Configuration problem with simple login app

[override]

Hi all,

I am completely new to Spring and Spring Security, but I have to learn it for my bachelor thesis.
So far I have created a simple login application with a custom login page. When login is successful, a page with 2 frames should be displayed. Login seems to work, but I get 404 errors when the page should be displayed, saying that the 2 sub-pages (for the 2 frames) are not available (I have placed them in a sub folder "jsp" of WEB-INF, the strange thing is, if I place them directly into WebContent, it works)
Maybe someone could help me in configuring the .xml files properly, I think there is the mistake.

web.xml:

HTML Code:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	id="WebApp_ID" version="2.5">
	<display-name>Spring3MVC</display-name>
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
      /WEB-INF/applicationContext.xml
      /WEB-INF/applicationContext-security.xml
    </param-value>
	</context-param>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
		<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>


	<welcome-file-list>
		<welcome-file>login.jsp</welcome-file>
	</welcome-file-list>

	<servlet>
		<servlet-name>spring</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>spring</servlet-name>
		<url-pattern>*.html</url-pattern>
	</servlet-mapping>
</web-app>

spring-servlet.xml

HTML Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:p="http://www.springframework.org/schema/p"
	xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/context
		http://www.springframework.org/schema/context/spring-context-3.0.xsd">

<!-- 
	<context:component-scan
		base-package="webtest" />
		-->

	<bean id="viewResolver"
		class="org.springframework.web.servlet.view.UrlBasedViewResolver">
		<property name="viewClass"
			value="org.springframework.web.servlet.view.JstlView" />
		<property name="prefix" value="/WEB-INF/jsp" />
		<property name="suffix" value=".jsp" />
	</bean>
</beans>

applicationContext-security.xml

HTML Code:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

	<global-method-security secured-annotations="enabled">
	</global-method-security>

	<http auto-config='true'>
		<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/home.jsp" access="ROLE_USER" />
		<intercept-url pattern="/**" access="ROLE_USER" />
		<form-login login-page="/login.jsp" default-target-url="/home.jsp" />
		<logout/>
	</http>

	<authentication-manager>
	<authentication-provider>
		<user-service>
			<user name="jimi" password="jimispassword" authorities="ROLE_USER" />
			<user name="bob" password="bobspassword" authorities="ROLE_USER" />
		</user-service>
	</authentication-provider>
	</authentication-manager>


</beans:beans>

home.jsp (page which is displayed after login successful):

HTML Code:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix='c' uri='http://java.sun.com/jstl/core_rt' %>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
   "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<title>Demo</title>
</head>
<frameset cols="200, *"> 
  <frame src="/jsp/nav.html" name="nav"> 
  <frame src="/jsp/main.html">
  <noframes>
    <body>
   
    </body>
  </noframes>
</frameset>
</html>

If you need more details, please ask.

Thanks,

Override

[Marten Deinum]

Why is this security related?!

The 2 frames are request by the browser and by the server. So they should be publicly accessible (/WEB-INF isn't!). On the other hand that isn't what you want, change the urls to be views to be returned by the dispatcherservlet (you can use a UrlFilenameViewController for this).

[override]

why should the frames be public? they should be visible only when logged in. now i've written a controller which returns the view when a GET-request for the frames is done, but it does not work, the methods are not called the default-target page after login works (it is located in WebContent, and in Eclipse it already displays the format of the 2 frames, but in each of it it shows a 404 error..)
maybe you can explain quickly how to do this, i'm sorry i'm new to spring..

Code:

package ctrl;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class LoginController {

    @RequestMapping(value = "/nav.html", method = RequestMethod.GET)
    public ModelAndView showNavFrame() {
	return new ModelAndView("nav");
    }
    
    @RequestMapping(value = "/main.html", method = RequestMethod.GET)
    public ModelAndView showMainFrame() {
	return new ModelAndView("main");
    }
}

thanks

[Marten Deinum]

PUblic as in publicly accessible because they are directly accessed by the browser, so they shouldn't be in WEB-INF... I already gave you the solution in the previous post.

The 2 frames are request by the browser and by the server. So they should be publicly accessible (/WEB-INF isn't!). On the other hand that isn't what you want, change the urls to be views to be returned by the dispatcherservlet (you can use a UrlFilenameViewController for this).