SPRING SECURITY displaying 'Bad Credentials' error on the login page

[marcKun]

Hello guys,

I am relatively new to SPRING framework and SPRING - Security. I tried to implement my own tiny web application using SPRING - Security. As far as I can remember I have tried using SPRING Security before (I dont know what version) and the web application is correct, at least on the security side.

Now, I tried to recreate it using SPRING SECURITY 2.0.4 release. The security is functioning correctly, except for one, whenever I tried to access the web application using 'Bad Credential' (eg: blank or non-existent username and password), the error is not displayed on the login page. What happened is the page is merely redirected to 'index.jsp?error=true' which is correct. (index.jsp is my login page).

Below is my index.jsp.

PHP Code:

<%@ include file="/common/taglib.jsp"%>
  
<html>  
  <head>  
    <title>Goldenway International INC: Login</title>  
  </head> 
  <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/general_theme.css'/>" />
  <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/header.css'/>" />
  <link rel="stylesheet" type="text/css" media="all" href="<c:url value='/css/login.css'/>" />
 <body>
 
     <!-- HEADER IMAGE -->
    <div id="headercomponents">
        <img id="header-image" src="<c:url value='/img/header.jpg'/>"/>
    </div>

    <!-- ERROR MESSAGE IF ANY -->
    <c:if test="${param.error != null}">
        <div id="error">  
            Your login attempt was not successful, try again.<br/> 
            Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.  
        </div>  
    </c:if>  
      <div id="login">
    <form name="f" action="<c:url value='j_spring_security_check'/>" method="POST">  
      <table>  
        <tr><td>User:</td><td><input type='text' name='j_username' style="width: 100%;" value='<c:if test="${not empty param.error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/></td></tr>  
        <tr><td>Password:</td><td><input type='password' name='j_password' style="width: 100%;"></td></tr>  
        <tr><td colspan="2"><input type="checkbox" name="_spring_security_remember_me"> &nbsp; &nbsp; Don't ask for my password for two weeks</td></tr>  
  
        <tr><td colspan="2" style="text-align: center;"><input name="submit" type="submit" value="Submit">  &nbsp; &nbsp; <input name="reset" type="reset"></td></tr>  
      </table>  
    </form>
    </div>
  </body>  
</html> 


Here is my security.xml:

PHP Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
              
  <http auto-config="true" session-fixation-protection="none" access-decision-manager-ref="accessDecisionManager"
   access-denied-page="/accessDenied.jsp" >
     <!-- <intercept-url pattern="/index.jsp" access="ANONYMOUS" /> -->
     <intercept-url pattern="/jsp/*.htm" access="USER,ADMIN,SUPER"/>
     <intercept-url pattern="/jsp/admin/*.htm" access="ADMIN,SUPER" />
     <intercept-url pattern="/jsp/secured/*.htm" access="SUPER" />
     <form-login authentication-failure-url="/index.jsp?error=true"
     login-page="/index.jsp" login-processing-url="/j_spring_security_check" default-target-url="/jsp/home.jsp" />
     <logout invalidate-session="true" logout-url="/j_spring_security_logout" logout-success-url="/index.jsp" />
     <remember-me token-validity-seconds="604800" data-source-ref="dataSource" />
  </http>
  
  <authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" 
      users-by-username-query="select username, password, enable from EMPLOYEE where username = ? " 
      authorities-by-username-query="select username, role from EMPLOYEE where username = ? " />
  </authentication-provider>
         
  <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased" >
    <beans:property name="decisionVoters">
      <beans:bean class="org.springframework.security.vote.RoleVoter">
        <beans:property name="rolePrefix" value=""/>
        </beans:bean>
    </beans:property>
  </beans:bean>               
</beans:beans>

My applicationContext.xml

PHP Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
            http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd">

  <!-- dataSource for SPRING-SECURITY -->
  <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" >
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" 
      value="jdbc:mysql://localhost/goldenway_employee?createDatabaseIfNotExist=true&amp;useUnicode=true&amp;characterEncoding=utf-8" />
    <property name="username" value="root" />
    <property name="password" value="root" />
    <property name="maxActive" value="1000" />
    <property name="maxWait" value="1000" />
    <property name="maxIdle" value="50" />
    <property name="poolPreparedStatements" value="true" />
    <property name="defaultAutoCommit" value="true" />
    <property name="timeBetweenEvictionRunsMillis" value="1800000" />
    <property name="validationQuery" value="select 1 from dual" />
  </bean>

</beans>

and my web.xml:

PHP Code:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" 
    xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      WEB-INF/applicationContext.xml
      WEB-INF/security.xml
    </param-value>
  </context-param>
  
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Well that's pretty much my web application environment setup. I used Tomcat 5.5, SPRING SECURITY 2.0.4, MySQL 5, and tell me what more you want...

Please guys, this is just my personal project but I cant be at ease if I cant solve this one. I know I just forgot to do something.. Please guys enligthen me..

I also have checked this post:

http://forum.springsource.org/showthread.php?p=249968

For some reason, the console log stated here is similar to what I've got, the HttpSession returned null object for SPRING_SECURITY_CONTEXT.. Maybe this is related.. or not..

thanks guys.

-marckun

[marcKun]

Hello guys,

any feedback please??

as i've said earlier, the page is merely redirected to index.jsp?error=true page but the error messages are not displayed on the index.jsp error page, on index.jsp i have this part:

PHP Code:

//my header.jsp here

<c:if test="${param.error != null}">
        <div id="error">  
            Your login attempt was not successful, try again.<br/> 
            Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.  
        </div>  
</c:if>  

//the login form div is here 


and in the login form, in the username and password textbox i have these:

PHP Code:


//form declaration here

<tr>
  <td>User:</td>
  <td>
     <input 
        type='text' 
        name='j_username' 
        style="width: 100%;" 
        value='<c:if test="${not empty param.error}">
            <c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>'/>
  </td>
</tr>  
<tr>
  <td>Password:</td>
  <td><input type='password' name='j_password' style="width: 100%;"></td>
</tr>

//form button and end tag here 


as you can see, in my textfields, I have tried to not clear the field if ever there is an error, but the fields are cleared..

Might you have any idea regarding what's happening?

thanks really..

-marckun

[mpr]

Hi marckun,

in my trial application I can only reproduce your problem when I do not allow a session to be created.

In this case I see the text "Your login attempt ..." after an unsuccessful login, but not the reason and the last entered username because there is no session to store SPRING_SECURITY_LAST_EXCEPTION.

You have published your index.jsp, but it also includes the file /common/taglib.jsp.
Do you use

Code:

%@ page session="false" %>

in this file ?
This could explain your problem.

Martin

[marcKun]

Hi marckun,

in my trial application I can only reproduce your problem when I do not allow a session to be created.

In this case I see the text "Your login attempt ..." after an unsuccessful login, but not the reason and the last entered username because there is no session to store SPRING_SECURITY_LAST_EXCEPTION.

You have published your index.jsp, but it also includes the file /common/taglib.jsp.
Do you use

Code:

%@ page session="false" %>

in this file ?
This could explain your problem.

Martin

Hello,

This is my taglib.jsp. I didnt put <%@ page session = "false" %> in it.

PHP Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" errorPage="/404.jsp" %>
<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %>

<c:set var="ctx" value="${pageContext.request.contextPath}"/> 


In my console I have these logs:

PHP Code:

09:16:34,140 DEBUG XmlWebApplicationContext:272 - Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@f39b3a]: org.springframework.security.event.authentication.AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.providers.UsernamePasswordAuthenticationToken@c147d212: Principal: sdfsfsdf; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F14EF0C8A055A47432621FC5302D636F; Not granted any authorities]
09:16:34,141 DEBUG AuthenticationProcessingFilter:405 - Updated SecurityContextHolder to contain null Authentication
09:16:34,142 DEBUG AuthenticationProcessingFilter:411 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
09:16:34,143 DEBUG PersistentTokenBasedRememberMeServices:187 - Interactive login attempt was unsuccessful.
09:16:34,143 DEBUG PersistentTokenBasedRememberMeServices:273 - Cancelling cookie
09:16:34,145 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed
09:16:34,149 DEBUG FilterChainProxy:205 - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
09:16:34,149 DEBUG FilterChainProxy:212 - Candidate is: '/index.jsp'; pattern is /index.jsp; matched=true
09:16:34,149 DEBUG FilterChainProxy:165 -  has an empty filter list
09:16:34,149 DEBUG JspServlet:248 - JspEngine --> /index.jsp
09:16:34,150 DEBUG JspServlet:249 -          ServletPath: /index.jsp
09:16:34,150 DEBUG JspServlet:250 -             PathInfo: null
09:16:34,150 DEBUG JspServlet:251 -             RealPath: C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\project\index.jsp
09:16:34,150 DEBUG JspServlet:252 -           RequestURI: /project/index.jsp
09:16:34,150 DEBUG JspServlet:253 -          QueryString: error=true
09:16:34,150 DEBUG JspServlet:254 -       Request Params: 
09:16:34,151 DEBUG JspServlet:258 -          error = true
09:17:21,441 DEBUG ManagerBase:677 - Start expire sessions StandardManager at 1247534241441 sessioncount 1
09:17:21,441 DEBUG ManagerBase:685 - End expire sessions StandardManager processingTime 0 expired sessions: 0
09:18:21,468 DEBUG ManagerBase:677 - Start expire sessions StandardManager at 1247534301468 sessioncount 1
09:18:21,469 DEBUG ManagerBase:685 - End expire sessions StandardManager processingTime 1 expired sessions: 0 


09:16:34,140 DEBUG XmlWebApplicationContext:272 - Publishing event in context [org.springframework.web.context.support.XmlWebAppl icationContext@f39b3a]: org.springframework.security.event.authentication. AuthenticationFailureBadCredentialsEvent[source=org.springframework.security.providers.User namePasswordAuthenticationToken@c147d212: Principal: sdfsfsdf; Password: [PROTECTED]; Authenticated: false; Details: org.springframework.security.ui.WebAuthenticationD etails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F14EF0C8A055A47432621FC5302D636F; Not granted any authorities]
09:16:34,141 DEBUG AuthenticationProcessingFilter:405 - Updated SecurityContextHolder to contain null Authentication
09:16:34,142 DEBUG AuthenticationProcessingFilter:411 - Authentication request failed: org.springframework.security.BadCredentialsExceptio n: Bad credentials
09:16:34,143 DEBUG PersistentTokenBasedRememberMeServices:187 - Interactive login attempt was unsuccessful.
09:16:34,143 DEBUG PersistentTokenBasedRememberMeServices:273 - Cancelling cookie
09:16:34,145 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed

ohh and btw. i tried to put <c:out value="${param.error}" /> and <c:out value="${params.error}" /> to print the parameter of index.jsp?error=true in the page. all i get is the string "param.error" and "params.error" printed on the screen, not the value of "error" which is "true". I dont know if i am doing it right..

-marckun

[marcKun]

OK guys, iv been trying to solve this issue for ages already, iv recreated projects 6 times and configure spring security ground up 6 times already, and still i have the same behaviour.. even the project which i have created before doesn't seem to work already. the only difference with it to the previous set up is that the previous set-up i used tomcat 6, and now i am using tomcat 5. i dont know if spring security has issues with tomcat 5, but my project app works with tomcat 6. hmmm but i really can not tell since i am new to this framework..

will anyways, what i did is instead of:

PHP Code:

.............
<c:if test="${param.error != null}" >
Error: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</c:if>
............. 


i did this

PHP Code:

............
<% if(request.getParameter(error) != null) { %>
Error: Invalid username - password.
<% } %>
............ 


i know this is not optimal, but since my spring security detects a valid login credential against a not valid login credential (the only problem is that i cant seem to display the SPRING_SECURITY_LAST_EXCEPTION.message, and strangely enough <c:if text="${param.error !=null}" /> doesnt do anything, and <c:out value="${error}" /> doesnt print the value of parameter error but the "error" string itself) i can at least do this.

if you find out something guys will u mind posting me a reply??

thanks

-marckun

[mpr]

i tried to put <c:out value="${param.error}" /> and <c:out value="${params.error}" /> to print the parameter of index.jsp?error=true in the page. all i get is the string "param.error" and "params.error" printed on the screen, not the value of "error" which is "true".

It seems that your Expression Language ist not working and you are using the URL

Code:

<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>

which is used for the scriptlet-based variant of JSTL 1.0. As far as I know this library does not allow the Expression Language inside a Tag.

Please try to replace the JSTL 1.0 library with the JSTL 1.2 library which is using the URL

Code:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

Martin

[marcKun]

It seems that your Expression Language ist not working and you are using the URL

Code:

<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>

which is used for the scriptlet-based variant of JSTL 1.0. As far as I know this library does not allow the Expression Language inside a Tag.

Please try to replace the JSTL 1.0 library with the JSTL 1.2 library which is using the URL

Code:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

Martin

Yeah, i already tried that one. But the same behaviour: <c:out value="${error}" /> prints the "error" string, not the value of error parameter in index.jsp?error=true or index.jsp?error=1

-marckun

[mpr]

Yeah, i already tried that one. But the same behaviour:

Did you also change the library files ? Or in other words, are you sure that your project is using the tag library 1.2 ?

Martin