Infinite loop using Spring Security - Login page is protected even though it should allow anonymous

Posted by Tai Squared on Stack Overflow See other posts from Stack Overflow or by Tai Squared
Published on 2010-01-06T01:46:43Z Indexed on 2010/03/29 12:03 UTC
Read the original article Hit count: 561

I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup:

web.xml

<welcome-file-list>
  <welcome-file>
    index.jsp
  </welcome-file>
</welcome-file-list>

The index.jsp page is in the WebContent directory and simply contains a redirect:

<c:redirect url="/login.htm"/>

In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/jsp/" />
  <property name="suffix" value=".jsp" />
</bean>

In the security-config.xml file, I have the following configuration:

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

  <form-login login-page="/login.jsp"/>
</http>

<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

However, I can't even navigate to the login page and get the following error in the log:

WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.

I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accesible and security applies to the other pages. What do I have to change to avoid this loop?

© Stack Overflow or respective owner

Related posts about spring

Related posts about spring-security