
I am developing a Spring MVC / Spring Security application.

I do not have any exceptions or errors, but there is a redirect loop on one of the pages.

I'm using Spring 3.0.1 and Spring Security 3.0.1.

My dispatcher-security.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:security="http://www.springframework.org/schema/security"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
   http://www.springframework.org/schema/security
   http://www.springframework.org/schema/security/spring-security-3.0.xsd">

   <security:http auto-config="true" use-expressions="true"> 
      <security:form-login login-page="/login" default-target-url="/login" authentication-failure-url="/fail2login"/> 
      <security:logout logout-success-url="/"/> 
      <security:intercept-url pattern="/auth/**" access="hasRole('ANONYMOUS')" /> 
      <security:intercept-url pattern="/js/**" access="hasRole('ANONYMOUS')" /> 
      <security:intercept-url pattern="/css/**" access="hasRole('ANONYMOUS')" /> 
      <security:intercept-url pattern="/**" access="hasRole('ADMIN')" /> 
   </security:http>

   <security:authentication-manager>  
      <security:authentication-provider>  
         <security:jdbc-user-service data-source-ref="dataSource1"
           users-by-username-query=" select name,password,enabled from user where name=?"      
           authorities-by-username-query="select u.name, r.role from user u, role r where u.role = r.auto_id and u.name =?  "
         />
      </security:authentication-provider>  
   </security:authentication-manager>

</beans>

Please help me......

Alexey
Shiva Kumar

1 Answer


The default-target-url attribute defines the page where the user is redirected in case of a successful login. Usually it is the home page of your application. You have default-target-url="/login", so it redirects you back to the login page after a successful login.

I do not understand the meaning of the ANONYMOUS role in your example. If it is the built-in role for anonymous users, I think it is called ROLE_ANONYMOUS. In this case you probably use it incorrectly, and these two lines:

<security:intercept-url pattern="/js/**" access="hasRole('ANONYMOUS')" />
<security:intercept-url pattern="/css/**" access="hasRole('ANONYMOUS')" />

should be replaced with something like this:

<security:intercept-url pattern="/js/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
<security:intercept-url pattern="/css/**" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />

Otherwise ONLY unauthenticated users will be able to access the /js/ and /css/ directories.

ROLE_USER is not a built-in role, it is a role that you define manually for all authenticated users.

See also:

What is the difference between ROLE_USER and ROLE_ANONYMOUS

The Spring Security Reference: Anonymous Authentication

Alexey
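A corrected `<security:http>` block for the configuration in the question, added here as an example; it is not code from the question or from the answer above. It assumes that `GET /login` and `/fail2login` are served by the application's own controllers, that `/` is the home page, and that the `authorities-by-username-query` returns the literal string `ADMIN` (in Spring Security 3.0, `hasRole()` compares the authority string as-is and does not add a `ROLE_` prefix). Besides fixing `default-target-url`, it grants anonymous access to the login page itself: a login page whose URL is covered only by the `/**` rule requires `ADMIN`, so an unauthenticated request to it is redirected straight back to `/login`, which is the classic cause of a redirect loop with this kind of configuration.

```xml
<!-- Added example (not the question's or answer's own code).
     Assumptions: /login and /fail2login are application pages, / is the home page,
     and the role authority stored in the database is the literal string ADMIN. -->
<security:http auto-config="true" use-expressions="true">
   <!-- After a successful login, land on the home page, not back on the login page. -->
   <security:form-login login-page="/login"
                        default-target-url="/"
                        authentication-failure-url="/fail2login"/>
   <security:logout logout-success-url="/"/>

   <!-- The login page, the failure page and static assets must be reachable before
        authentication. permitAll grants access to everyone, anonymous or not; using
        hasRole('ROLE_ANONYMOUS') alone would lock logged-in users out of /js and /css. -->
   <security:intercept-url pattern="/login" access="permitAll"/>
   <security:intercept-url pattern="/fail2login" access="permitAll"/>
   <security:intercept-url pattern="/auth/**" access="permitAll"/>
   <security:intercept-url pattern="/js/**" access="permitAll"/>
   <security:intercept-url pattern="/css/**" access="permitAll"/>

   <!-- Everything else is for administrators only. This rule must stay last:
        intercept-url patterns are evaluated in order and the first match wins,
        so a catch-all placed earlier would shadow the public rules above. -->
   <security:intercept-url pattern="/**" access="hasRole('ADMIN')"/>
</security:http>
```

If `/auth/**` is meant to be reachable by anonymous users only (for example a registration flow that logged-in users should not re-enter), use `access="isAnonymous()"` for that one pattern instead of `permitAll`; for static assets, `permitAll` is the setting that matches the intent of serving them to every visitor.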