Brad Chen (Migrated from SEC-1901) said:
In a JSF environment, RequestDispatcher is used to forward the request to /j_spring_security_check to do user login. In Spring Security 3.1.0, doing so results in a 404 error. The same code works fine with 3.0.7.
Currently I use a custom filter to invoke UsernamePasswordAuthenticationFilter directly to work around the problem. As such, I suspect FilterChainProxy is not run when the request is forwarded.
Luke Taylor said:
Are you applying the security filter chain to forwarded requests in your web.xml configuration?
Brad Chen said:
Yes, FORWARD is one of the dispatchers for the filter. The code works in 3.0.7 but not in 3.1.0.
Sorry, but it's pretty hard to know what's going on without more details. Could you provide a sample app which reproduces the issue? Or some of the debug log from the point where the request is forwarded. It may also depend on the container you're running in.
The sample app has been attached. It seems that the problem occurs when is enabled in security.xml. When it's removed, the app works fine.
The user of the sample app is admin/admin.
Rob Winch said:
Thanks for the good example project. The issue was that DebugFilter extended OncePerRequestFilter which will only be invoked once per request (i.e. it skips being invoked on the FORWARD). I have made updates in master to correct the issue.
Changed to namespace since the DebugFilter is in config jar not the web jar
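The behaviour diagnosed in this thread, as an added example that is not Spring Security code or code from the sample app: a minimal JDK-only model in which a wrapper guarded by an "already filtered" request attribute (the mechanism OncePerRequestFilter uses) is skipped on the nested FORWARD, so the security chain never sees the login URL. The `Filter`/`Chain` interfaces, the marker name, `/login.jsf` and the status strings are hypothetical stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

public class ForwardFilterDemo {
    // Simplified stand-ins for the servlet Filter / FilterChain contracts (assumption).
    interface Chain { String next(Map<String, Object> attrs, String path); }
    interface Filter { String doFilter(Map<String, Object> attrs, String path, Chain chain); }

    // Stand-in for the security filter chain: it intercepts the login URL itself.
    static final Filter SECURITY = (attrs, path, chain) ->
        path.equals("/j_spring_security_check") ? "302 authenticated" : chain.next(attrs, path);

    // Wrapper guarded by a request attribute, as OncePerRequestFilter guards itself.
    static Filter oncePerRequest(Filter delegate) {
        final String marker = "debug.FILTERED"; // hypothetical attribute name
        return (attrs, path, chain) -> {
            if (attrs.containsKey(marker)) {
                return chain.next(attrs, path); // FORWARD: delegate is bypassed
            }
            attrs.put(marker, Boolean.TRUE);
            try {
                return delegate.doFilter(attrs, path, chain);
            } finally {
                attrs.remove(marker);
            }
        };
    }

    // Wrapper that delegates on every dispatch, including FORWARD.
    static Filter everyDispatch(Filter delegate) {
        return delegate::doFilter;
    }

    // Container model: the page forwards to the login URL while the original
    // request is still inside the filter, and FORWARD is mapped to the filter.
    static String request(Filter filter) {
        Map<String, Object> attrs = new HashMap<>(); // attributes survive the forward
        Chain[] servlet = new Chain[1];
        servlet[0] = (a, path) -> path.equals("/login.jsf")
            ? filter.doFilter(a, "/j_spring_security_check", servlet[0])
            : "404 not found"; // nothing is mapped to the login URL past the filters
        return filter.doFilter(attrs, "/login.jsf", servlet[0]);
    }

    public static void main(String[] args) {
        System.out.println("once-per-request wrapper: " + request(oncePerRequest(SECURITY)));
        System.out.println("every-dispatch wrapper:   " + request(everyDispatch(SECURITY)));
    }
}
```

The same pattern is worth checking in any custom filter that wraps or precedes a security chain: if it is once-per-request, forwarded requests reach the target without passing through the filters it delegates to.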