Spring Security logout error login

[tomarts]

hi my problem is when i logout and try to login again it shows me this mensage:

{"rs":[]}
and dont show anything, the page stay in blank.

after that the url of my application shows:
http://localhost:8084/ManejoyControl...esktop&opt_0=i
normaly is:
http://localhost:8084/ManejoyControldeEquipos/

i am using spring security and zk framework.

i am using basic configuration:

Code:

 <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="isAuthenticated()"  />
</http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="tomas" password="america" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                <user name="tomas2" password="america2" authorities="ROLE_USER,ROLE_TELLER" />
                <user name="tomas3" password="america3" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

[Rob Winch]

Can you be a little more detailed in the steps to reproduce? It sounds as though the logout page has an asynchronous request to a protected resource that is protected (i.e. javascript, css, image, etc). By default after logging in Spring Security will send you to the last protected URL that was requested.

[tomarts]

well when the app start it shows the spring login page then i log it and shows me index.zul, i have a link to logout "<a href="/j_spring_security_logout">Salir</a>" when i click it shows me the login page again but when i try to log with the same user again it shows me this {"rs":[]} and dont show index.zul.

i am using zk framework, spring security 3.

[Rob Winch]

So that sounds to me like the guess was correct. A few options to resolve your issue are

• Prevent the application from requesting http://localhost:8084/ManejoyControl...esktop&opt_0=i while you are logged out. This can be done by removing the request to those resources or by using access="permitAll"
• Specify form-login@default-target-url and form-login@always-use-default-target="true"
• Create a modified version of HttpSessionRequestCache which prevents requests to javascript from being saved. You can then wire this custom implementation into your Spring configuration using http/request-cache@ref

[tomarts]

i Specify form-login@default-target-url now it shows the "Processing..." zk message and dont show login page just stay loading and no more

this is the config:

<global-method-security pre-post-annotations="enabled">

</global-method-security>

<http auto-config="true" use-expressions="true">


<intercept-url pattern="/folder/**" access="permitAll" />

<form-login login-page="/manejoUsuario/loginUser.zul" default-target-url="/index.zul"/>
<intercept-url pattern="/**" access="isAuthenticated()" />

</http>

<authentication-manager>
<authentication-provider>

<user-service>
<user name="tomas" password="america" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
<user name="tomas2" password="america2" authorities="ROLE_USER,ROLE_TELLER" />
<user name="tomas3" password="america3" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>

this is the zul login page

<?xml version="1.0" encoding="UTF-8"?>
<?init class="org.zkoss.zkplus.databind.AnnotateDataBinde rInit"?>
<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableR esolver"?>
<div height="100%" >
<groupbox>
<caption>Login</caption>
<h:form id="f" name="f" action="j_spring_security_check" method="POST"
xmlns:h="http://www.w3.org/1999/xhtml">
<grid>
<rows>
<row>User:
<textbox id="u" name="j_username"/>
</row>
<row>Password:
<textbox id="p" type="password" name="j_password"/>
</row>
<!--<row>
<checkbox id="r" name="_spring_security_remember_me"/>Don't ask for my password for two weeks
</row>-->
<row spans="2">
<hbox>
<h:input type="submit" value="Submit Query"/>
<h:input type="reset" value="Reset"/>
</hbox>
</row>
</rows>
</grid>
</h:form>
</groupbox>
</div>

[Rob Winch]

For that solution you also need to specify form-login@always-use-default-target="true"

[tomarts]

the solution didnt work, still it showing the "Processing..." zk message, now i use Google Chrome console and get a error, and dont do anything just stay like this pic:
Captura.jpg

[Rob Winch]

If you go to /index.zul after you login does it display that page or does it display the login page? You might also try enabling logging for Spring Security. If the logs do not help you post them and perhaps I can figure out what is happening.

[tomarts]

ok i enable the log trace and it shows this:

6097 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - Converted URL to lowercase, from: '/index.zul'; to: '/index.zul'
6097 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - Candidate is: '/index.zul'; pattern is /**; matched=true
6100 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.Security ContextPersistenceFilter@200bde'
6182 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.context.HttpSessi onSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
6182 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.context.HttpSessi onSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@ 1eb41d6. A new one will be created.
6186 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.l ogout.LogoutFilter@1c5b828'
6232 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.U sernamePasswordAuthenticationFilter@1bd8993'
6232 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.www.BasicAuthenticationFilter@934c3b'
6232 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.Req uestCacheAwareFilter@71dfd7'
6282 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.savedrequest.Defa ultSavedRequest - pathInfo: arg1=/web/_zv2011083110/js/zul.lang.wpd; arg2=null (property not equals)
6282 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.savedrequest.Http SessionRequestCache - saved request doesn't match
6282 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.Secur ityContextHolderAwareRequestFilter@1ebf5c'
6334 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.A nonymousAuthenticationFilter@153d05b'
6335 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.authentication.An onymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.Anony mousAuthenticationToken@6fa90ed4: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.We bAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 5E561E9D9CF742C335447DCA2CE37B3C; Granted Authorities: ROLE_ANONYMOUS'
6382 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionM anagementFilter@194363b'
6382 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.Exception TranslationFilter@17470d0'
6382 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /index.zul at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept .FilterSecurityInterceptor@19a8942'
6432 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.access.expression .ExpressionBasedFilterInvocationSecurityMetadataSo urce - Converted URL to lowercase, from: '/index.zul'; to: '/index.zul'
6432 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.access.expression .ExpressionBasedFilterInvocationSecurityMetadataSo urce - Candidate is: '/index.zul'; pattern is /manejousuario/**; matched=false
6432 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.access.expression .ExpressionBasedFilterInvocationSecurityMetadataSo urce - Candidate is: '/index.zul'; pattern is /**; matched=true
6482 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.access.intercept. FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /index.zul; Attributes: [hasRole('ROLE_USER')]
6482 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.access.intercept. FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.Anonym ousAuthenticationToken@6fa90ed4: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.We bAuthenticationDetails@fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 5E561E9D9CF742C335447DCA2CE37B3C; Granted Authorities: ROLE_ANONYMOUS
6596 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.access.vote.Affirmati veBased - Voter: org.springframework.security.web.access.expression .WebExpressionVoter@17b650a, returned: -1
6598 ["http-bio-8084"-exec-5] DEBUG org.springframework.security.web.access.ExceptionT ranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedEx ception: Access is denied

i dont know what means but i can see a error "org.springframework.security.access.AccessDeniedE xception: Access is denied" and dont display loggin page, just stay in processing zk message

[Rob Winch]

Please post the logs for the entire problem (i.e. starting from when the user logs in the first time and ending when they try to login the second time).