Infinite loop using Spring Security - Login page is protected even though it should allow anonymous

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Tai Squared on Stack Overflow See other posts from Stack Overflow or by Tai Squared
Published on 2010-01-06T01:46:43Z Indexed on 2010/03/29 12:03 UTC
Read the original article Hit count: 529

Filed under:
|
|
|

I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup:

web.xml

<welcome-file-list>
  <welcome-file>
    index.jsp
  </welcome-file>
</welcome-file-list>

The index.jsp page is in the WebContent directory and simply contains a redirect:

<c:redirect url="/login.htm"/>

In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/jsp/" />
  <property name="suffix" value=".jsp" />
</bean>

In the security-config.xml file, I have the following configuration:

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

  <form-login login-page="/login.jsp"/>
</http>

<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

However, I can't even navigate to the login page and get the following error in the log:

WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.

I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accesible and security applies to the other pages. What do I have to change to avoid this loop?

© Stack Overflow or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about spring

Related posts about spring-security

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle