Infinite loop using Spring Security - Login page is protected even though it should allow anonymous
Posted
by Tai Squared
on Stack Overflow
See other posts from Stack Overflow
or by Tai Squared
Published on 2010-01-06T01:46:43Z
Indexed on
2010/03/29
12:03 UTC
Read the original article
Hit count: 561
I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup:
web.xml
<welcome-file-list>
<welcome-file>
index.jsp
</welcome-file>
</welcome-file-list>
The index.jsp page is in the WebContent directory and simply contains a redirect:
<c:redirect url="/login.htm"/>
In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
In the security-config.xml file, I have the following configuration:
<http>
<!-- Restrict URLs based on role -->
<intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
<form-login login-page="/login.jsp"/>
</http>
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>
However, I can't even navigate to the login page and get the following error in the log:
WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.
I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accesible and security applies to the other pages. What do I have to change to avoid this loop?
© Stack Overflow or respective owner