Friday, February 17, 2012

Spring Security custom login page infinite redirect problem [Solved]

Spring Security lets us define our own custom login page instead of the default one generated by the framework. This login page is where a user authenticates, and from that authentication Spring Security determines the ROLE of the user accessing the web application.

However, I ran into a problem with the following security XML configuration:

    <http>
        <!-- every URL, including "/login" itself, requires ROLE_USER -->
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page="/login"
                    login-processing-url="/static/j_spring_security_check"
                    authentication-failure-url="/login?error=t"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- in-memory user with a plain-text password: fine for a demo, not for production -->
            <user-service>
                <user name="rahul" password="rahul123" authorities="ROLE_ADMIN,ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

When I hit the URL, the request entered an infinite redirect loop to the login page, and Firefox showed an error message like "Firefox has detected that the server is redirecting the request for this address in a way that will never complete".

When I looked into it, the real reason for the problem became clear. The pattern in the intercept-url tag was "/**", which simply means that every request whose path starts with "/" is intercepted and must be authenticated for ROLE_USER. To perform that authentication, Spring Security redirects to the "/login" page, but "/login" also starts with "/", so it is intercepted in turn and again requires ROLE_USER, for which it would again redirect to "/login". It is a perfect example of a Catch-22 situation: the request kept redirecting to itself.

Now that we understand the problem, the solution should not be difficult. Personally I think a pattern of "/**" is a dangerous conundrum here, so instead one should use something like "/home/**" (or any other pattern that does not cover "/login") for intercept-url, so that "/login" is not itself subject to authentication. Doing this solved my problem.

    <intercept-url pattern="/home/**" access="ROLE_USER"/>
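As an added configuration example (not from the original post), here is the other way to break the loop described above while keeping a deny-by-default rule: intercept-url elements are evaluated in order and the first matching pattern wins, so an explicit rule for "/login" placed before "/**" lets the login page through without leaving every URL outside "/home/**" unprotected. It assumes the same Spring Security 3.x XML namespace as the post's configuration, without the expression language, which is why the login rule uses IS_AUTHENTICATED_ANONYMOUSLY rather than permitAll; the user entry is the post's demo user.

```xml
<http>
    <!-- first match wins: the login page (and "/login?error=t") must come before "/**" -->
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <!-- everything else still requires ROLE_USER, so nothing is silently left open -->
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <!-- the login-processing-url is consumed by the form-login filter before the
         URL interceptor runs, so it needs no intercept-url rule of its own -->
    <form-login login-page="/login"
                login-processing-url="/static/j_spring_security_check"
                authentication-failure-url="/login?error=t"/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <!-- demo credentials from the post; use a hashed password store in real deployments -->
            <user name="rahul" password="rahul123" authorities="ROLE_ADMIN,ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```

A quick check that the rule order is right: requesting a protected URL while logged out should redirect once to "/login" and stop there, and requesting "/login" directly should render the page without any redirect. If "/login" still loops, the "/login" rule is either missing or listed after "/**".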
