problem rendering login.html on WAS 6.1.0.33

[amit.agar]

I am using spring mvc 2.5.6 and spring security 2.0.6 in our application. On my local WAS 6.1.0.19, application is working fine. When i deploy on test server which is WAS 6.1.0.33, my custom login page throws following error

Error Message:JSPG0036E: Failed to find resource /login.html

Root Cause:java.io.FileNotFoundException: JSPG0036E: Failed to find resource /login.html at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensio nProcessor.findWrapper(AbstractJSPExtensionProcess or.java:329) at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensio nProcessor.handleRequest(AbstractJSPExtensionProce ssor.java:291) at com.ibm.ws.webcontainer.webapp.WebAppRequestDispat cher.forward(WebAppRequestDispatcher.java:321) at org.springframework.web.servlet.view.InternalResou rceView.renderMergedOutputModel(InternalResourceVi ew.java:236) at org.springframework.web.servlet.view.AbstractView. render(AbstractView.java:257) at org.springframework.web.servlet.DispatcherServlet. render(DispatcherServlet.java:1183) at org.springframework.web.servlet.DispatcherServlet. doDispatch(DispatcherServlet.java:902) at org.springframework.web.servlet.DispatcherServlet. doService(DispatcherServlet.java:807) at org.springframework.web.servlet.FrameworkServlet.p rocessRequest(FrameworkServlet.java:571) at org.springframework.web.servlet.FrameworkServlet.d oGet(FrameworkServlet.java:501)

This page don't throw error in case spring security is not used.

Please find below my configuration
web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFil terProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Spring security context xml
<http access-denied-page="/authorization_failure.html" access-decision-manager-ref="accessDecisionManager">

<intercept-url pattern="/css/**" filters="none"/>
<intercept-url pattern="/js/**" filters="none"/>
<intercept-url pattern="/images/**" filters="none"/>
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/login.html" filters="none"/>
<form-login login-page="/login.html" authentication-failure-url="/login.html?login_error=true" default-target-url="/landing_page.html" />
<http-basic/>
<logout logout-success-url="/login.html"/>
</http>

Spring mvc servlet xml
<bean name="/login.html" class="com.tnt.cna.controller.LoginController" >

[Rob Winch]

When you changed WAS versions did anything else change? In particular did you change your Spring Security version? You may be running into this issue. You can test by TEMPORARILY reverting back to Spring Security 2.0.5. Make sure you do not use 2.0.5 in production as there is a vulnerability in it.

[amit.agar]

Thanks R. Winch for quick reply.

No we have not changed anything while moving to test WAS server. Everything is same. Sure i will try with spring 2.0.5, but as you mentioned it is not recommended version for production, please let us know the version which we can use along with spring 2.5.6.

[Rob Winch]

Another couple things: Do you see any errors at start up? Does the error occur if you disable Spring Security? If the error goes away when removing Spring Security, re-enable it and then can you enable logging for Spring Security and post the logs?

[amit.agar]

Rob, I have changed spring security version to 2.0.5 and it worked. I believe problem mentioned by you is creating problem. I will try to implement workaround suggested by Luke against that defect. Please confirm if there is any venerability issue with version 2.0.6.

Thanks for your great suggestion !!

[Rob Winch]

Rob, I have changed spring security version to 2.0.5 and it worked. I believe problem mentioned by you is creating problem. I will try to implement workaround suggested by Luke against that defect. Please confirm if there is any venerability issue with version 2.0.6.

Thanks for your great suggestion !!

I'm curious why it worked on the previous version of WAS. The version 2.0.6 does not have the vulnerability I referenced. You will also want to see the linked related issue in the event you are performing a forward w/in the FilterChain and getting a 404.