Spring 3 Security j_spring_security_check

Question

I'm trying to learn, how spring security works, so I've downloaded some sample project and then I tried to implement that solution to my project. But when I try to login, I get 404 error and in an address bar I have http://localhost:8080/fit/j_spring_security_check. I tried to look at similar questions here, but I wasn't able to realize, how to apply it to my project. I'd be really thankful, if somebody, who is more experienced, could help me.

My app structure looks like this:

enter image description here

applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:security="http://www.springframework.org/schema/security"
   xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<context:annotation-config/>

<context:component-scan base-package="cz.cvut.fit"/>

<import resource="classpath:applicationContext-security.xml"/>

</beans>

applicationContext-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:mvc="http://www.springframework.org/schema/mvc"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:security="http://www.springframework.org/schema/security"
   xsi:schemaLocation="
    http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<context:annotation-config/>

<context:component-scan base-package="cz.cvut.fit" />

<mvc:annotation-driven />

<security:global-method-security jsr250-annotations="enabled"
                                 proxy-target-class="true"/>
</beans>

applicationContext-security.xml:

<beans xmlns:security="http://www.springframework.org/schema/security"
   xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<security:http pattern="/css/**" security="none"/>
<security:http pattern="/views/login.jsp*" security="none"/>
<security:http pattern="/views/denied.jsp" security="none"/>

<security:http auto-config="true" access-denied-page="/denied.jsp" servlet-api-provision="false">
    <security:intercept-url pattern="/views/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/views/edit/**" access="ROLE_EDIT"/>
    <security:intercept-url pattern="/views/admin/**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:form-login login-page="/views/login.jsp" authentication-failure-url="/denied.jsp"
                         default-target-url="/home.jsp"/>
    <security:logout/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="adam" password="adampassword" authorities="ROLE_USER"/>
            <security:user name="jane" password="janepassword" authorities="ROLE_USER, ROLE_ADMIN"/>
            <security:user name="sue" password="suepassword" authorities="ROLE_USER, ROLE_EDIT"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

</beans>

`j_spring_security_check` is a Servlet where the actual authentication is made and you must map the action of your login form to this Servlet. Are you doing this on your login page - `
...
`? — Lion, Mar 12 '13 at 15:41
Please show your web.xml. /j_spring_security_check URL must be processed by springSecurityFilterChain filter. — Maksym Demidas, Mar 12 '13 at 15:44
Yes, I am... But I've got no clue, what to do next, to make it work well. :-/ — Martin Dvoracek, Mar 12 '13 at 15:44
I assume, that this part of web.xml will be enough: ` springSecurityFilterChain org.springframework.web.filter.DelegatingFilterProxy springSecurityFilterChain /* ` — Martin Dvoracek, Mar 12 '13 at 15:45
Are you sure that `/home.jsp` isn't doing 404? Shouldn't it be `/views/home.jsp`? If it's not a case, add [``](http://static.springsource.org/spring-security/site/docs/3.1.x/reference/appendix-namespace.html#nsa-debug) to your config, try again and post output here. — Grzegorz Rożniecki, Mar 13 '13 at 08:28
I've solved it already...particulary....If I put JSP pages to `/` instead of `/WEB-INF/views`, then it works...however I want to use MVC as well, so I need to find out, how to do that :-/ — Martin Dvoracek, Mar 13 '13 at 11:00

score 11 · Accepted Answer · answered Oct 21 '13 at 10:33

You are trying to validate to a uri based on the current context path of the web page. the JSTL tag lib can be used to ensure you easily generate the correct urls based on the context of the application. You can do this by using a tag library if you want to get it implemented quickly. To do this you can add the jstl tag library to the top of the jsp:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

Then you can use the following to post to the login servlet.

<form action="<c:url value="/j_spring_security_check"></c:url>" method="post" role="form">

This ensures you alway post to <your_application_context>/j_spring_security_check.

reference for jstl: http://docs.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/url.html

score 0 · Answer 2 · answered May 22 '18 at 10:18

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
        org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Add your web.xml File .Its Create Bean of Your springSecurityFilterChain .Then you Got Response

score 0 · Answer 3 · answered Jun 24 '20 at 09:56

The path /j_spring_security_check has changed to /login in spring 4 and it is handled in UsernamePasswordAuthenticationFilter

You can find it's source here: https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/UsernamePasswordAuthenticationFilter.java

Spring 3 Security j_spring_security_check

3 Answers3

Linked