Error setting form-login

**liviass** · Jul 14th, 2011, 02:14 PM

Hi, I've just got the book I order (Packt's Spring Security 3) and can't wai to test what I'm learning.

I did the basic example the book ilustrate on chapter 2, but now I want to customize my login page. Even though it looks simple (just create a login.jsp page and configure it using <form-login>) it keeps sending a really weird error:

Code:

Jul 14, 2011 3:59:55 PM org.springframework.web.context.ContextLoader initWebApplicationContext
SEVERE: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init method failed; nested exception is java.lang.IllegalStateException: MessageSource not initialized - call 'refresh' before accessing messages via the context: Root WebApplicationContext: startup date [Thu Jul 14 15:59:54 BRT 2011]; root of context hierarchy

I really don't know what it is about, but here's the applicationContext-security.xml I'm using:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
						http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security 
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	<debug />
	<http auto-config="true">
		<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=invalido"/>
		<intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
		<intercept-url pattern="/*" access="ROLE_USER" />
	</http>
	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="admin" password="admin" authorities="ROLE_USER,ROLE_ADMIN" />
				<user name="teste" password="teste" authorities="ROLE_USER" />
			</user-service>
		</authentication-provider>
	</authentication-manager>
</beans:beans>

Thanks anyway.

**Luke Taylor** · Jul 14th, 2011, 03:07 PM

I have never seen this error before and I doubt if it has anything to do with setting a custom login page. Are you saying that it works if you don't?

I would use one of the sample applications as a starting point to make sure you don't have some odd classpath issue going on. Also, make sure you have debug logging enabled in your app.

**liviass** · Jul 14th, 2011, 03:16 PM

Hi Luke

Originally Posted by Luke Taylor

I have never seen this error before and I doubt if it has anything to do with setting a custom login page. Are you saying that it works if you don't?

It works just fine when I take the <form-login> line!

Originally Posted by Luke Taylor

I would use one of the sample applications as a starting point to make sure you don't have some odd classpath issue going on. Also, make sure you have debug logging enabled in your app.

I'm not sure if it has something to do with spring versions, but here are the jars I'm using:

commons-codec-1.4.jar
commons-logging-1.1.1.jar
spring-aop-3.0.5.RELEASE.jar
spring-asm-3.0.5.RELEASE.jar
spring-beans-3.0.5.RELEASE.jar
spring-context-3.0.5.RELEASE.jar
spring-context-support-3.0.5.RELEASE.jar
spring-core-3.0.5.RELEASE.jar
spring-expression-3.0.5.RELEASE.jar
spring-security-config-3.1.0.RC2.jar
spring-security-core-3.1.0.RC2.jar
spring-security-taglibs-3.1.0.RC2.jar
spring-security-web-3.1.0.RC2.jar
spring-web-3.0.5.RELEASE.jar

Thanks.

**Rob Winch** · Jul 18th, 2011, 08:24 AM

Have you enabled debugging and looked at the logs? What do the logs say? If that doesn't help try posting the logs with the code tags (i.e. # button).

**chavocarlos** · Sep 9th, 2011, 08:43 AM

@liviass

Hi, I have the same error, Do your have resolved?

Regards.

CDS

**Aliaksandr** · Dec 29th, 2011, 12:42 PM

@Luke Taylor.
Hi. I found the reason for this error (probably, this is either configuration issue, or more realistically springframework/spring security issue).
Here is the stack trace (only the cause classes are included):

...
at org.springframework.context.support.AbstractApplic ationContext.getMessageSource(AbstractApplicationC ontext.java:1224)
at org.springframework.context.support.AbstractApplic ationContext.getMessage(AbstractApplicationContext .java:1206)
at org.springframework.context.support.MessageSourceA ccessor.getMessage(MessageSourceAccessor.java:83)
at org.springframework.security.access.vote.Affirmati veBased.decide(AffirmativeBased.java:83)
at org.springframework.security.config.http.DefaultFi lterChainValidator.checkLoginPageIsntProtected(DefaultFilterChainValidator.java:170)
at org.springframework.security.config.http.DefaultFi lterChainValidator.validate(DefaultFilterChainValidator.java:35)
at org.springframework.security.web.FilterChainProxy. afterPropertiesSet(FilterChainProxy.java:148)
...

The reason for this is the following:
1. /signin URL is protected, so DefaultFilterChainValidator.checkLoginPageIsntProt ected() is failed, and
2. AffirmativeBased.decide() tries to throw the exception:

...
if (deny > 0) {
throw new AccessDeniedException(messages.getMessage("Abstrac tAccessDecisionManager.accessDenied",
"Access is denied"));
}
...

3. Here message is extracted, and SpringSecurityMessageSource class is used for this purpose:

public class SpringSecurityMessageSource extends ResourceBundleMessageSource {

public SpringSecurityMessageSource() {
setBasename("org.springframework.security.messages ");
}

public static MessageSourceAccessor getAccessor() {
return new MessageSourceAccessor(new SpringSecurityMessageSource());
}
}

And actually if AbstractAccessDecisionManager didn't implement MessageSourceAware everything should work, because (see the attached screenshot), by unknown reason XmlWebApplicationContext is trying to rewrite the valid initialized MessageSourceAccessor (again see the screenshot) (yes, XmlWebApplicationContext implements MessageSource actually), but this behavior is weird (or do I miss something?).
4. And, of course, after this initialization messageSource is null, and the required message can't be retrieved.

This specific issue can be fixed by providing access (permitAll) to /signin (what really must be done), but this is not case, the case is how to fix this, that in the case of the error I could see the detailed message, and org.springframework.security.message would be used and not overridden.

And final notes, <debug/> is used, just if you are interested, and use spring security 3.1.0.RELEASE together with spring framework 3.1.0.RELEASE.
Here is link on the stackoverlow (screenshot is more viewable there http://stackoverflow.com/questions/8...fore-accessing)
SpringSecurity MessageResource.jpg
Thank you.

**Aliaksandr** · Jan 3rd, 2012, 03:19 PM

Probably this is because of the <debug/> usage too. See https://jira.springsource.org/browse/SEC-1885.

**jbbarquero** · Jan 19th, 2012, 11:01 AM

Thanks for the POST, you saved me from a lot of investigation.

Thread: Error setting form-login

Thread Tools

Display

Error setting form-login

I know the reason, but I don't know how to fix

Tags for this Thread

Posting Permissions