So I started out migrating the Spring components of my web application by updating Maven to pull the 4.x Spring releases.
I expected some changes with regard to Spring MVC, but I didn't expect changes related to Spring Security.
The spring-security.xml started out as follows:
And the login.jsp had the standard fields and action:
<form name="loginForm" action="<c:url value='/j_spring_security_check' />" method="POST">
  <table>
    <tr>
      <td>User:</td>
      <td><input type="text" name="j_username" /></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input type="password" name="j_password" /></td>
    </tr>
    <tr>
      <td colspan="2"><input name="submit" type="submit" value="submit" /></td>
    </tr>
  </table>
</form>
The problem started once I had the application running entirely on Spring 4.x and tried logging in, without success.
Nothing made sense. I examined the logs, which reported "Access is denied" and "anonymousUser". This seemed odd because the HTTP POSTs looked fine.
I tried modifying the spring-security.xml many times without success. Then I tried to move the security configuration from XML to Java-based. Essentially, I introduced a SecurityConfig class (with the @EnableWebSecurity annotation), but that didn't work either.
Finally, I went back to the XML-based configuration and added j_spring_security_check/j_username/j_password. This solved the problem. It still doesn't make sense to me why I had to do that.
Here’s what the spring-security.xml ended up looking like:
<sec:http use-expressions="true" auto-config="true">
  <sec:csrf disabled="true"></sec:csrf>
  <sec:intercept-url pattern="/css/*" access="permitAll"/>
  <sec:intercept-url pattern="/images/*" access="permitAll"/>
  <sec:intercept-url pattern="/jsp/login.jsp" access="permitAll"/>
  <sec:intercept-url pattern="/**" access="isAuthenticated()" />
  <sec:form-login login-page="/jsp/login.jsp" login-processing-url="/j_spring_security_check" username-parameter="j_username" password-parameter="j_password" default-target-url="/index.html" authentication-failure-url="/jsp/login.jsp?login_error=1" always-use-default-target="true"/>
  <sec:logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/jsp/login.jsp?loggedout=true" />
</sec:http>
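The likely explanation for the behaviour described above is a set of default changes in Spring Security 4.0: the form-login processing URL moved from /j_spring_security_check to /login, the parameter names from j_username/j_password to username/password, the logout URL from /j_spring_security_logout to /logout, and CSRF protection became enabled by default for the XML namespace as well. Under the new defaults a POST to /j_spring_security_check is never picked up by the login filter; it is just an unauthenticated request to a URL covered by the /** rule, which is exactly the "Access is denied" / "anonymousUser" pair seen in the logs. Setting the legacy names explicitly, as the XML above does, restores the old wiring. The one thing worth not carrying over is `<sec:csrf disabled="true"/>`, which switches off a protection the framework now gives for free. The following Java configuration is an added example, not code from the original post: it is the Java-config equivalent of the XML above for Spring Security 4.x, keeps the legacy URL and parameter names so the existing login.jsp still works, and leaves CSRF enabled. The package name and the in-memory user are placeholders assumed for illustration.

```java
package example.security; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Java-config equivalent of the spring-security.xml shown above, for Spring Security 4.x.
 * Differences from the XML: CSRF protection is left at its default (enabled), and the
 * pre-4.0 URL and parameter names are set explicitly because 4.0 changed the defaults
 * to /login, username, password and /logout.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // "/css/**" also matches subdirectories; the XML's "/css/*" matches one level only
                .antMatchers("/css/**", "/images/**", "/jsp/login.jsp").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/jsp/login.jsp")
                // legacy names, so the existing login.jsp form keeps working unchanged
                .loginProcessingUrl("/j_spring_security_check")
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .defaultSuccessUrl("/index.html", true)   // always-use-default-target="true"
                .failureUrl("/jsp/login.jsp?login_error=1")
                .and()
            .logout()
                // With CSRF enabled, logout is only accepted as a POST that carries the token.
                .logoutUrl("/j_spring_security_logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/jsp/login.jsp?loggedout=true");
        // Deliberately no http.csrf().disable(): CsrfFilter stays active, so every
        // state-changing POST (login and logout included) must submit the token.
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Placeholder in-memory user for a local test (assumed); a real deployment
        // wires a UserDetailsService and a PasswordEncoder here instead.
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }
}
```

Because CSRF stays enabled, the login form above needs one extra line inside the `<form>`: `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />` (the `_csrf` request attribute is set by CsrfFilter; with spring-security-taglibs on the classpath `<sec:csrfInput />` renders the same field). Logout must become a small POST form carrying the same hidden field rather than a plain link to /j_spring_security_logout, since the filter rejects a GET logout once CSRF is on.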