Java configuration of Spring security does not recognize /j_spring_security

Vivin Paliath

2014-08-03T08:19:35

I have a webapp where I've used Java config for Spring security. The problem is that if I do not explicitly specify /j_spring_security_check as the login processing URL, it will fail. I end up getting the following in the logs:

DEBUG: [Aug-02 17:16:10,907] security.web.FilterChainProxy - /j_spring_security_check at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: [Aug-02 17:16:10,907] security.web.FilterChainProxy - /j_spring_security_check at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: [Aug-02 17:16:10,907] security.web.FilterChainProxy - /j_spring_security_check at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/login.html'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/auth-failure.html'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/favicon.ico'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/css/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/js/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/img/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/reader/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/script/read/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/mobile/**'
DEBUG: [Aug-02 17:16:10,907] util.matcher.AntPathRequestMatcher - Request '/j_spring_security_check' matched by universal pattern '/**'
DEBUG: [Aug-02 17:16:10,907] access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /j_spring_security_check; Attributes: [hasRole('ROLE_USER')]
DEBUG: [Aug-02 17:16:10,907] access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa8dbd0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 127.0.0.1; SessionId: 715AFC0DB28725B1A882DF649173A566; Granted Authorities: ROLE_ANONYMOUS
DEBUG: [Aug-02 17:16:10,907] access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@329b7920, returned: -1
DEBUG: [Aug-02 17:16:10,907] web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

As you can see, it can't match /j_spring_security_check at all and so it says that access is denied and redirects back to the login page. However, if I explicitly add /j_spring_security_check like so:

http.formLogin()
        .loginProcessingUrl("/j_spring_security_check")
        ...
        ...

It works. This doesn't seem right to me since I never had to do this in the XML-based config. Furthermore, I don't see this in any of the examples either. What am I doing wrong?

My security-configuration class is as follows:

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    public void configure(AuthenticationManagerBuilder builder) throws Exception {
        builder.userDetailsService(new CustomUserDetailsService()).passwordEncoder(new PlaintextPasswordEncoder()); //plaintext is on purpose; this is a toy app
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // toy app so I'm just trying to get this to work
            .authorizeRequests()
                .antMatchers(
                        "/login.html",
                        "/auth-failure.html",
                        "/favicon.ico",
                        "/css/**",
                        "/js/**",
                        "/img/**",
                        "/reader/**",
                        "/script/read/**",
                        "/mobile/**").permitAll()
                .antMatchers("/**").hasRole("USER")
                .anyRequest().authenticated();

        http.formLogin()
                .loginProcessingUrl("/j_spring_security_check")
                .loginPage("/login.html")
                .defaultSuccessUrl("/editor/")
                .failureUrl("/auth-failure.html");
    }
}

Copyright License：
Author:「Vivin Paliath」,Reproduced under the CC 4.0 BY-SA copyright license with link to original source & disclaimer.
Link to：https://stackoverflow.com/questions/25100500/java-configuration-of-spring-security-does-not-recognize-j-spring-security-chec

About “Java configuration of Spring security does not recognize /j_spring_security_check” questions

Java configuration of Spring security does not recognize /j_spring_security_check

I have a webapp where I've used Java config for Spring security. The problem is that if I do not explicitly specify /j_spring_security_check as the login processing URL, it will fail. I end up gett...

Spring security: j_spring_security_check page not found

I'm trying to use Spring Security but when I use form login (with or without correct username/password), I get a 404 error to: http://localhost/HomeAutomation/j_spring_security_check. Here my file...

Spring Security - Dispatch to /j_spring_security_check

I have spring security in place and login via login.jsp works perfectly fine. Now, I have to automatically get the user logged in based on the URL (similar to Single Sign On). I basically have a p...

Java config /j_spring_security_check not found

I'm a noob to Spring framework. Trying to configure security options for the app. I have following as my (xml-less) security config: @Configuration @EnableWebSecurity public class SecurityConfig

Spring Security /j_spring_security_check without JSP

I need clean URL rather than the extension appended. I'm using the Backbone.js framework in my UI. I have a view built that gathers a username and password and performs a restful request to /

Spring Security Login Redirects to /j_spring_security_check Without Authenticating

I am currently trying to get a simple Spring security login to work. I am using mongodb and can get users to be saved to the database (can query them from mongo shell). However, when I enter the

FilterChainProxy: /j_spring_security_check has no matching filters

I am trying to use Spring security default login mechanism and this is what I have configured in security.xml file <http pattern="/customer/**" auto-config="true" use-expressions="true"

Spring Security : Custom Login without backing bean, using only spring security configurations as j_spring_security_check

I'd like to use spring security with JSF2 & richfaces. If I use the login page generated by spring it works fine. <security:http auto-config="true" use-expressions="true"> &l

Spring Security - j_spring_security_check - HTTP status 403

Im the new at Spring Security. If I press log in, the site: http://localhost:8080/j_spring_security_check occurs with HTTP Status 403 – Forbidden Type Status Report Message Forbidden Descripti...

Spring Security 3 RestTemplate POST to j_spring_security_check

I am using Spring Security 3 with REST endpoints. I managed to get a basic Spring Security working. Part of the security-context.xml <security:http auto-config="true" use-expressions="true" a...