
Thread: UserName becoming empty before searching in Spring security 3.1 : Please Help


  1. #1

    Smile [Solved]UserName becoming empty before searching in Spring security 3.1 : Please Help

    Hello Friends,

    Merry Xmas.

    A few years ago I developed and implemented a Flex-Spring-MyBatis-Firebird application with
    an old Spring release. Now I am developing a new project and have decided to use the Spring 3.1 release. I copied
    the config files from the old application and tuned them for Spring 3.1. Since it is an early stage of the project,
    I am trying to test security on only a few JSP pages with in-memory authentication. The security config
    and a partial log are below.

    When I try to log in with any user name and password, a Bad Credentials error is thrown. When I try to
    access secured pages I am taken to the login page, which is as expected. I enabled debug logging
    and noted that when the user is looked up, an empty string is being checked against the in-memory list.

    Can somebody help me in this situation ?

    Thanks and warm regards.

    Raja

    the security xml file

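    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Spring Security 3.1 namespace configuration: URL rules, form login, session
      management and an in-memory user store used for early testing.
    -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

      <!--
        security="none" removes the whole filter chain for the pattern: no
        SecurityContext, no session handling, no access checks. Keep this list to
        the login page and static assets. /WEB-Plain/** and /images/** are
        wildcards, so everything placed under them is served unauthenticated.
      -->
      <security:http pattern="/index.jsp" security="none"/>
      <security:http pattern="/pngfix.htc" security="none"/>
      <security:http pattern="/Tej-EIS.css" security="none"/>
      <security:http pattern="/trans.gif" security="none"/>
      <security:http pattern="/images/**" security="none"/>
      <security:http pattern="/WEB-Plain/**" security="none"/>
      <security:http pattern="/TEJSYMB-3.png" security="none"/>

      <security:http access-decision-manager-ref="accessDecisionManagerRoleBased"
                     access-denied-page="/index.jsp?access_denied=1">

        <!--
          intercept-url rules are evaluated in declaration order and the first
          match wins. ROLE_ANONYMOUS is the bottom of the role hierarchy defined
          below, so the message broker endpoint is reachable without logging in.
          NOTE(review): presumably the Flex message broker enforces its own
          destination security; confirm.
        -->
        <security:intercept-url pattern="/spring/messagebroker/**" access="ROLE_ANONYMOUS"/>

        <!-- The final /** rule keeps the default closed: any URL not listed above needs a login. -->
        <security:intercept-url pattern="/WEB-Flex/**" access="ROLE_AUTHENTICATED"/>
        <security:intercept-url pattern="/utility/**" access="ROLE_AUTHENTICATED"/>
        <security:intercept-url pattern="/temp/**" access="ROLE_AUTHENTICATED"/>
        <security:intercept-url pattern="/reports/**" access="ROLE_AUTHENTICATED"/>
        <security:intercept-url pattern="/**" access="ROLE_AUTHENTICATED"/>

        <security:form-login login-page="/index.jsp?do_login=1"
                             default-target-url="/index.jsp?login_success=1"
                             authentication-failure-url="/index.jsp?login_error=1"/>

        <security:logout logout-success-url="/index.jsp?logged_out=1" invalidate-session="true"/>

        <!--
          max-sessions="100" sets the per-user limit so high that concurrency
          control will rarely trigger. Tracking session expiry through the registry
          also needs HttpSessionEventPublisher registered as a listener in web.xml
          (web.xml is not shown in the post).
        -->
        <security:session-management invalid-session-url="/index.jsp?invalid_session=1"
                                     session-fixation-protection="migrateSession">
          <security:concurrency-control max-sessions="100"
                                        error-if-maximum-exceeded="true"
                                        expired-url="/index.jsp?session_expired=1"
                                        session-registry-ref="sessionRegistry"/>
        </security:session-management>

      </security:http>

      <bean id="sessionRegistry"
            class="org.springframework.security.core.session.SessionRegistryImpl"/>

      <alias name="roleHierarchyVoter" alias="customAccessVoter"/>
      <alias name="inMemoryuserDetailsService" alias="customUserDetailsService"/>

      <!--
        Test-only user store: passwords are stored and compared as plain text and
        every account, including ROLE_OWNER, shares the password "test". Replace
        with hashed passwords and per-environment credentials before this
        configuration leaves a developer machine.
      -->
      <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
          <security:password-encoder hash="plaintext"/>
          <security:user-service id="inMemoryuserDetailsService">
            <security:user name="owner" password="test" authorities="ROLE_OWNER" disabled="false"/>
            <security:user name="ceo" password="test" authorities="ROLE_CEO" disabled="false"/>
            <security:user name="srmgr" password="test" authorities="ROLE_SR_MGR" disabled="false"/>
            <security:user name="mgr" password="test" authorities="ROLE_MGR" disabled="false"/>
            <security:user name="opr" password="test" authorities="ROLE_OPR" disabled="false"/>
            <security:user name="user" password="test" authorities="ROLE_USER" disabled="false"/>
          </security:user-service>
        </security:authentication-provider>
      </security:authentication-manager>

      <!-- Each line reads "higher role > role it includes"; ROLE_OWNER therefore includes every role below it. -->
      <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
          <value>
            ROLE_OWNER > ROLE_CEO
            ROLE_CEO > ROLE_SR_MGR
            ROLE_SR_MGR > ROLE_MGR
            ROLE_MGR > ROLE_OPR
            ROLE_OPR > ROLE_USER
            ROLE_USER > ROLE_AUTHENTICATED
            ROLE_AUTHENTICATED > ROLE_ANONYMOUS
          </value>
        </property>
      </bean>

      <bean id="roleHierarchyVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <constructor-arg ref="roleHierarchy"/>
      </bean>

      <!--
        allowIfAllAbstainDecisions="true" grants access when every voter abstains
        (the default is false). With a single role voter, an access attribute that
        voter does not support, for example one without the ROLE_ prefix, would be
        allowed rather than denied. Set it to false unless the open behaviour is
        intended.
      -->
      <bean id="accessDecisionManagerRoleBased"
            class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg name="decisionVoters">
          <list>
            <ref bean="roleHierarchyVoter"/>
          </list>
        </constructor-arg>
        <property name="allowIfAllAbstainDecisions" value="true"/>
      </bean>

      <!-- Same fail-open abstain setting as accessDecisionManagerRoleBased; customAccessVoter is an alias of roleHierarchyVoter. -->
      <bean id="accessDecisionManagerCustom"
            class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg name="decisionVoters">
          <list>
            <ref bean="customAccessVoter"/>
          </list>
        </constructor-arg>
        <property name="allowIfAllAbstainDecisions" value="true"/>
      </bean>

      <!-- Logs authentication events; this is the source of the WARN line for failed logins in the log below. -->
      <bean id="authLoggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

    </beans>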

    The Partial log

    09:55:39 355 DEBUG /j_spring_security_check at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
    09:55:39 355 DEBUG /j_spring_security_check at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    09:55:39 355 DEBUG HttpSession returned null object for SPRING_SECURITY_CONTEXT
    09:55:39 355 DEBUG No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@478dabf1. A new one will be created.
    09:55:39 358 DEBUG /j_spring_security_check at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'


    09:55:39 358 DEBUG /j_spring_security_check at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    09:55:39 359 DEBUG Request is to process authentication
    09:55:39 359 DEBUG Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    09:55:39 360 DEBUG User '' not found
    09:55:39 360 WARN Authentication event AuthenticationFailureBadCredentialsEvent: ; details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: D79E6639229F0FA1CDB8F4A1F8D6E101; exception: Bad credentials
    09:55:39 361 DEBUG Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials


    09:55:39 361 DEBUG Updated SecurityContextHolder to contain null Authentication
    09:55:39 361 DEBUG Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@2f1aa58b
    09:55:39 362 DEBUG Redirecting to /index.jsp?login_error=1
    09:55:39 363 DEBUG Redirecting to '/Tej-EIS-31/index.jsp?login_error=1'
    09:55:39 363 DEBUG SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

    Last edited by raja_s_patil; Dec 26th, 2011 at 01:05 AM.

  2. #2
    Join Date
    Oct 2011
    Posts
    25

    Default

    Can you also post the HTTP call that you are making? Perhaps your j_username setting is not correct?

  3. #3

    Default

    Thanks swang30,

    Surely, part of index.jsp related to login form is as below. However before posting I changed form method to "get" and the URL in browser was showing proper j_username and j_password parameters.

    The loginform

    <div id="wb_LoginForm" style="position:absolute;left:291px;top:218px;widt h:291px;height:129px;z-index:22;">
    <form name="LoginForm" method="post" action="<c:url value='/j_spring_security_check'/>" enctype="text/plain" id="LoginForm">
    <div id="wb_LoginText6" style="position:absolute;left:5px;top:11px;width:1 06px;height:18px;z-index:10;">
    <div style="position:absolute;left:0px;top:0px;width:10 6px;height:17px;"><span style="color:#0066FF;font-family:Tahoma;font-size:15px;"><strong>User Name</strong></span></div>
    </div>
    <div id="wb_LoginText5" style="position:absolute;left:5px;top:42px;width:1 06px;height:18px;z-index:11;">
    <div style="position:absolute;left:0px;top:0px;width:10 6px;height:17px;"><span style="color:#0066FF;font-family:Tahoma;font-size:15px;"><strong>Password</strong></span></div>
    </div>
    <div id="wb_LoginText7" style="position:absolute;left:10px;top:70px;width: 255px;height:14px;text-align:right;z-index:12;">
    <div style="position:absolute;left:0px;top:0px;width:25 5px;height:14px;"><span style="color:#0066FF;font-family:Tahoma;font-size:12px;"><strong>Remember Me (15 Days)</strong></span></div>
    </div>
    <input type="text" id="UserNameEditbox" style="position:absolute;left:114px;top:8px;width: 168px;height:20px;line-height:20px;z-index:13;" name="j_username" value="<c:if test='${not empty param.login_error}'> <c:out value='${SPRING_SECURITY_LAST_USERNAME}'/></c:if>" tabindex="1" title="User Name">
    <input type="password" id="PasswordEditbox" style="position:absolute;left:114px;top:39px;width :168px;height:19px;line-height:19px;z-index:14;" name="j_password" value="" tabindex="2" title="Password">
    <input type="checkbox" id="RememberMeCheckbox" name="_spring_security_remember_me" value="" style="position:absolute;left:268px;top:69px;z-index:15;" tabindex="3" title="Remember Me">
    <input type="submit" id="LoginButton" name="submit" value="Log In" class="buttons" style="position:absolute;left:114px;top:95px;width :77px;height:25px;z-index:16;" tabindex="4" title="Login Button">
    <input type="reset" id="ResetButton" name="reset" value="Reset" class="buttons" style="position:absolute;left:207px;top:95px;width :77px;height:25px;z-index:17;" tabindex="5" title="Reset Button">
    </form>
    </div>

  4. #4
    Join Date
    Oct 2011
    Posts
    25

    Default

    /j_spring_security_check expects a POST, is there any reason you need it to be a GET? Also, I meant the actual HTTP request, say through TCP mon or something similar...

  5. #5

    Default

    Thanks swang30,

    Quote Originally Posted by swang30 View Post
    /j_spring_security_check expects a POST, is there any reason you need it to be a GET? Also, I meant the actual HTTP request, say through TCP mon or something similar...
    well Since I was not able to use tcp mon in STS at that time. so as quick & dirty solution to check whether browser sends j_username & j_password parameters correctly, temporarily i changed form method to "get" and saw the url and immediately changed back to "post".
    if you check part of jsp above the form method is "post" only.

    Today I read about how to configure the TCP/IP monitor in Eclipse and got that working. The authentication request posts j_username=ceo, j_password=test and "Log In" as parameters to /j_security_check, so the browser is not at fault. But the debug log above shows "User '' not found" where I would expect "User 'ceo' not found", and this is the exact problem area.

    BTW can there be any mismatch in dependency jars ? here is list of files in lib folder.

    apache-log4j-extras-1.1.jar
    avalon-framework-4.1.3.jar
    backport-util-concurrent-3.1.jar
    cfgatewayadapter.jar
    cglib-nodep-2.2.2.jar
    commons-beanutils-1.8.3.jar
    commons-beanutils-bean-collections-1.8.3.jar
    commons-beanutils-core-1.8.3.jar
    commons-codec-1.6.jar
    commons-collections-3.2.1.jar
    commons-dbcp-1.4.jar
    commons-digester-1.7.jar
    commons-io-2.1.jar
    commons-lang-2.6.jar
    commons-logging-1.1.1.jar
    commons-logging-adapters-1.1.1.jar
    commons-logging-api-1.1.1.jar
    commons-math-2.2.jar
    commons-pool-1.5.6.jar
    com.springsource.org.antlr-3.1.3.jar
    com.springsource.org.aopalliance-1.0.0.jar
    concurrent-1.3.4.jar
    dom4j-1.6.1.jar
    dozer-5.3.2.jar
    ehcache-core-2.0.0.jar
    flex-messaging-common.jar
    flex-messaging-core.jar
    flex-messaging-opt.jar
    flex-messaging-proxy.jar
    flex-messaging-remoting.jar
    flex-rds-server.jar
    httpclient-4.1.jar
    httpclient-cache-4.1.jar
    httpcore-4.1.jar
    httpmime-4.1.jar
    iText-2.1.7.jar
    jackson-core-asl-1.9.2.jar
    jars.txt
    jasperreports-4.5.0.jar
    jasperreports-applet-4.5.0.jar
    jasperreports-fonts-4.5.0.jar
    jasperreports-javaflow-4.5.0.jar
    jaybird-full-2.1.6.jar
    jaybird-pool-2.1.6.jar
    joda-time-2.0.jar
    jstl-1.2.jar
    log4j-1.2.16.jar
    logkit-1.0.1.jar
    mybatis-3.0.6.jar
    mybatis-ehcache-1.0.0.jar
    mybatis-oscache-1.0.0.jar
    mybatis-spring-1.0.2.jar

    all jars from springframework 3.1.0 dist folder

    oscache-2.4.jar
    poi-3.7-20101029.jar
    rspUtils-17-Dec-2011.jar
    slf4j-api-1.6.4.jar
    slf4j-jcl-1.6.4.jar
    slf4j-jdk14-1.6.4.jar
    slf4j-log4j12-1.6.4.jar
    spring-flex-core-1.5.2.RELEASE.jar

    All jars from spring security 3.1.0 dist folder

    standard-1.1.2.jar
    xalan-2.7.1.jar

  6. #6

    Default

    Thanks swang30 for shifting my focus from xml to jsp,

    I have resolved the problem and authentication is running fine.

    The culprit was index.jsp form declaration.

    <form name="LoginForm" method="post" action="<c:url value='/j_spring_security_check'/>" enctype="text/plain" id="LoginForm">

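    The attribute enctype="text/plain" caused the POST request to be sent with each parameter on a separate line, like
    j_username=ceo
    j_password=test
    submit=Submit Query

    rather than the URL-encoded form that Spring Security expected:
    ....?j_username=ceo&j_password=test&submit=Submit+Query

    A text/plain body is not parsed into request parameters by the servlet container, so the login filter found no j_username parameter and looked up an empty user name, which is the "User '' not found" line in the log above.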

    I removed enctype="text/plain" from form definition and spring security started processing the login request as desired.

    Your suggestion to use TCP mon helped me in this regard; thanks a lot for that suggestion. It is a good addition to my knowledge about debugging HTTP request/response communication. It will be very useful in future application development.

    Thanks and warm regards

    Raja
