I am using Spring Security 3.2.3.RELEASE on top of Spring 3.2.7.RELEASE.

Basically, I cannot escape the login page. After logging in, the system starts to redirect back to the original page (the one Spring Security intercepted), but then gets redirected back to the login page.

My Spring Security context looks like this:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <global-method-security secured-annotations="enabled" authentication-manager-ref="xxxAuthenticationManager" proxy-target-class="true"/>

    <http create-session="stateless" authentication-manager-ref="xxxAuthenticationManager">
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/boot" access="ROLE_AUTHORISED" />

        <form-login
            login-page="/login"
            default-target-url="/boot"
            authentication-failure-url="/login?error=true"
            always-use-default-target="true" />

        <logout logout-success-url="/login" />
    </http>

    <context:component-scan base-package="com.touchcorp.xxxxx.security" />

</beans:beans>

I am using Jersey for my REST-based controllers, for which I have two resources. The basic home page:

@Path("/boot")
@Named
@Component
@Produces(MediaType.TEXT_HTML)
public class BootstrapResource {

    private static final Logger LOG = LoggerFactory.getLogger(BootstrapResource.class);

    private ClientDao dao;

    public BootstrapResource() {
    }

    public BootstrapResource(ClientDao dao) {
        this.dao = dao;
    }

    @GET
    public BootstrapView doLaunch(@Context HttpServletRequest request) {
        // getUserPrincipal() returns null when the request is not authenticated,
        // so guard it before logging
        java.security.Principal principal = request.getUserPrincipal();
        LOG.debug("in the bootstrap, user (from spring):" + (principal == null ? "none" : principal.getName()) +
            ", user (from request):" + request.getParameter("j_username"));

        return new BootstrapView(new Bootstrap("myname"));
    }
}

public class BootstrapView extends View {
    private final Bootstrap boot;

    public BootstrapView(Bootstrap boot) {
        super("/index.mustache");
        this.boot = boot;
    }

    public Bootstrap getPerson() {
        return boot;
    }
}

public class Bootstrap {
    private String name;

    public Bootstrap() {
    }

    public Bootstrap(String name) {
        this.name = name;
    }

    // getter so the mustache template can read the name
    public String getName() {
        return name;
    }
}

and the login controller:

@Path("/login")
@Named
@Component
@Produces(MediaType.TEXT_HTML)
public class LoginResource {

    private static final Logger LOG = LoggerFactory.getLogger(LoginResource.class);

    @GET
    public View home(@Context HttpServletRequest req) {
        LOG.debug("presenting login");
        SecurityContextHolder.getContext().setAuthentication(null);
        return new LoginView();
    }

    public class LoginView extends View {
        public LoginView() {
            super("/login.mustache");
        }
    }
}

The authentication manager shown in the configuration is as follows:

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// class name taken from the log output below; the privs map is populated elsewhere (not shown in the question)
public class TouchpointAuthenticationManager implements AuthenticationManager {

    private static final Logger LOG = LoggerFactory.getLogger(TouchpointAuthenticationManager.class);

    private final Map<String, List<GrantedAuthority>> privs = new HashMap<String, List<GrantedAuthority>>();

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String user = String.valueOf(authentication.getName());
        String password = String.valueOf(authentication.getCredentials());
        // this logs the clear-text credential at DEBUG; drop the credential argument before deploying
        LOG.debug("1. authenticating user {} and password {}", authentication.getName(), authentication.getCredentials());

        if (!privs.containsKey(user) || !"p".equals(password)) {
            LOG.error("access denied to user {}", user);
            throw new BadCredentialsException("Access denied.");
        }

        // return an authenticated token carrying the user's roles (3-arg constructor sets authenticated=true)
        Authentication auth = new UsernamePasswordAuthenticationToken(authentication.getPrincipal(),
                authentication.getCredentials(), privs.get(user));
        LOG.debug("2. authenticating user {} and password {}", auth.getName(), auth.getCredentials());
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }
}

See below for what the console is showing:

So what's going on? Why can't I escape the login?

Thanks for your replies.

OK, so, more info.

I have attached the login form (see below), and I turned up the logging on the Spring Security framework and annotated that logging to assist in its analysis (also see below; sorry about the length).

1. First, the form (Login Page):

    Login

    <h3>Login to Touchpoint with Username and Password</h3>

    {{#error}}
        <div class="error">{{error}}</div>
    {{/error}}
    {{#msg}}
        <div class="msg">{{msg}}</div>
    {{/msg}}

    <form name='loginForm' action="j_spring_security_check" method='POST'>
      <table>
        <tr>
            <td>User:</td>
            <td><input type='text' name='j_username' value=''></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='j_password' /></td>
        </tr>
        <tr>
            <td colspan='2'><input name="submit" type="submit" value="submit" /></td>
        </tr>
      </table>
    </form>

2. ...and now the log:

Initial request /boot

DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/boot'; against '/login'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/boot'; against '/boot'
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /boot; Attributes: [ROLE_AUTHORISED]
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.RoleVoter@4e406694, returned: -1
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.AuthenticatedVoter@5ab9b447, returned: 0
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Access is denied (user is anonymous); redirecting to authentication entry point
! o.s.s.access.AccessDeniedException: Access is denied
<snip>
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Calling Authentication entry point.

boot didn't work, so redirect to login

DEBUG [t] o.s.s.web.DefaultRedirectStrategy: Redirecting to 'http://localhost:8090/login'
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/login'; against '/login'
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /login; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.RoleVoter@4e406694, returned: 0
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.AuthenticatedVoter@5ab9b447, returned: 1
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Authorization successful
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: RunAsManager did not change Authentication object
DEBUG [t] o.s.s.web.FilterChainProxy: /login reached end of additional filter chain; proceeding with original chain
DEBUG [t] com.txxxxcorp.xxxxxxpoint.resources.LoginResource: presenting login
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:30 +0000] "GET /boot HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 29
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Chain processed normally
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:30 +0000] "GET /login HTTP/1.1" 200 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 52


is this testing whether the redirect after the form will work?

DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/boot'; against '/login'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/boot'; against '/boot'
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /boot; Attributes: [ROLE_AUTHORISED]
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.RoleVoter@4e406694, returned: -1
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.AuthenticatedVoter@5ab9b447, returned: 0
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Access is denied (user is anonymous); redirecting to authentication entry point
! o.s.s.access.AccessDeniedException: Access is denied
<snip>

DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Calling Authentication entry point.
DEBUG [t] o.s.s.web.DefaultRedirectStrategy: Redirecting to 'http://localhost:8090/login'
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/login'; against '/login'
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /login; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.RoleVoter@4e406694, returned: 0
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.AuthenticatedVoter@5ab9b447, returned: 1
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Authorization successful
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: RunAsManager did not change Authentication object
DEBUG [t] o.s.s.web.FilterChainProxy: /login reached end of additional filter chain; proceeding with original chain
DEBUG [t] com.txxxxcorp.txxxxpoint.resources.LoginResource: presenting login
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Chain processed normally
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:31 +0000] "GET /boot HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 2
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:31 +0000] "GET /login HTTP/1.1" 200 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 3

Filled in the form, entered an authorised user and submitted:

DEBUG [t] o.s.s.web.FilterChainProxy: /j_spring_security_check at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /j_spring_security_check at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /j_spring_security_check at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /j_spring_security_check at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.UsernamePasswordAuthenticationFilter: Request is to process authentication
DEBUG [t] com.txxxxxcorp.txxxxpoint.security.TouchpointAuthenticationManager: 1. authenticating user u and password p
DEBUG [t] com.txxxxxcorp.txxxxpoint.security.TouchpointAuthenticationManager: 2. authenticating user u and password p
DEBUG [t] o.s.s.web.authentication.UsernamePasswordAuthenticationFilter: Authentication success. Updating SecurityContextHolder to contain: o.s.s.authentication.UsernamePasswordAuthenticationToken@9e2a217c: Principal: u; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_AUTHORISED
DEBUG [t] o.s.s.web.DefaultRedirectStrategy: Redirecting to '/boot'

Whoa, we just got the context going, why is this going blank?
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed

DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /boot at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/boot'; against '/login'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/boot'; against '/boot'
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /boot; Attributes: [ROLE_AUTHORISED]
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.RoleVoter@4e406694, returned: -1
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.AuthenticatedVoter@5ab9b447, returned: 0
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Access is denied (user is anonymous); redirecting to authentication entry point
! o.s.s.access.AccessDeniedException: Access is denied
<snip>

DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Calling Authentication entry point.
DEBUG [t] o.s.s.web.DefaultRedirectStrategy: Redirecting to 'http://localhost:8090/login'
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:39 +0000] "POST /j_spring_security_check HTTP/1.1" 302 - "http://localhost:8090/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 9
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:39 +0000] "GET /boot HTTP/1.1" 302 - "http://localhost:8090/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 1
0:0:0:0:0:0:0:1 -  -  [02/Jun/2014:20:29:39 +0000] "GET /login HTTP/1.1" 200 - "http://localhost:8090/login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" 5
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 2 of 8 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 3 of 8 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 4 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 5 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [t] o.s.s.web.authentication.AnonymousAuthenticationFilter: Populated SecurityContextHolder with anonymous token: 'o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [t] o.s.s.web.FilterChainProxy: /login at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [t] o.s.s.web.util.matcher.AntPathRequestMatcher: Checking match of request : '/login'; against '/login'
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /login; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Previously Authenticated: o.s.s.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: o.s.s.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.RoleVoter@4e406694, returned: 0
DEBUG [t] o.s.s.access.vote.AffirmativeBased: Voter: o.s.s.access.vote.AuthenticatedVoter@5ab9b447, returned: 1
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: Authorization successful
DEBUG [t] o.s.s.web.access.intercept.FilterSecurityInterceptor: RunAsManager did not change Authentication object
DEBUG [t] o.s.s.web.FilterChainProxy: /login reached end of additional filter chain; proceeding with original chain
DEBUG [t] com.txxxxcorp.txxxxpoint.resources.LoginResource: presenting login
DEBUG [t] o.s.s.web.access.ExceptionTranslationFilter: Chain processed normally
DEBUG [t] o.s.s.web.context.SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
Michael Coxon
  • Can you log what sessionid it is? – Grim Jun 02 '14 at 11:39
  • Are you sure the user has the correct GrantedAuthority? – Björn Jun 02 '14 at 13:33
  • I have updated the question. The thing that sticks out is that the SecurityContextHolder gets blanked by the framework before /boot is displayed, so although it authenticates correctly, I lose the authentication right before I need the boot page. – Michael Coxon Jun 02 '14 at 22:30
  • I have found the underlying issue: What I didn't say was that I am using the Dropwizard framework, which doesn't support Sessions (assumes everything is REST and stateless). See https://groups.google.com/forum/#!topic/dropwizard-user/4265xiwoEaU – Michael Coxon Jun 03 '14 at 01:56

2 Answers

The source of the redirection lies within create-session="stateless". Just remove it from your http configuration element and you will be able to log in successfully. create-session="stateless" prohibits the use of a server-side session, which however is required for a form-based login.

A form login in a REST based service isn't commonly used. At least I didn't see such a service in my life yet. Normally, a client supplies credentials on each and every call or uses a token. Hence, you should switch from <form-login> to <http-basic /> or a more sophisticated protocol like OAuth(2).

ksokol
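As an added example (not ksokol's code and not the question's original configuration), here is the asker's <http> element rewritten the stateless way this answer recommends, in Spring Security 3.2 namespace config. It keeps create-session="stateless", so the SecurityContextPersistenceFilter never stores a context between requests and every request has to carry credentials, and swaps <form-login> for <http-basic />. The bean name xxxAuthenticationManager and the role ROLE_AUTHORISED come from the question; the /** catch-all rule is an addition. The simpler alternative given first in this answer, keeping the form login and deleting create-session="stateless", needs a servlet container that provides HTTP sessions, which the asker's Dropwizard setup does not.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Stateless REST variant (added example, not the question's original config).
         With create-session="stateless" the SecurityContextPersistenceFilter uses a
         NullSecurityContextRepository: nothing is saved between requests, which is
         exactly why the form-login redirect in the question lost its authentication.
         HTTP Basic works here because the client re-sends the Authorization header
         on every request and BasicAuthenticationFilter re-authenticates each time
         through the same AuthenticationManager bean. -->
    <http create-session="stateless" authentication-manager-ref="xxxAuthenticationManager">
        <!-- rules are evaluated top to bottom; the first matching pattern wins -->
        <intercept-url pattern="/boot" access="ROLE_AUTHORISED" />
        <!-- deny-by-default catch-all (added here); the question only protected /boot,
             so any other path was left to the anonymous user -->
        <intercept-url pattern="/**" access="ROLE_AUTHORISED" />
        <http-basic />
    </http>

    <!-- Alternative that keeps <form-login>: drop create-session="stateless", i.e.
         <http authentication-manager-ref="xxxAuthenticationManager">, so the
         authenticated context is written to the HttpSession after
         /j_spring_security_check and read back on the redirect to /boot.
         That only works on a container that actually provides sessions. -->
</beans:beans>
```

With this variant the /login resource and the login.mustache form are no longer used: an unauthenticated request to /boot gets a 401 with a WWW-Authenticate: Basic challenge from the entry point instead of a redirect, and the clear-text password in the Authorization header means the service must be served over TLS.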

If it is created stateless, the server-side session remains useless. Somehow the session information has to be provided by the client, and custom code has to be implemented on the server to identify it and authenticate.

I hope the references below provide you with more insight.

create-session stateless usage: http://www.baeldung.com/spring-security-session
http://www.baeldung.com/2011/11/20/basic-and-digest-authentication-for-a-restful-service-with-spring-security-3-1/#basic

Chakradhar K