SEC-1441: Additional GET /j_spring_security_check request issued after authentication causes remember me cookie to be removed #1678

Closed
spring-issuemaster opened this Issue Mar 17, 2010 · 8 comments

@spring-issuemaster

Taylor Leese (Migrated from SEC-1441) said:

I've been trying to track down why Spring Security isn't creating the Spring Security remember me cookie in my application. However, based on what I see via the HTTP headers the cookie is being set; it's just that there is an additional GET request for /j_spring_security_check that is causing the exception below. This also results in the cookie being removed. Note, the attached log also shows that the initial post to /j_spring_security_check (and authentication) was successful. I'm unclear what is causing the additional GET /j_spring_security_check request. Any ideas what is going on?

Here is the debug log information (also attached):

Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter doFilter
FINE: Request is to process authentication
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Updated SecurityContextHolder to contain null Authentication
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
FINE: Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4196c16
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices loginFail
FINE: Interactive login attempt was unsuccessful.
Mar 17, 2010 10:38:35 AM org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices cancelCookie
FINE: Cancelling cookie

Here are the HTTP headers for the sequence of events:

http://localhost:8080/j_spring_security_check

POST /j_spring_security_check HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=15t2gq1vo5noj
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
j_username=test%40test.com&j_password=test&_spring_security_remember_me=on&submit=Submit
HTTP/1.1 302 Found
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1dymxpkh13z32;Path=/
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
Location: http://localhost:8080/app/helloWorld
Content-Length: 0

Server: Jetty(6.1.x)

http://localhost:8080/app/helloWorld

GET /app/helloWorld HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ

HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/html
Content-Length: 526

Server: Jetty(6.1.x)

http://localhost:8080/j_spring_security_check

GET /j_spring_security_check HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=U05kS2NTakNIZTNDd0hFcWxqZXRUQT09Oi90M3Q0NTA1czhxSjRadTQ5NW5FQVE9PQ

HTTP/1.1 302 Found
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/app/login?login_error=1
Content-Length: 0

Server: Jetty(6.1.x)

http://localhost:8080/app/login?login_error=1

GET /app/login?login_error=1 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=1dymxpkh13z32

HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/html
Content-Length: 928

Server: Jetty(6.1.x)

@spring-issuemaster

Luke Taylor said:

If your browser is issuing a GET request, then either you are sending it for some reason (because you aren't using a POST in your login form) or there is a redirect to that URL being sent by mistake. The latter case would be a bug, but there is no evidence for that in the responses you have shown here. You are best placed to debug the requests your browser sends and the dialogue which causes them. Please debug the setup and work out whether the request is sent. You haven't indicated whether it is the result of user action or not, but that should be easy to establish.

Either that or post a complete sample which reproduces the problem.
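The mechanism behind the symptom is visible in the trace above: the processing filter only accepts POST at /j_spring_security_check, any other method fails authentication ("Authentication method not supported: GET"), and the remember-me services react to the failure by cancelling the cookie (a Set-Cookie with an empty value and an epoch expiry). The script below is an added example for readers debugging the same symptom; it is not code from the thread or from Spring Security. It parses a condensed copy of the reporter's request/response headers (constructed here, with the token replaced by a placeholder), tracks every Set-Cookie that touches the remember-me cookie, and reports which exchange set it, which one cleared it, the method that triggered the clearing and the Referer of that request, so the question Luke asks ("where does the GET come from?") can be answered from the capture rather than by eye. The cookie and URL names come from the thread; everything else is an assumption of the example.

```python
"""Locate the request that cancelled the remember-me cookie in an HTTP trace.

Added example for the thread above; not part of Spring Security.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parsedate_to_datetime

PROCESSING_URL = "/j_spring_security_check"             # from the thread
REMEMBER_ME_COOKIE = "SPRING_SECURITY_REMEMBER_ME_COOKIE"  # from the thread

# Constructed input: the four exchanges pasted in the issue, reduced to the
# headers the analysis needs. Blank lines separate messages; requests and
# responses alternate. The token value is a placeholder, not the real cookie.
TRACE = """\
POST /j_spring_security_check HTTP/1.1
Host: localhost:8080
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=15t2gq1vo5noj

HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=1dymxpkh13z32;Path=/
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=TOKEN_PLACEHOLDER;Path=/;Expires=Wed, 31-Mar-10 10:52:07 GMT
Location: http://localhost:8080/app/helloWorld

GET /app/helloWorld HTTP/1.1
Host: localhost:8080
Referer: http://localhost:8080/app/login
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=TOKEN_PLACEHOLDER

HTTP/1.1 200 OK
Content-Type: text/html

GET /j_spring_security_check HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=1dymxpkh13z32; SPRING_SECURITY_REMEMBER_ME_COOKIE=TOKEN_PLACEHOLDER

HTTP/1.1 302 Found
Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/;Expires=Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/app/login?login_error=1

GET /app/login?login_error=1 HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=1dymxpkh13z32

HTTP/1.1 200 OK
Content-Type: text/html
"""


@dataclass
class Message:
    start_line: str
    headers: list[tuple[str, str]]  # order kept; Set-Cookie may repeat

    def get_all(self, name: str) -> list[str]:
        return [v for n, v in self.headers if n.lower() == name.lower()]


@dataclass
class Exchange:
    method: str
    path: str
    status: int
    request: Message
    response: Message


def parse_message(block: str) -> Message:
    """Parse one header block (start line followed by Name: value lines)."""
    lines = block.splitlines()
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray lines in a hand-pasted capture
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return Message(lines[0].strip(), headers)


def parse_trace(text: str) -> list[Exchange]:
    """Pair alternating request/response blocks into Exchange records."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    if len(blocks) % 2:
        raise ValueError("trace must alternate request and response blocks")
    exchanges = []
    for req_block, resp_block in zip(blocks[0::2], blocks[1::2]):
        req, resp = parse_message(req_block), parse_message(resp_block)
        method, path, _ = req.start_line.split(" ", 2)
        status = int(resp.start_line.split(" ")[1])
        exchanges.append(Exchange(method, path, status, req, resp))
    return exchanges


def parse_set_cookie(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    first, *attrs = [p.strip() for p in raw.split(";")]
    name, _, value = first.partition("=")
    attributes = {}
    for attr in attrs:
        k, _, v = attr.partition("=")
        attributes[k.strip().lower()] = v.strip()
    return name.strip(), value, attributes


def expires_in_past(expires: str) -> bool:
    """True for the epoch-style expiry servers use to delete a cookie."""
    try:
        return parsedate_to_datetime(expires).year < 2000
    except (TypeError, ValueError):
        return False


def diagnose(exchanges: list[Exchange], cookie_name: str = REMEMBER_ME_COOKIE,
             processing_url: str = PROCESSING_URL) -> dict:
    """Report which exchange set the cookie, which cleared it, and why."""
    report = {"set_by": None, "cleared_by": None, "cause": None, "referer": None}
    for i, ex in enumerate(exchanges):
        for raw in ex.response.get_all("Set-Cookie"):
            name, value, attrs = parse_set_cookie(raw)
            if name != cookie_name:
                continue
            if value == "" or expires_in_past(attrs.get("expires", "")):
                report["cleared_by"] = (i, ex.method, ex.path)
                referers = ex.request.get_all("Referer")
                report["referer"] = referers[0] if referers else None
                # Only POST is accepted at the processing URL; any other method
                # fails authentication and the remember-me services cancel the cookie.
                if ex.path == processing_url and ex.method != "POST":
                    report["cause"] = (f"{ex.method} to {processing_url}: "
                                       "authentication method not supported")
            else:
                report["set_by"] = (i, ex.method, ex.path)
    return report


if __name__ == "__main__":
    for key, val in diagnose(parse_trace(TRACE)).items():
        print(f"{key:11} {val}")
```

Run against the constructed trace it reports the cookie set by exchange 0 (the POST) and cleared by exchange 2, a GET to the processing URL with no Referer, which is the detail that points away from a page link or form and towards something else in the browser issuing the request.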

@spring-issuemaster

Taylor Leese said:

My login form looks like this. There's nowhere in my app where I issue the GET request for j_spring_security_check.

    <form action="/j_spring_security_check" method="post">
        <table>
            <tr><td>Username:</td><td><input type='text' name='j_username' value='<c:if test="${not empty param.login_error}"><c:out value="${SPRING_SECURITY_LAST_USERNAME}" /></c:if>'/></td></tr>
            <tr><td>Password:</td><td><input type='password' name='j_password' /></td></tr>
            <tr><td>Keep me logged in:</td><td><input type='checkbox' name='_spring_security_remember_me' /></td></tr>
            <tr><td><input name="submit" type="submit" value="Submit" /></td><td><input name="reset" type="reset" value="Reset" /></td></tr>
        </table>
    </form>

@spring-issuemaster

Taylor Leese said:

I can send you the .war file causing the problem, but I'd prefer to not post it in the JIRA issue. Is there an address I can e-mail it to?

@spring-issuemaster

Taylor Leese said:

The sequence of requests I posted the HTTP headers for happens after clicking submit on the login form (1 user action). You can see the initial post in the headers.

@spring-issuemaster

Luke Taylor said:

So you get a 200 for your GET /app/helloWorld HTTP/1.1 and the additional response is immediately after that? That would imply that the request comes from that page. Please debug that request. It also doesn't appear to match the log.

@spring-issuemaster

Taylor Leese said:

The log shows a slightly different scenario where the user is redirected back to "/" rather than "/app/helloWorld" after a successful login and it demonstrates the same problem. There is no GET request for j_spring_security_check on either of these pages. The only time j_spring_security_check is referenced in my application is in the form post. What else could be causing the additional GET request?

@spring-issuemaster

Taylor Leese said:

I think I just figured this out. I tried to reproduce the same issue in IE and I wasn't able to so I did some more investigation and it appears that when Firebug is open in Firefox the additional GET request appears in the headers. If I don't have Firebug open when I login then there is no additional GET request and the remember cookie still exists. I'd have to say this is an issue with Firebug at this point. I'm using Firefox 3.6 and Firebug 1.5.3. Have you ever heard of Firebug causing problems with the remember me cookie?

@spring-issuemaster

Luke Taylor said:

No, I'm not aware of anything Firebug related.

Closing, as it's highly unlikely this is a Spring Security issue.

@spring-issuemaster spring-issuemaster added this to the 3.0.3 milestone Feb 5, 2016