SEC-1633: jsp:forward goes into a loop #1873

spring-issuemaster opened this Issue Dec 4, 2010 · 4 comments



Pronab Saha (Migrated from SEC-1633) said:

I wanted to upgrade to Spring Security 2.0.6 from Spring Security 2.0.5. That is, an upgrade of one minor version. I use Struts 1.3.10. When I replaced the 4 jar files with the ones from 2.0.6, I started getting strange error messages from Struts saying that no action path could be found.

The following are the 4 jars that I replaced with the 2.0.6 versions.

After trying various things unsuccessfully, I decided to create a bare bones functional project and try my upgrade there.

What I discovered is that 2.0.6 appears to have problems dealing with jsp:forward. In 2.0.5 things work fine, but in 2.0.6 things go into a loop while running inside of Eclipse/Tomcat 5.5.

I create a fresh Eclipse Dynamic Web project. I add an index.jsp which has one line to perform a jsp:forward to another .jsp page. I tested with no Spring and it works as expected. I then introduce Spring Security 2.0.5 and Spring 2.5.5 into the mix and things still work as expected. (index.jsp has an intercept-url with filters=none.)

I then replace the above-mentioned 4 files with the 2.0.6 versions. Then when I try to navigate to the index.jsp via browser (Firefox 3.6.12), the Tomcat server goes into a loop spewing out a very large stack trace.

I'm attaching the Eclipse project as well as the Tomcat log file.

The main reason I wanted to upgrade to 2.0.6 is because for some reason, I am not able to get "access-denied-page" attribute to work on the http element.


Luke Taylor said:

This is a duplicate of the issue reported as SEC-1606. You can follow the workaround which is described in that issue.


Pronab Saha said:

I've consulted SEC 1606, SEC 1614, and SEC 1608 and tried the following three approaches. One works and the other two did not work for me.

a) modify the index.jsp from having filters="none" to access="ROLE_ANONYMOUS, ROLE_USER". This works. The jsp:forward no longer goes into a loop.

b) Keep filters="none" for index.jsp. Use the http-firewall element and the firewall class as commented by Rob Winch on 8/Nov/10 2:50 PM on SEC 1606. This does not appear to work for me. I get similar behaviour as before.

c) I tried to get approach number #2 from SEC 1608 to work. However, I don't think I am setting it up correctly. I created a filter and tried to configure it in the application context file as below. It also went into a loop when using filters="none" for the /index.jsp

The relevant portion of the WorkaroundFilter looks like below

```java
public class WorkaroundFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        while (request instanceof ServletRequestWrapper) {
            // Reset each FirewalledRequest wrapper found while unwrapping
            if (request instanceof FirewalledRequest) {
                ((FirewalledRequest) request).reset();
            }
            request = ((ServletRequestWrapper) request).getRequest();
        }
        // ...
```



Luke Taylor said:

You have to add the filter in web.xml. Adding it to the security filters has no effect since you are bypassing them by using filters="none".
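
The registration described in the comment above, sketched as a `web.xml` fragment. This is an added example, not configuration from the thread or from the Spring Security project: the package `com.example`, the filter name `workaroundFilter` and the `/*` mappings are assumptions, and placing the mapping after `springSecurityFilterChain` is an assumption based on the filter needing to receive the request already wrapped by the security filter chain.

```xml
<!-- Added example; com.example.WorkaroundFilter is a hypothetical class name -->

<!-- Spring Security's filter chain, registered with the container as usual -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- The workaround filter is a plain servlet filter declared in web.xml.
     It is not part of the security filter list, so filters="none" on an
     intercept-url does not skip it. -->
<filter>
    <filter-name>workaroundFilter</filter-name>
    <filter-class>com.example.WorkaroundFilter</filter-class>
</filter>

<!-- The container invokes filters in filter-mapping order. -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Assumption: mapped after the security chain so that it sees the
     FirewalledRequest wrapper and can call reset() on it. -->
<filter-mapping>
    <filter-name>workaroundFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```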

spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016

This issue duplicates #1846
