bay1ts bay1ts - 18 days ago 5
Java Question

Spring security4 /login doesn't pass through any filter

The Spring security version I used was 4.0.2.
The main part of Spring-security.xml

<http pattern="/resources/**" security="none" />
<http pattern="/login" security="none"/>
<http auto-config="true" use-expressions="true">
<!-- <intercept-url pattern="/login" access="permitAll" /> -->
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
<custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
<form-login login-page="/login" default-target-url="/"
password-parameter="pwd" />
<logout logout-success-url="/about" />
</http>


When I use

<http pattern="/login" security="none"/>


in file,my application can't work,when i submit my login request,it just response me with the login.jsp view,and the debug info placed there:

22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
22:32:42,905 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
22:32:42,905 DEBUG FilterChainProxy:200 - /login has an empty filter list
22:32:42,906 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing POST request for [/login]
22:32:42,907 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /login
22:32:42,908 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public void com.bay1ts.controller.BaseController.login()]
22:32:42,908 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
22:32:42,909 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'login'; URL [/WEB-INF/jsps/login.jsp]] in DispatcherServlet with name 'springmvc'
22:32:42,910 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
22:32:42,910 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/login.jsp] in InternalResourceView 'login'
22:32:42,919 DEBUG DispatcherServlet:996 - Successfully completed request


But when I use

<intercept-url pattern="/login" access="permitAll" />


like this:

<http pattern="/resources/**" security="none" />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/about" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
<custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
<remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
<form-login login-page="/login" default-target-url="/"
password-parameter="pwd" />
<logout logout-success-url="/about" />
</http>


then I can login my application
And this is the debug-info

22:56:22,763 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/resources/**'
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
22:56:22,770 DEBUG HttpSessionSecurityContextRepository:171 - HttpSession returned null object for SPRING_SECURITY_CONTEXT
22:56:22,770 DEBUG HttpSessionSecurityContextRepository:101 - No SecurityContext was available from the HttpSession: org.eclipse.jetty.server.session.HashedSession:1bf4hxwrtqrdvs3dedd70rh8o@1206903733. A new one will be created.
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
22:56:22,770 DEBUG FilterChainProxy:324 - /login at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
22:56:22,771 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
22:56:22,771 DEBUG FilterChainProxy:324 - /login at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
22:56:22,772 DEBUG FilterChainProxy:324 - /login at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
22:56:22,772 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/logout'
22:56:22,773 DEBUG FilterChainProxy:324 - /login at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
22:56:22,773 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/login'; against '/login'
22:56:22,773 DEBUG UsernamePasswordAuthenticationFilter:211 - Request is to process authentication
22:56:22,774 DEBUG ProviderManager:162 - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
22:56:22,778 DEBUG JdbcTemplate:693 - Executing prepared SQL query
22:56:22,780 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,password,enabled from users where username = ?]
22:56:22,788 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:22,862 INFO AbstractPoolBackedDataSource:203 - Initializing c3p0 pool... com.mchange.v2.c3p0.ComboPooledDataSource [ acquireIncrement -> 3, acquireRetryAttempts -> 30, acquireRetryDelay -> 1000, autoCommitOnClose -> false, automaticTestTable -> null, breakAfterAcquireFailure -> false, checkoutTimeout -> 0, connectionCustomizerClassName -> null, connectionTesterClassName -> com.mchange.v2.c3p0.impl.DefaultConnectionTester, contextClassLoaderSource -> caller, dataSourceName -> 1hge1379c1b42a3w17r38ui|3c87fdf2, debugUnreturnedConnectionStackTraces -> false, description -> null, driverClass -> com.mysql.jdbc.Driver, extensions -> {}, factoryClassLocation -> null, forceIgnoreUnresolvedTransactions -> false, forceUseNamedDriverClass -> false, identityToken -> 1hge1379c1b42a3w17r38ui|3c87fdf2, idleConnectionTestPeriod -> 0, initialPoolSize -> 3, jdbcUrl -> jdbc:mysql://localhost:3306/jdbcdaoimpl?characterEncoding=UTF-8, maxAdministrativeTaskTime -> 0, maxConnectionAge -> 0, maxIdleTime -> 0, maxIdleTimeExcessConnections -> 0, maxPoolSize -> 15, maxStatements -> 0, maxStatementsPerConnection -> 0, minPoolSize -> 3, numHelperThreads -> 3, preferredTestQuery -> null, privilegeSpawnedThreads -> false, properties -> {user=******, password=******}, propertyCycle -> 0, statementCacheNumDeferredCloseThreads -> 0, testConnectionOnCheckin -> false, testConnectionOnCheckout -> false, unreturnedConnectionTimeout -> 0, userOverrides -> {}, usesTraditionalReflectiveProxies -> false ]
22:56:22,895 DEBUG MConfig:198 - The configuration file for resource identifier '/mchange-commons.properties' could not be found. Skipping.
java.io.FileNotFoundException: Resource not found at path '/mchange-commons.properties'.
at com.mchange.v2.cfg.BasicPropertiesConfigSource.propertiesFromSource(BasicPropertiesConfigSource.java:64)
at com.mchange.v2.cfg.BasicMultiPropertiesConfig.firstInit(BasicMultiPropertiesConfig.java:185)
at com.mchange.v2.cfg.BasicMultiPropertiesConfig.<init>(BasicMultiPropertiesConfig.java:110)
at com.mchange.v2.cfg.ConfigUtils.read(ConfigUtils.java:63)
at com.mchange.v2.cfg.MConfig$CSManager.recreateFromKey(MConfig.java:153)
at com.mchange.v1.cachedstore.NoCleanupCachedStore.find(NoCleanupCachedStore.java:63)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.mchange.v1.lang.Synchronizer$1.invoke(Synchronizer.java:58)
at com.sun.proxy.$Proxy29.find(Unknown Source)
at com.mchange.v2.cfg.MConfig.readVmConfig(MConfig.java:75)
at com.mchange.v2.cfg.MConfig.readVmConfig(MConfig.java:81)
at com.mchange.v2.resourcepool.BasicResourcePool.<clinit>(BasicResourcePool.java:60)
...
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:695)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:727)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:737)
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:787)
at org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl.loadUsersByUsername(JdbcDaoImpl.java:216)
at org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl.loadUserByUsername(JdbcDaoImpl.java:173)
at org.springframework.security.authentication.dao.DaoAuthenticationProvider.retrieveUser(DaoAuthenticationProvider.java:114)
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:143)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:120)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1667)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1667)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1114)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1048)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
at org.eclipse.jetty.server.Server.handle(Server.java:517)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:302)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:245)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
at java.lang.Thread.run(Thread.java:745)
22:56:22,992 DEBUG BasicResourcePool:195 - com.mchange.v2.resourcepool.BasicResourcePool@a87512f config: [start -> 3; min -> 3; max -> 15; inc -> 3; num_acq_attempts -> 30; acq_attempt_delay -> 1000; check_idle_resources_delay -> 0; max_resource_age -> 0; max_idle_time -> 0; excess_max_idle_time -> 0; destroy_unreturned_resc_time -> 0; expiration_enforcement_delay -> 0; break_on_acquisition_failure -> false; debug_store_checkout_exceptions -> false]
22:56:22,992 DEBUG C3P0PooledConnectionPoolManager:195 - Created new pool for auth, username (masked): 'ro******'.
22:56:22,992 DEBUG BasicResourcePool:195 - acquire test -- pool size: 0; target_pool_size: 3; desired target? 1
22:56:22,993 DEBUG BasicResourcePool:195 - awaitAvailable(): [unknown]
22:56:23,568 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,570 DEBUG JdbcTemplate:693 - Executing prepared SQL query
22:56:23,570 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [select username,authority from authorities where username = ?]
22:56:23,571 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:23,573 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,578 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,578 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@70540f7b
22:56:23,580 DEBUG CompositeSessionAuthenticationStrategy:86 - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@51ae01da
22:56:23,581 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,582 DEBUG UsernamePasswordAuthenticationFilter:317 - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
22:56:23,582 DEBUG PersistentTokenBasedRememberMeServices:147 - Creating new persistent login for user admin
22:56:23,586 DEBUG JdbcTemplate:908 - Executing prepared SQL update
22:56:23,586 DEBUG JdbcTemplate:627 - Executing prepared SQL statement [insert into persistent_logins (username, series, token, last_used) values(?,?,?,?)]
22:56:23,587 DEBUG DataSourceUtils:110 - Fetching JDBC Connection from DataSource
22:56:23,593 DEBUG JdbcTemplate:918 - SQL update affected 1 rows
22:56:23,594 DEBUG DataSourceUtils:327 - Returning JDBC Connection to DataSource
22:56:23,594 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'sqlSessionFactory'
22:56:23,595 DEBUG SavedRequestAwareAuthenticationSuccessHandler:110 - Using default Url: /
22:56:23,595 DEBUG DefaultRedirectStrategy:39 - Redirecting to '/'
22:56:23,595 DEBUG HttpSessionSecurityContextRepository:362 - SecurityContext 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER' stored to HttpSession: 'org.eclipse.jetty.server.session.HashedSession:m2b22n17auwqwwbhl5t9veiw@1206903733
22:56:23,596 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed
22:56:23,598 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/resources/**'
22:56:23,599 DEBUG FilterChainProxy:324 - / at position 1 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
22:56:23,599 DEBUG HttpSessionSecurityContextRepository:192 - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@fec65191: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,599 DEBUG FilterChainProxy:324 - / at position 2 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
22:56:23,600 DEBUG HstsHeaderWriter:128 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@1945827
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
22:56:23,600 DEBUG FilterChainProxy:324 - / at position 5 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
22:56:23,600 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /logout
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 6 of 15 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
22:56:23,601 DEBUG AntPathRequestMatcher:131 - Request 'GET /' doesn't match 'POST /login
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 7 of 15 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 8 of 15 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 9 of 15 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
22:56:23,601 DEBUG FilterChainProxy:324 - / at position 10 of 15 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
22:56:23,602 DEBUG RememberMeAuthenticationFilter:153 - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 11 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
22:56:23,602 DEBUG AnonymousAuthenticationFilter:106 - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 12 of 15 in additional filter chain; firing Filter: 'SessionManagementFilter'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 13 of 15 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
22:56:23,602 DEBUG FilterChainProxy:324 - / at position 14 of 15 in additional filter chain; firing Filter: 'IPRoleAuthenticationFilter'
22:56:23,603 DEBUG FilterChainProxy:324 - / at position 15 of 15 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/login'
22:56:23,603 DEBUG AntPathRequestMatcher:151 - Checking match of request : '/'; against '/about'
22:56:23,603 DEBUG FilterSecurityInterceptor:218 - Secure object: FilterInvocation: URL: /; Attributes: [hasRole('ROLE_USER')]
22:56:23,603 DEBUG FilterSecurityInterceptor:347 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fec65191: Principal: org.springframework.security.core.userdetails.User@586034f: Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@166c8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 1bf4hxwrtqrdvs3dedd70rh8o; Granted Authorities: ROLE_ADMIN, ROLE_USER
22:56:23,608 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@71ed560f, returned: 1
22:56:23,608 DEBUG FilterSecurityInterceptor:242 - Authorization successful
22:56:23,608 DEBUG FilterSecurityInterceptor:255 - RunAsManager did not change Authentication object
22:56:23,609 DEBUG FilterChainProxy:309 - / reached end of additional filter chain; proceeding with original chain
22:56:23,609 DEBUG DispatcherServlet:861 - DispatcherServlet with name 'springmvc' processing GET request for [/]
22:56:23,609 DEBUG RequestMappingHandlerMapping:294 - Looking up handler method for path /
22:56:23,610 DEBUG RequestMappingHandlerMapping:299 - Returning handler method [public java.lang.String com.bay1ts.controller.BaseController.index()]
22:56:23,610 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'baseController'
22:56:23,611 DEBUG DispatcherServlet:947 - Last-Modified value for [/] is: -1
22:56:23,612 DEBUG DefaultListableBeanFactory:1616 - Invoking afterPropertiesSet() on bean with name 'index'
22:56:23,612 DEBUG DispatcherServlet:1241 - Rendering view [org.springframework.web.servlet.view.JstlView: name 'index'; URL [/WEB-INF/jsps/index.jsp]] in DispatcherServlet with name 'springmvc'
22:56:23,612 DEBUG DefaultListableBeanFactory:248 - Returning cached instance of singleton bean 'requestDataValueProcessor'
22:56:23,613 DEBUG JstlView:166 - Forwarding to resource [/WEB-INF/jsps/index.jsp] in InternalResourceView 'index'
22:56:23,764 DEBUG DispatcherServlet:996 - Successfully completed request
22:56:23,764 DEBUG ExceptionTranslationFilter:116 - Chain processed normally
22:56:23,765 DEBUG SecurityContextPersistenceFilter:105 - SecurityContextHolder now cleared, as request processing completed


But why?

Answer

In general using security="none" is not recommended. This instructs Spring Security to completely ignore specific requests.

One consequence of using security="none" is that when you submit a username and password to be validated, Spring Security's UsernamePasswordAuthenticationFilter will not process it.

Another consequence of using security="none" is that other types of Security are no longer in place. For example, no Security HTTP Response headers will be added.

When you use permitAll that instructs Spring Security to allow anyone to access the URL, but Spring Security will still process the URL. This means the URL is still used when processing submitted username / password. It also means that other types of security (i.e. Security HTTP Response headers) will be available for that URL.

Configuration Cleanup

There is some additional configuration cleanup that you could/should do. For example, each <intercept-url> is considered in order and only the first is used. This means that the following:

    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>

will never reach the rules for /user/* or /admin/* since /** matches everything and is listed before them.

Instead, you should order the rules in order from most specific to most general. For example:

    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

You can also clean up some of your configuration. For example, in Spring Security 4+ expressions="true" is enabled by default (so you do not need to specify it). Another example is that in Spring Security 4+ you no longer need to provide the ROLE_ for hasRole. This means you can update your configuration to look like:

 <http auto-config="true">
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/user/*" access="hasRole('USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ADMIN')"/>
    <intercept-url pattern="/**" access="hasRole('USER')" />
    <custom-filter ref="ipFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
    <remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="dataSource" user-service-ref="customjdbcUserService"/>
    <form-login login-page="/login" default-target-url="/"
        password-parameter="pwd" />
    <logout logout-success-url="/about" />
</http>

It might be worth mentioning that /user/* will match on /user/123, but not match on /user/profile/123. For that reason, you may consider changing your pattern to be /user/**

Comments