
Thread: Login success after a login failure causes strange behaviour

  1. #1
    Join Date
    Jun 2012
    Posts
    10

    Login success after a login failure causes strange behaviour

    I've 99% completed setting up basic security for my MVC web app using Spring Security but I'm getting some very strange behaviour from my login form.

    When the login page first loads, I enter valid details and the user is successfully authenticated and redirected to the home page. If, however, I enter incorrect details, the login page reloads but without any error message notifying the user of an incorrect password. If I then provide valid details, the user authenticates but is then shown the login failure page instead of the home page. I can see from my stack traces that the security authenticates users at the correct time, but I don't seem to get error messages at the appropriate time.

    I've included the Controller, Login view and stack trace which shows an unsuccessful attempt followed by a successful one.

    Code:
    @Controller
    @RequestMapping("/")
    public class SecurityController
    {
    	@RequestMapping("/Login")
    	public String login(Model model, @RequestParam(required=false) String message)
    	{
    		model.addAttribute("message", message);
    		model.addAttribute(new Login());
    		return "login";
    	}
    
    	@RequestMapping(value = "/Denied")
     	public String denied()
    	{
    		return "denied";
    	}
    
    	@RequestMapping(value = "/Login/Failure")
     	public String loginFailure()
    	{
    		String message = "Login Failure!";
    		
    		System.out.println(message);
    		
    		return "redirect:/Login?message="+message;
    	}
    
    	@RequestMapping(value = "/Logout/Success")
     	public String logoutSuccess()
    	{
    		String message = "Logout Success!";
    		
    		System.out.println(message);
    		
    		return "redirect:Home";
    	}
    }
    HTML Code:
    <div id="enter">
    		<!-- <h1><a href="Home">Get<br />Started</a></h1> -->
    		<form class="login-form" action="j_spring_security_check" method="post" >
    		<fieldset>
    			<p>
    			<label for="j_username">Username</label>
    			<input id="j_username" name="j_username" size="20" maxlength="50" type="text"/>
    			</p>
    			<p>
    			<label for="j_password">Password</label>
    			<input id="j_password" name="j_password" size="20" maxlength="50" type="password"/>
    			</p>
    			<p><input type="submit" value="Login"/></p>
    		</fieldset>
    	</form>
    	<!-- The message comes straight from the ?message= query parameter, so it is written
    	     through c:out (JSTL core taglib) to HTML-escape it rather than as a raw ${message} -->
    	<p class="message"><c:out value="${message}"/></p>
    	</div>

  2. #2
    Join Date
    Jun 2012
    Posts
    10


    After Unsuccessful Login


    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/resources/**'
    DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@49feaa3f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49feaa3f: Principal: org.springframework.security.core.userdetails.User@de3a80f: Username: JohnDoe; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0172DA70AB90A82F586D2BA495B95CB1; Granted Authorities: ROLE_USER'
    DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
    DEBUG: org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
    JohnDoe
    [ROLE_USER]
    [ROLE_USER]
    DEBUG: org.springframework.security.authentication.dao.DaoAuthenticationProvider - Authentication failed: password does not match stored value
    DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
    DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
    DEBUG: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4349e631
    DEBUG: org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - Redirecting to /Login/Failure
    DEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/CuttingEdge/Login/Failure'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/login/failure'; against '/resources/**'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@21c71508. A new one will be created.
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 61B713EBCCB94261161506802889C28D; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login/Failure at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/login/failure'; against '/login'
    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/login/failure'; against '/logout'
    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/login/failure'; against '/denied'
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /Login/Failure; Attributes: [hasRole('ROLE_USER')]
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 61B713EBCCB94261161506802889C28D; Granted Authorities: ROLE_ANONYMOUS
    DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@21e3cc77, returned: -1
    DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at

  3. #3
    Join Date
    Jun 2012
    Posts
    10


    Second half of stack trace


    org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter...lter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:174)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    DEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/CuttingEdge/Login/Failure]
    DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
    DEBUG: org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://localhost:8080/CuttingEdge/Login'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/login'; against '/resources/**'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@21c71508. A new one will be created.
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
    DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
    DEBUG: org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/CuttingEdge/Login/Failure; arg2=/CuttingEdge/Login (property not equals)
    DEBUG: org.springframework.security.web.savedrequest.HttpSessionRequestCache - saved request doesn't match
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 61B713EBCCB94261161506802889C28D; Granted Authorities: ROLE_ANONYMOUS'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/login'; against '/login'
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /Login; Attributes: [permitAll]
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa843a8: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd3270: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 61B713EBCCB94261161506802889C28D; Granted Authorities: ROLE_ANONYMOUS
    DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@21e3cc77, returned: 1
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
    DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
    DEBUG: org.springframework.security.web.FilterChainProxy - /Login reached end of additional filter chain; proceeding with original chain
    DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

  4. #4
    Join Date
    Jan 2008
    Posts
    1,833


    I'm guessing you need to allow anonymous access to "/Login/Failure"
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
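
    The log in posts #2 and #3 shows why the suggestion above works: the failure handler redirects to /Login/Failure, the FilterSecurityInterceptor finds that URL secured with hasRole('ROLE_USER'), the anonymous user is denied, ExceptionTranslationFilter saves /Login/Failure in the request cache and sends the browser to /Login. The next successful login then replays that saved request, which is why the failure page appears after a correct password. The fragment below is an added example, not the original poster's configuration or anything from the Spring Security project: a Spring Security 3.1 XML namespace configuration assumed to resemble the thread's setup, with the URLs /Login, /Login/Failure, /Logout/Success, /Denied and the /resources/** pattern taken from the thread and every other value (version, /Home target, the authentication-manager) assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumed configuration, not the thread's own file): opens the
     failure redirect target to anonymous users so the failure redirect is no
     longer denied and cached by ExceptionTranslationFilter. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- use-expressions="true" matches the permitAll / hasRole('ROLE_USER')
         attributes visible in the thread's log. -->
    <http auto-config="true" use-expressions="true">

        <!-- Pages an unauthenticated browser must be able to reach. Each one is
             listed explicitly and placed before the catch-all rule, because the
             first matching intercept-url wins. -->
        <intercept-url pattern="/resources/**"    access="permitAll" />
        <intercept-url pattern="/Login"           access="permitAll" />
        <!-- This is the rule the thread was missing. Without it the failure
             redirect is denied, saved as a DefaultSavedRequest and replayed
             after the next successful login. -->
        <intercept-url pattern="/Login/Failure"   access="permitAll" />
        <intercept-url pattern="/Logout/Success"  access="permitAll" />
        <intercept-url pattern="/Denied"          access="permitAll" />

        <!-- Everything else stays closed to anonymous users. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <!-- The failure URL here is the one the controller in post #1 serves;
             default-target-url="/Home" is an assumed value. -->
        <form-login login-page="/Login"
                    authentication-failure-url="/Login/Failure"
                    default-target-url="/Home" />
        <logout logout-success-url="/Logout/Success" />
        <access-denied-handler error-page="/Denied" />
    </http>

    <!-- Assumed placeholder: the real application wires its own UserDetailsService
         or JDBC user table here. -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

</beans:beans>
```

    A quick check after the change is to repeat the sequence from post #1 with DEBUG logging on: the line for /Login/Failure should now read "Attributes: [permitAll]" with a voter result of 1, and no "DefaultSavedRequest added to Session" line should follow it. The same reasoning applies to any page a redirect can land on before authentication has succeeded (the logout-success page, the access-denied page): if one of them is only reachable with ROLE_USER, the request cache will quietly turn it into the post-login landing page.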

  5. #5
    Join Date
    Jun 2012
    Posts
    10


    Fixed! It's so frustrating when hours of hunting are fixed by something so simple, but such is the life of a programmer.

    Thanks
