provider>
            <!-- NOTE(review): md5 here is a fast, unsalted hash of the password; prefer a salted adaptive
                 hash where the Spring Security version in use offers one. This element also lacks the
                 security: prefix used by its siblings; confirm it resolves to the security namespace. -->
            <password-encoder hash="md5"/>
            <security:jdbc-user-service data-source-ref="dataSources"
                users-by-username-query="
                select username,password,true
                from Admin where username=?"
                authorities-by-username-query="
                select username,'ROLE_ADMIN_USER' from Admin where username=?" />
        </security:authentication-provider>
    </security:authentication-manager>


    <!-- HTTP Basic chain for the single path /rest/adminLogin.
         NOTE(review): the path is named adminLogin but is authenticated by the orgAdmin manager and
         requires ROLE_ORG_USER; confirm that pairing is intended. HTTP Basic credentials travel with
         every request, so serve this path over TLS only. -->
    <security:http use-expressions="true" disable-url-rewriting="true"
                   authentication-manager-ref="orgAdmin" pattern="/rest/adminLogin">
        <security:intercept-url pattern="/rest/adminLogin" access="hasRole('ROLE_ORG_USER')" />
        <security:http-basic />
    </security:http>

  7. #7
    Join Date
    Jul 2012
    Posts
    2

    Default

    sorry, I forgot to post web.xml
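    <!-- Deployment descriptor. Class names are written without the spaces the forum software inserted.
         NOTE(review): version 3.0 is paired with the j2ee namespace here, while the 3.0 schema belongs
         to the javaee namespace; confirm the container accepts this header. -->
    <web-app id="WebApp_ID" version="3.0"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_3_0.xsd">

        <display-name>Spring Web MVC Application</display-name>

        <!-- Spring MVC front controller, reachable under /rest/*.
             NOTE(review): security patterns are matched against the path after the context path, which
             includes this /rest prefix. Check that the /admin/... and /organizationAdmin/... patterns in
             spring-security.xml really correspond to the URLs clients request. -->
        <servlet>
            <servlet-name>mvc-dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>

        <servlet-mapping>
            <servlet-name>mvc-dispatcher</servlet-name>
            <url-pattern>/rest/*</url-pattern>
        </servlet-mapping>

        <!-- Root application context: MVC beans plus the security configuration. -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
            /WEB-INF/mvc-dispatcher-servlet.xml,
            /WEB-INF/spring-security.xml
            </param-value>
        </context-param>

        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>

        <!-- Hands every request to the Spring bean named springSecurityFilterChain. -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

    </web-app>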
