SEC-1901: Forwarding to /j_spring_security_check results in 404 #2131

Closed
spring-issuemaster opened this Issue Jan 29, 2012 · 7 comments

2 participants

@spring-issuemaster

Brad Chen (Migrated from SEC-1901) said:

In a JSF environment, RequestDispatcher is used to forward request to /j_spring_security_check to do user login. In Spring Security 3.1.0, doing so results in 404 error. The same code works fine with 3.0.7.

Currently I use a custom filter to invoke UsernamePasswordAuthenticationFilter directly to work around the problem. As such, I suspect FilterChainProxy is not run when the request is forwarded.

@spring-issuemaster

Luke Taylor said:

Are you applying the security filter chain to forwarded requests in your web.xml configuration?

@spring-issuemaster

Brad Chen said:

Yes, FORWARD is one of the dispatchers for the filter. The code works in 3.0.7 but not in 3.1.0.

@spring-issuemaster

Luke Taylor said:

Sorry, but it's pretty hard to know what's going on without more details. Could you provide a sample app which reproduces the issue? Or some the debug log from the point where the request is forwarded. It may also depend on the container you're running in.

@spring-issuemaster

Brad Chen said:

sample app

@spring-issuemaster

Brad Chen said:

The sample app has been attached. It seems that the problem occurs when is enabled in security.xml. When it's removed, the app works fine.

The user of the sample app is admin/admin.

@spring-issuemaster

Rob Winch said:

Thanks for the good example project. The issue was that DebugFilter extended OncePerRequestFilter which will only be invoked once per request (i.e. it skips being invoked on the FORWARD). I have made updates in master to correct the issue.

@spring-issuemaster

Rob Winch said:

Changed to namespace since the DebugFilter is in config jar not the web jar

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment