Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.6
    • Fix Version/s: 3.1.0.M2
    • Component/s: Core
    • Labels:
      None
    • Environment:
      Spring 2.5.5, Windows 7, Java 1.5_11, Spring Security 2.0.6

      Description

      I wanted to upgrade to Spring Security 2.0.6 from Spring Security 2.0.5, that is, one minor version up. I use Struts 1.3.10. When I replaced the 4 jar files with the ones from 2.0.6, I started getting strange error messages from Struts saying that no action path could be found.

      The following are the 4 jars that I replaced with the 2.0.6 versions.
      spring-security-acl-2.0.5.RELEASE.jar
      spring-security-core-2.0.5.RELEASE.jar
      spring-security-core-tiger-2.0.5.RELEASE.jar
      spring-security-taglibs-2.0.5.RELEASE.jar

      After trying various things unsuccessfully, I decided to create a bare bones functional project and try my upgrade there.

      What I discovered is that 2.0.6 appears to have problems dealing with JSP forward. In 2.0.5 things work fine, but in 2.0.6 things go into a loop while running inside of Eclipse/Tomcat 5.5.

      I create a fresh Eclipse Dynamic Web project. I add an index.jsp which has one line to perform a jsp:forward to another .jsp page. I tested with no Spring and it works as expected. I then introduce Spring Security 2.0.5 and Spring 2.5.5 into the mix and things still work as expected. (The intercept-url for index.jsp has filters=none.)

      I then replace the above-mentioned 4 files with the 2.0.6 versions. Then when I try to navigate to the index.jsp via browser (Firefox 3.6.12), the Tomcat server goes into a loop spewing out a very large stack trace.

      I'm attaching the eclipse project as well as the tomcat log file.

      The main reason I wanted to upgrade to 2.0.6 is because for some reason, I am not able to get "access-denied-page" attribute to work on the http element.

          Activity

          Luke Taylor added a comment -

          This is a duplicate of the issue reported as SEC-1606. You can follow the workaround which is described in that issue.

          Pronab Saha added a comment -

          I've consulted SEC 1606, SEC 1614, and SEC 1608 and tried the following three approaches. One works and the other two did not work for me.

          a) modify the index.jsp from having filters="none" to access="ROLE_ANONYMOUS, ROLE_USER". This works. The jsp:forward no longer goes into a loop.

          b) Keep filters="none" for index.jsp. Use the http-firewall element and the firewall class as commented by Rob Winch on 8/Nov/10 2:50 PM on SEC 1606. This does not appear to work for me. I get similar behaviour as before.

          c) I tried to get approach number #2 from SEC 1608 to work. However, I don't think I am setting it up correctly. I created a filter and tried to configure it in the application context file as below. It also went in a loop when using filters="none" for the /index.jsp

          <bean id="workaroundFilter" class="com.paylynxs.filter.WorkaroundFilter">
              <security:custom-filter position="LAST"/>
          </bean>

          The relevant portion of the WorkaroundFilter looks like below

          public class WorkaroundFilter implements Filter {

              public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
                  while (request instanceof ServletRequestWrapper) {
                      if (request instanceof FirewalledRequest) {
                          ((FirewalledRequest) request).reset();
                          break;
                      }
                      request = ((ServletRequestWrapper) request).getRequest();
                  }
              }

          }

          Luke Taylor added a comment -

          You have to add the filter in web.xml. Adding it to the security filters has no effect since you are bypassing them by using filters="none".
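
The web.xml registration described in the last comment, as an added example that is not part of the original thread or of the Spring Security project. It assumes the usual springSecurityFilterChain DelegatingFilterProxy setup (the reporter's web.xml is not shown on the page) and places the workaround filter after it, because the posted filter looks for a FirewalledRequest wrapper on the incoming request.

```xml
<!-- Added example: web.xml fragment. The springSecurityFilterChain entries
     are the assumed standard setup; only the class name
     com.paylynxs.filter.WorkaroundFilter comes from the page. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Declared as a plain servlet filter, so the container invokes it for
     every matching request, including paths marked filters="none". -->
<filter>
    <filter-name>workaroundFilter</filter-name>
    <filter-class>com.paylynxs.filter.WorkaroundFilter</filter-class>
</filter>

<!-- The container applies url-pattern mappings in the order they appear.
     Mapping the workaround filter second means it receives the request
     after the security filter chain has handed it on (assumed ordering,
     based on the instanceof FirewalledRequest check in the posted code). -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>workaroundFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

With this registration the `<security:custom-filter position="LAST"/>` decoration in the application context is no longer what puts the filter on the request path. A filter registered this way also has to call chain.doFilter(...) for the request to reach the JSP, which the excerpt posted in the thread does not show.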


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Pronab Saha
            • Votes:
              0
              Watchers:
              0