Secure Login with Spring Security 2.0

August 18th, 2008 | by richfreedman

If you are reading this, then I’m sure you already know that with the latest release, Spring’s Acegi Security has been renamed Spring Security.

Much has changed. Setting up Spring Security for most applications now takes drastically less configuration xml, mostly thanks to the <http auto-config="true"> element, which automatically wires up the most commonly used options (form login, HTTP Basic authentication and logout).

Most of the examples that I was able to find on the web for custom form-login, even for Acegi, showed the login form posting the credentials in the clear over plain http, where anyone on the network path can read them. Not very secure.

The solution seemed pretty simple – add channel security for the login page, like so:

<intercept-url
    pattern="/login**"
    access="IS_AUTHENTICATED_ANONYMOUSLY"
    requires-channel="https"
/>

This did indeed make the login page switch to https. Unfortunately, it also made my login fail with a “Bad Credentials” message.

Many hours later, after trying all sorts of combinations and combing the web for a clue, I determined that, not surprisingly, Spring Security was not broken; I had misconfigured it.

Turns out that I had added a catch-all intercept-url, requiring http for anything not matching a url pattern that I had explicitly configured for https. The gotcha was that the login form posts to /j_spring_security_check, and the intercept-url patterns are matched against every request, the form POST included, with the first match winning. The POST matched only the catch-all, so the channel-processing filter (which runs before the authentication filter) redirected it to the http port. A browser follows that redirect with a GET that carries none of the form fields, so the authentication filter saw an empty username and password and answered “Bad Credentials”. Doh!

So, the solution was to explicitly configure /j_spring_security_check for https, ahead of the catch-all.

My resulting configuration is:

<http auto-config="true">
    <form-login
        login-page="/login.jsp"
        authentication-failure-url="/login.jsp?login_error=1"
        default-target-url="/admin/user.htm"
    />

    <!-- maps the http port to the https port used when switching channels -->
    <port-mappings>
        <port-mapping http="8080" https="8443"/>
    </port-mappings>

    <!-- intercept-url patterns are tried in order and the first match wins,
         so the specific rules come first and the catch-all stays last -->
    <intercept-url
        pattern="/login**"
        access="IS_AUTHENTICATED_ANONYMOUSLY"
        requires-channel="https"
    />

    <!-- the login form posts here; without this rule the catch-all below
         would redirect the POST to http and the credentials would be lost -->
    <intercept-url
        pattern="/j_spring_security_check"
        access="IS_AUTHENTICATED_ANONYMOUSLY"
        requires-channel="https"
    />

    <intercept-url
        pattern="/admin/index.htm"
        access="ROLE_USER"
        requires-channel="https"
    />

    <intercept-url
        pattern="/admin/user.htm"
        access="ROLE_USER"
        requires-channel="https"
    />

    <intercept-url
        pattern="/admin/**"
        access="ROLE_ADMIN"
        requires-channel="https"
    />

    <intercept-url
        pattern="/**"
        access="IS_AUTHENTICATED_ANONYMOUSLY"
        requires-channel="http"
    />

</http>

And now everything works properly. Doh! Indeed. Two things are worth keeping in mind about this configuration. First, the patterns are evaluated in order and the first match wins, so the specific /admin rules have to come before /admin/** and the catch-all /** has to stay last. Second, because the catch-all bounces everything else back to http, the session cookie issued during the https login is later sent in the clear, where it can be sniffed and replayed on an untrusted network; if that matters to you, keep authenticated users on https rather than switching them back.
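As an added example (not code from the original post or from Spring Security itself), the Python script below emulates how Spring Security 2.0 walks the intercept-url list: patterns are tried in document order and the first match decides both the access attribute and the required channel. It loads two constructed <http> fragments, the first attempt without a rule for /j_spring_security_check and the fixed version, resolves the URL the login form posts to against each, and also flags literal patterns that an earlier wildcard rule shadows (the same class of mistake, applied to /admin/**). The XML fragments, the function names, and the lower-casing and query-string handling are assumptions of this example, not Spring Security's own code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <http> fragments (the element only, not a full beans file).
# First attempt: a catch-all forces http and nothing covers the URL the
# login form posts to.
BROKEN_HTTP = """
<http auto-config="true">
  <intercept-url pattern="/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
  <intercept-url pattern="/admin/user.htm" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http"/>
</http>
"""

# The fix: an explicit https rule for /j_spring_security_check before the catch-all.
FIXED_HTTP = """
<http auto-config="true">
  <intercept-url pattern="/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
  <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
  <intercept-url pattern="/admin/user.htm" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http"/>
</http>
"""

# Same class of mistake: /admin/** listed before /admin/user.htm, so the
# ROLE_USER rule can never fire.
MISORDERED_HTTP = """
<http auto-config="true">
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
  <intercept-url pattern="/admin/user.htm" access="ROLE_USER" requires-channel="https"/>
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http"/>
</http>
"""


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern to a regex: '**' spans path
    segments, '*' stays within one segment, '?' is a single character."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def load_rules(http_xml):
    """Read the <intercept-url> elements in document order."""
    root = ET.fromstring(http_xml.strip())
    rules = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "intercept-url":
            continue
        pattern = el.get("pattern")
        rules.append({
            "pattern": pattern,
            "access": el.get("access"),
            "channel": el.get("requires-channel", "any"),
            # Assumed here, mirroring the 2.0 default for ant paths:
            # paths are lower-cased before comparison.
            "regex": ant_to_regex(pattern.lower()),
        })
    return rules


def resolve(rules, request_url):
    """Return the first matching rule, as the filter chain does (or None).
    The query string is kept on purpose: 2.x compares the full request URL,
    which is why /login** rather than /login.jsp covers /login.jsp?login_error=1."""
    url = request_url.lower()
    for rule in rules:
        if rule["regex"].match(url):
            return rule
    return None


def shadowed_rules(rules):
    """Literal patterns that an earlier rule already matches; they never fire."""
    dead = []
    for i, rule in enumerate(rules):
        if any(c in rule["pattern"] for c in "*?"):
            continue
        for earlier in rules[:i]:
            if earlier["regex"].match(rule["pattern"].lower()):
                dead.append((rule["pattern"], earlier["pattern"]))
                break
    return dead


def login_post_channel(http_xml):
    """Channel the form POST target resolves to. Anything but https means the
    channel filter redirects the POST and the submitted credentials are lost."""
    rule = resolve(load_rules(http_xml), "/j_spring_security_check")
    return rule["channel"] if rule else "any"


if __name__ == "__main__":
    for name, xml in (("broken", BROKEN_HTTP), ("fixed", FIXED_HTTP)):
        print(f"{name}: POST /j_spring_security_check requires {login_post_channel(xml)}")
    print("shadowed rules in misordered config:", shadowed_rules(load_rules(MISORDERED_HTTP)))
```

Run it and the broken fragment reports http for the login POST while the fixed one reports https; the misordered fragment lists /admin/user.htm as unreachable behind /admin/**. The same two checks, run against your own <http> element, catch the two ordering mistakes this post is about before you spend hours on a “Bad Credentials” message.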

If you’ve read this far, I hope that this saves you a few hours.

7 Responses to “Secure Login with Spring Security 2.0”

By nikhil on Nov 20, 2008

thank you!

By emanuele on Jan 6, 2009

thank you, I didn’t think at all about what could be the cause of the login not working!
Anyway, I guess you’re not using Tomcat as application server, since I found that switching from HTTPS (login page) to HTTP loses the session in Tomcat, unless you make some very tricky workarounds. So I didn’t solve my problem anyway; I’ll probably have to stick with HTTPS for the whole web application.
Anyway, thank you for the hint!

By richfreedman on Jan 6, 2009

emanuele,

Indeed, I have the same problem (on tomcat) – switching to http after login loses the session – I just keep the user in https unless they explicitly log out.

It seems that this behavior was added to later versions of tomcat as a security feature.

I haven’t tried it, but if you need to be able to switch between https and http without losing the session, take a look at http://forums.sun.com/thread.jspa?threadID=197150&messageID=2255222 – look at the example on the second page.

By emanuele on Jan 10, 2009

thank you richfreedman! It looks promising… I’ll take a look at that.

By Sakr on Feb 5, 2010

Hi everyone,
I am also facing the same problem when switching from my https login page to the http session. Did anyone find a solution for this issue?

By Ateet on Mar 31, 2010

Hi,

I am facing the problem while switching from https to http in a Spring Security application.

Here is my applicationContext-security.xml

and while accessing login.jsp, it says This program cannot display the webpage

Please help asap.

Thanks in advance
Ateet

By richfreedman on Mar 31, 2010

Ateet,

Sorry, the contents of your security context file didn’t make it through the comment editor.
I’m afraid that I can’t spend the time to debug everyone’s spring security setup who asks (I get a lot of queries here), unless you wish to contract with the consulting company that I work for ( http://chariotsolutions.com ).

I suggest that you try the examples that I’ve posted here, as well as the link in the earlier comments about the issue of switching between https and http.