Results 1 to 2 of 2

Thread: BadCredentialsException after migrating to Spring Security 3.1

  1. Mar 24th, 2012, 02:32 AM #1
    darshan.shroff
    darshan.shroff is offline Junior Member
    Join Date
    Aug 2010
    Posts
    12

    Default BadCredentialsException after migrating to Spring Security 3.1

    I have recently upgraded to spring-security-xxx-3.1.0 from 3.0.5.
    In 3.0.5, i was using filters=none tag in the intercept-url tag for unprotecting urls.
    Since it is not availible now in 3.1, i had to modify my security config xml to look as below :-
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
	
	<http pattern="/index.action*" security="none"> </http>
	<http pattern="/index.jsp" security="none"> </http>
	<http pattern="/jsp/login.jsp" security="none"> </http>
	<http pattern="/css/*" security="none"> </http>
	<http pattern="/js/*" security="none"> </http>
	<http pattern="/forgotPassword.action*" security="none"> </http>
	<http pattern="/registerUser.action" security="none"> </http>

	<http auto-config='true' use-expressions="true"  >
		<intercept-url pattern="/*.action" access="isAuthenticated()" />
		
		<form-login login-page="/jsp/login.jsp" authentication-failure-url="/jsp/login.jsp?login_error=1" 
		authentication-success-handler-ref="xyzLoginSuccessHandler"  />
		<logout logout-success-url="/jsp/login.jsp"  />
	</http>
 	
	<authentication-manager>
		<authentication-provider user-service-ref="xyzUserDetailsService" />
	</authentication-manager>

</beans:beans>
    At app startup, the login page shows up. User Enters details. Login is successful. home.action is displayed.
    I try browsing in the application, trying any other secured xyz.action. The application logs out automatically, with login page being shown.

    The error stack trace i get from Spring is as below :-
    Code:
    [24/03/12 12:52:54] DEBUG Authentication failed: no credentials provided
[24/03/12 12:52:54] DEBUG Authentication failed: no credentials provided
[24/03/12 12:52:54] DEBUG Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.BadCredentialsException: Bad credentials
	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:58)
	at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:149)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:304)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:201)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[24/03/12 12:52:54] DEBUG DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/company/xyz.action]
[24/03/12 12:52:54] DEBUG Calling Authentication entry point.
[24/03/12 12:52:54] DEBUG Redirecting to 'http://localhost:8080/company/jsp/login.jsp'
[24/03/12 12:52:54] DEBUG SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    Any pointers as to what i am doing wrong. ?
    Not much help available on the web for 3.1. I am thinking of going back to 3.0.5.

    Regards,
    Darshan Shroff
    http://in.linkedin.com/in/darshanshroff
    Reply With Quote Reply With Quote
  2. Mar 25th, 2012, 02:15 PM #2
    weedobooty
    weedobooty is offline Junior Member
    Join Date
    Oct 2011
    Posts
    27

    Default

    Hello Darshan.

    I reviewed your post at your request to see if it was related to an other post i made a while ago. I am sorry, but this is not the same problem that i had. I am not an expert at this, but my understanding is that filters="none" should be replaced by access="IS_AUTHENTICATED_ANONYMOUSLY". I may even be wrong, but you might consider giving it a try.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules