
I am having problems with Spring Security and displaying error messages.

Here is what I have in my root-context.xml:

<context:property-placeholder location="classpath:config.properties" />
<!-- Register the Customer.properties -->
<bean id="messageSource"
      class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basename" value="mymessages" />
</bean>
<security:http auto-config='true'>
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:form-login login-page='/login' default-target-url="/"
                         authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/" logout-url="/j_spring_security_logout" />
</security:http>
<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="billy" password="123456" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

And in my web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

And my .jsp is:

<body>
    <%@ include file="include/login1.jsp"%>
    <c:if test="${not empty error}">
        <div class="errorblock">Your login attempt was not successful, try again.<br/> Caused :
        </div>
    </c:if>
</body>
</html>

When I log in with wrong user credentials the first time, it just reloads the login page. Then, if I log in with the correct credentials, it loads the login page with the text "Your login attempt was not successful, try again. Caused :" but no Spring message saying bad credentials after "Caused :". Any help on this matter is much appreciated.

asked Dec 5, 2013 at 16:14
  • Sorry for my previous comment, I pasted the wrong thing. What I meant to say was: why does your web.xml have the springSecurityFilterChain defined twice? Commented Dec 5, 2013 at 20:20
  • Hey, thanks for the reply. The filter duplication was just a copy-paste error; it is not like this in my actual code (first time posting :-/). Commented Dec 6, 2013 at 9:45

2 Answers


It looks like your authentication failed URL requires authentication.

<security:intercept-URL pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-URL pattern="/**" access="ROLE_USER"/>

This configuration will only allow unauthenticated people to get to the /login page, but not the /loginfailed page. Try changing the login intercept-url to:

<security:intercept-URL pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-URL pattern="/**" access="ROLE_USER"/>

Alternately, you could just add another intercept url that specifically calls out the /loginfailed url.

What's probably happening is that the first time you try to login, it's redirecting you to the login failed page "/loginfailed", which causes another redirect back to the login page due to the authentication failure. Then, when you correctly login, it redirects you back to the "/loginfailed" page because that was the original request before the login redirect.

There's another parameter you can use that will always send you to the default target:

<form-login login-page='/login' default-target-url='/'
 authentication-failure-url="/loginfailed" always-use-default-target='true' />

Give that a shot and see if it works.

Edit: Here's a complete example of a security setup. In this setup, I'm using additional http declarations instead of additional intercept-urls. My login.jsp changes its content based on the login_error parameter (e.g. login_error=1 makes it put up a message saying 'username or password was incorrect' and login_error=2 makes it put up a message saying that the session has timed out and to please log in again).

<!-- No security on js, css, image and other static resources -->
<http pattern="/resources/**" security="none" />
<!-- No security on error pages -->
<http pattern="/error/**" security="none" />
<!-- No security on pages starting with login -->
<http pattern="/login*" security="none" />
<http auto-config='true'>
    <!-- Everything else requires ROLE_USER -->
    <intercept-url pattern="/**" access="ROLE_USER" />
    <access-denied-handler error-page="/error/403"/>
    <!-- Custom login page -->
    <form-login login-page='/login' default-target-url='/'
                authentication-failure-url="/login?login_error=1"
                always-use-default-target='false' />
    <!-- Allow user to stay logged in -->
    <remember-me />
    <!-- Custom logout page and remove the session id cookie -->
    <logout logout-url='/logout' delete-cookies="JSESSIONID"/>
    <!-- Custom session timeout page; the schema allows only one session-management
         element per http block, so concurrency control lives inside the same one -->
    <session-management invalid-session-url="/login?login_error=2">
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
    </session-management>
</http>
answered Dec 5, 2013 at 19:51

2 Comments

Hi @reblace, so are you saying to remove the intercept with access="ROLE_USER"? It may also be worth noting that my login controller's RequestMapping for /loginfailed sets error to true and returns login.jsp, which should now show an error div:

    @RequestMapping(value = "/loginfailed", method = RequestMethod.GET)
    public String home2(Model model) {
        model.addAttribute("error", "true");
        return "login";
    }
Nope, sorry I wasn't suggesting you remove the second one. Just that you need to change 'login' to 'login*' so that both /login and /loginfailed can be accessed anonymously. (You could also add another intercept URL right after the login one that explicitly sets /loginfailed to not require authentication). If someone's login fails, they are still anonymous and so the page you want them to be redirected to needs to be visible to anonymous users. I'll update the post with more detail about how I typically set my login form up when I'm back at my computer.
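Added example, not code from the question or the answers: a small Python model of the redirect sequence described in this answer. It assumes Ant-style matching behaves like Spring's AntPathMatcher for these patterns, that the first matching intercept-url wins, and that the success handler replays a saved request unless always-use-default-target is set.

```python
import re

# Constructed rule sets (not the poster's deployed config): the original /login
# pattern from the question and the /login* pattern suggested in the answer.
RULES_ORIGINAL = [("/login", "IS_AUTHENTICATED_ANONYMOUSLY"), ("/**", "ROLE_USER")]
RULES_FIXED = [("/login*", "IS_AUTHENTICATED_ANONYMOUSLY"), ("/**", "ROLE_USER")]


def ant_to_regex(pattern):
    # Approximation of Spring's AntPathMatcher: '**' spans segments, '*' stays within one.
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + regex + "$")


def required_access(rules, path):
    # First matching intercept-url wins, which is why rule order matters.
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None


def is_allowed(access, authenticated):
    return access == "IS_AUTHENTICATED_ANONYMOUSLY" or (access == "ROLE_USER" and authenticated)


def failed_then_successful_login(rules, failure_url="/loginfailed", login_page="/login",
                                 default_target="/", always_use_default_target=False):
    """Pages the browser lands on after one bad login followed by one good login."""
    visited = [failure_url]  # bad credentials: the failure handler redirects here
    saved_request = None
    # The failure URL is itself filtered. If it needs ROLE_USER, the still-anonymous
    # user has the request saved and is bounced to the login page: no error is shown.
    if not is_allowed(required_access(rules, failure_url), authenticated=False):
        saved_request = failure_url
        visited.append(login_page)
    # Good credentials: the success handler replays the saved request unless
    # always-use-default-target='true' forces the default target.
    if saved_request is not None and not always_use_default_target:
        visited.append(saved_request)
    else:
        visited.append(default_target)
    return visited


if __name__ == "__main__":
    print(failed_then_successful_login(RULES_ORIGINAL))  # ['/loginfailed', '/login', '/loginfailed']
    print(failed_then_successful_login(RULES_FIXED))     # ['/loginfailed', '/']
```

Switching the pattern to /login* lets the anonymous user reach /loginfailed, so the error page renders on the first failure and nothing stale is replayed after a later successful login.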

Remove this line and try:

<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />

and

auto-config='true'

It is only required when you configure services manually. Maybe that works.

answered Feb 5, 2015 at 8:50
