14

I have an application that uses Spring Security 3 and runs on Tomcat. I didn't define any favicon for my website; however, when I run my application from my IDE, sometimes after I log in from my login page it redirects me to:

http://localhost:8080/favicon.ico

and says:

404 Not Found

There is a topic here: http://forum.springsource.org/showthread.php?100901-redirect-to-favicon.ico. However, I didn't define a favicon.ico. Does Spring Security 3 want it by default (and if yes, why does it happen only sometimes)?

K.C.
kamaci

2 Answers

19

Here is the explanation:

The issue is, when the browser cache is empty and a user comes in, here is what happens:

  • the user requests URL "/". This URL is cached.
  • the browser makes a request to "/favicon.ico". This URL becomes the new URL to redirect to upon authentication.
  • the user posts the login form and is redirected to "/favicon.ico".

To fix this, you need to set "/favicon.ico" as being a non-secured resource:

<intercept-url pattern="/favicon.ico" access="ROLE_ANONYMOUS" />

Taken from: http://blog.idm.fr/2010/09/spring-security-redirecting-to-faviconico.html

kamaci
  • I stumbled upon this Q&A when trying to figure this out for my Grails app. I'm using an altered URLMappings configuration to work with my AngularJS/Grails app, where Grails is mostly a REST backend. Spring Security is used for ajax auth and I've run into this issue in Chrome as well. For Grails users, add an entry into UrlMappings like: "/favicon.ico"(controller: "home", action: "ajaxSuccess") where ajaxSuccess contains a redirect to the place you might want to send the user to on auth success. – th3morg Feb 10 '14 at 20:33
  • There is a good description of this issue here: http://www.webweaver.nu/html-tips/favicon.shtml – Bob Horn Jun 12 '15 at 13:06
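
The sequence described in the answer above, as an added example that is not part of the original answer or of Spring Security's own code: a simplified Python model of one saved-request slot per session, where the last denied request wins. The `/login` path, `ROLE_USER` and all function names are assumptions for illustration; the third rule set shows that the favicon rule only helps when it is listed before the catch-all pattern.

```python
# Simplified model (constructed for illustration, not Spring Security source).
from fnmatch import fnmatchcase

class Session:
    def __init__(self):
        self.saved_request = None   # single slot: the last denied request
        self.authenticated = False

def is_public(path, rules):
    """First matching rule wins, as with ordered <intercept-url> elements."""
    for pattern, access in rules:
        if fnmatchcase(path, pattern):
            return access == "ROLE_ANONYMOUS"
    return True  # no rule matched: resource is not secured

def handle_get(session, path, rules):
    """Return the path actually served for a GET request."""
    if session.authenticated or is_public(path, rules):
        return path
    session.saved_request = path    # overwrites any earlier saved request
    return "/login"                 # assumed login page

def login(session, default_target="/"):
    """Successful login: go to the saved request, else the default target."""
    session.authenticated = True
    target = session.saved_request or default_target
    session.saved_request = None
    return target

def simulate(rules, favicon_cached):
    """Replay the sequence from the answer; return the post-login landing URL."""
    session = Session()
    handle_get(session, "/", rules)                 # user requests "/"
    if not favicon_cached:                          # empty browser cache
        handle_get(session, "/favicon.ico", rules)  # automatic browser request
    return login(session)

# Constructed rule sets; ROLE_USER and /login are assumptions.
BROKEN = [("/login", "ROLE_ANONYMOUS"), ("/**", "ROLE_USER")]
FIXED = [("/login", "ROLE_ANONYMOUS"),
         ("/favicon.ico", "ROLE_ANONYMOUS"), ("/**", "ROLE_USER")]
MISORDERED = [("/login", "ROLE_ANONYMOUS"),
              ("/**", "ROLE_USER"), ("/favicon.ico", "ROLE_ANONYMOUS")]

if __name__ == "__main__":
    for name, rules in [("broken", BROKEN), ("fixed", FIXED),
                        ("misordered", MISORDERED)]:
        print(name, "->", simulate(rules, favicon_cached=False))
```

With a warm browser cache the favicon request never happens, which is why the redirect shows up only sometimes.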
0

For Grails 3.0.11 & Spring Security Core 3.0.2, add "IS_AUTHENTICATED_ANONYMOUSLY" in application.groovy in the section:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
...
..
.
[pattern: '/favicon.ico',      access: ['IS_AUTHENTICATED_ANONYMOUSLY']]
]
Samuel Seda