Spring Security
  1. Spring Security
  2. SEC-1901

Forwarding to /j_spring_security_check results in 404

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.1
    • Component/s: Namespace
    • Labels:
      None

      Description

      In a JSF environment, RequestDispatcher is used to forward request to /j_spring_security_check to do user login. In Spring Security 3.1.0, doing so results in 404 error. The same code works fine with 3.0.7.

      Currently I use a custom filter to invoke UsernamePasswordAuthenticationFilter directly to work around the problem. As such, I suspect FilterChainProxy is not run when the request is forwarded.

        Activity

        Hide
        Luke Taylor added a comment -

        Are you applying the security filter chain to forwarded requests in your web.xml configuration?

        Show
        Luke Taylor added a comment - Are you applying the security filter chain to forwarded requests in your web.xml configuration?
        Hide
        Brad Chen added a comment -

        Yes, FORWARD is one of the dispatchers for the filter. The code works in 3.0.7 but not in 3.1.0.

        Show
        Brad Chen added a comment - Yes, FORWARD is one of the dispatchers for the filter. The code works in 3.0.7 but not in 3.1.0.
        Hide
        Luke Taylor added a comment -

        Sorry, but it's pretty hard to know what's going on without more details. Could you provide a sample app which reproduces the issue? Or some the debug log from the point where the request is forwarded. It may also depend on the container you're running in.

        Show
        Luke Taylor added a comment - Sorry, but it's pretty hard to know what's going on without more details. Could you provide a sample app which reproduces the issue? Or some the debug log from the point where the request is forwarded. It may also depend on the container you're running in.
        Hide
        Brad Chen added a comment -

        sample app

        Show
        Brad Chen added a comment - sample app
        Hide
        Brad Chen added a comment -

        The sample app has been attached. It seems that the problem occurs when <debug /> is enabled in security.xml. When it's removed, the app works fine.

        The user of the sample app is admin/admin.

        Show
        Brad Chen added a comment - The sample app has been attached. It seems that the problem occurs when <debug /> is enabled in security.xml. When it's removed, the app works fine. The user of the sample app is admin/admin.
        Hide
        Rob Winch added a comment -

        Thanks for the good example project. The issue was that DebugFilter extended OncePerRequestFilter which will only be invoked once per request (i.e. it skips being invoked on the FORWARD). I have made updates in master to correct the issue.

        Show
        Rob Winch added a comment - Thanks for the good example project. The issue was that DebugFilter extended OncePerRequestFilter which will only be invoked once per request (i.e. it skips being invoked on the FORWARD). I have made updates in master to correct the issue.
        Hide
        Rob Winch added a comment -

        Changed to namespace since the DebugFilter is in config jar not the web jar

        Show
        Rob Winch added a comment - Changed to namespace since the DebugFilter is in config jar not the web jar

          People

          • Assignee:
            Rob Winch
            Reporter:
            Brad Chen
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: