Spring Security
SEC-1441

Additional GET /j_spring_security_check request issued after authentication causes remember me cookie to be removed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 3.0.1, 3.0.2, 3.0.3
    • Fix Version/s: 3.0.3
    • Component/s: None
    • Labels:
      None
    • Environment:
      Spring 3.0.3 Snapshot (also tried with other 3.0.x versions and seem to be getting the same results)
      Spring 3.0.1
      Google App Engine 1.3.1

      Description

      I've been trying to track down why Spring Security isn't creating the Spring Security remember me cookie in my application. However, based on what I see via the HTTP headers, the cookie is being set; it's just that there is an additional GET request for /j_spring_security_check that is causing the exception below. This also results in the cookie being removed. Note, the attached log also shows the initial post to /j_spring_security_check (and authentication) was successful. I'm unclear what is causing the additional GET /j_spring_security_check request. Any ideas what is going on?

      Here is the debug log information (also attached):

      Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter
      FINE: Request is to process authentication
      Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
      FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
      Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
      FINE: Updated SecurityContextHolder to contain null Authentication
      Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
      FINE: Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4196c169
      Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices loginFail
      FINE: Interactive login attempt was unsuccessful.
      Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices cancelCookie
      FINE: Cancelling cookie

      Here are the HTTP headers for the sequence of events:

      http://localhost:8080/j_spring_security_check

      POST /j_spring_security_check HTTP/1.1
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Connection: keep-alive
      Referer: http://localhost:8080/app/login
      Cookie: JSESSIONID=15t2gq1vo5noj
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 88
      j_username=test%40test.com&j_password=test&_spring_security_remember_me=on&submit=Submit
      HTTP/1.1 302 Found
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Set-Cookie: JSESSIONID=1dymxpkh13z32;Path=/
      Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
      Location: http://localhost:8080/app/helloWorld
      Content-Length: 0
      Server: Jetty(6.1.x)
      ----------------------------------------------------------
      http://localhost:8080/app/helloWorld

      GET /app/helloWorld HTTP/1.1
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Connection: keep-alive
      Referer: http://localhost:8080/app/login
      Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ

      HTTP/1.1 200 OK
      Content-Language: en-US
      Content-Type: text/html
      Content-Length: 526
      Server: Jetty(6.1.x)
      ----------------------------------------------------------
      http://localhost:8080/j_spring_security_check

      GET /j_spring_security_check HTTP/1.1
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Connection: keep-alive
      Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ

      HTTP/1.1 302 Found
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT
      Location: http://localhost:8080/app/login?login_error=1
      Content-Length: 0
      Server: Jetty(6.1.x)
      ----------------------------------------------------------
      http://localhost:8080/app/login?login_error=1

      GET /app/login?login_error=1 HTTP/1.1
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 115
      Connection: keep-alive
      Cookie: JSESSIONID=1dymxpkh13z32

      HTTP/1.1 200 OK
      Content-Language: en-US
      Content-Type: text/html
      Content-Length: 928
      Server: Jetty(6.1.x)
      ----------------------------------------------------------

      1. log.txt
        18 kB
        Taylor Leese

        Activity

        Luke Taylor added a comment -

        If your browser is issuing a GET request, then either you are sending it for some reason (because you aren't using a POST in your login form) or there is a redirect to that URL being sent by mistake. The latter case would be a bug, but there is no evidence for that in the responses you have shown here. You are best placed to debug the requests your browser sends and the dialogue which causes them. Please debug the setup and work out whether the request is sent. You haven't indicated whether it is the result of user action or not, but that should be easy to establish.

        Either that or post a complete sample which reproduces the problem.

        Taylor Leese added a comment -

        My login form looks like this. There's nowhere in my app where I issue the GET request for j_spring_security_check.

        <form action="/j_spring_security_check" method="post">
        <table>
        <tr><td>Username:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}" /></c:if>'/></td></tr>
        <tr><td>Password:</td><td><input type='password' name='j_password' /></td></tr>
        <tr><td>Keep me logged in:</td><td><input type='checkbox' name='_spring_security_remember_me' /></td></tr>
        <tr><td><input name="submit" type="submit" value="Submit" /></td><td><input name="reset" type="reset" value="Reset" /></td></tr>
        </table>
        </form>

        Taylor Leese added a comment -

        I can send you the .war file causing the problem, but I'd prefer to not post it in the JIRA issue. Is there an address I can e-mail it to?

        Taylor Leese added a comment -

        The sequence of requests I posted the HTTP headers for happens after clicking submit on the login form (1 user action). You can see the initial post in the headers.

        Luke Taylor added a comment -

        So you get a 200 for your GET /app/helloWorld HTTP/1.1 and the additional response is immediately after that? That would imply that the request comes from that page. Please debug that request. It also doesn't appear to match the log.

        Taylor Leese added a comment -

        The log shows a slightly different scenario where the user is redirected back to "/" rather than "/app/helloWorld" after a successful login and it demonstrates the same problem. There is no GET request for j_spring_security_check on either of these pages. The only time j_spring_security_check is referenced in my application is in the form post. What else could be causing the additional GET request?

        Taylor Leese added a comment -

        I think I just figured this out. I tried to reproduce the same issue in IE and I wasn't able to, so I did some more investigation, and it appears that when Firebug is open in Firefox the additional GET request appears in the headers. If I don't have Firebug open when I log in then there is no additional GET request and the remember cookie still exists. I'd have to say this is an issue with Firebug at this point. I'm using Firefox 3.6 and Firebug 1.5.3. Have you ever heard of Firebug causing problems with the remember me cookie?

        Luke Taylor added a comment -

        No, I'm not aware of anything Firebug related.

        Closing, as it's highly unlikely this is a Spring Security issue.
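
Added example (not part of the original issue or of Spring Security's code): a small Python check that walks a header trace in the format posted above and reports which request made the server blank the remember-me cookie, together with that request's Referer. The function names and the abbreviated trace are constructed for illustration.

```python
import re

# Constructed sample in the layout of the trace in the report; cookie values are made up.
SAMPLE_TRACE = """\
POST /j_spring_security_check HTTP/1.1
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=aaa

HTTP/1.1 302 Found
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=Y29uc3RydWN0ZWQ;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
----------------------------------------------------------
GET /j_spring_security_check HTTP/1.1
Cookie: JSESSIONID=bbb; SPRING_SECURITY_REMEMBER_ME_COOKIE=Y29uc3RydWN0ZWQ

HTTP/1.1 302 Found
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/app/login?login_error=1
----------------------------------------------------------
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/\d\.\d$")

def parse_exchanges(trace):
    """Split a header trace into exchanges: method, path, request and response headers."""
    exchanges = []
    for chunk in re.split(r"^-{5,}\s*$", trace, flags=re.M):
        ex, side = None, "req"
        for line in (l.strip() for l in chunk.splitlines()):
            m = REQUEST_LINE.match(line)
            if m:
                ex = {"method": m.group(1), "path": m.group(2), "req": [], "resp": []}
            elif ex and line.startswith("HTTP/"):
                ex["status"], side = int(line.split()[1]), "resp"
            elif ex and ": " in line:
                name, value = line.split(": ", 1)
                ex[side].append((name.lower(), value))
        if ex:
            exchanges.append(ex)
    return exchanges

def cookie_cancellations(exchanges, cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE"):
    """Return (method, path, referer) for each request whose response blanks the cookie."""
    hits = []
    for ex in exchanges:
        for name, value in ex["resp"]:
            if name == "set-cookie" and value.split(";", 1)[0].strip() == cookie + "=":
                referer = dict(ex["req"]).get("referer")
                hits.append((ex["method"], ex["path"], referer))
    return hits
```

In the constructed trace, as in the reported one, the cancelling request is the GET to /j_spring_security_check and it carries no Referer header.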


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Taylor Leese
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved: