SEC-2029: j_spring_security_check in https #2247

Closed
spring-issuemaster opened this issue Aug 9, 2012 · 4 comments

@spring-issuemaster spring-issuemaster commented Aug 9, 2012

sreekanth (Migrated from SEC-2029) said:

It's totally weird that, when I turn on https for j_spring_security_check, I am not able to log in; it shows the following security error message:

Authentication method not supported: GET

My login page method attribute is post only; when I checked the network log it shows:

Request URL:http://localhost:8080/sample-web/j_spring_security_check
Request Method:POST
Status Code:302 Moved Temporarily
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:31
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=277928532DA516449D8FC8D4843F4C92
Host:localhost:8080
Origin:http://localhost:8080
Referer:http://localhost:8080/sample-web/login
User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.0 Safari/537.4
Form Data
j_username:xyz
j_password:xyzpass
Response Headers
Content-Length:0
Date:Thu, 09 Aug 2012 09:59:38 GMT
Location:https://localhost:8443/sample-web/j_spring_security_check
Server:Apache-Coyote/1.1

Basically, when I submit my page, /j_spring_security_check is saying HTTP status 302.

The following is my security context xml's http config part:

<http use-expressions="true">
    <form-login login-page="/login" default-target-url="/" />
    <http-basic />
    <logout logout-success-url="/login" />
    <intercept-url pattern="/login*" access="isAnonymous()" />
    <intercept-url pattern="/resources/**" access="isAnonymous()"/>
    <intercept-url pattern="/j_spring_security_check" access="isAnonymous()" requires-channel="https" method="POST"/>
    <intercept-url pattern="/collection/**" access="USER" requires-channel="https"/>
    <intercept-url pattern="/**" access="hasAnyRole('USER','ADMIN')" />
</http>

@spring-issuemaster spring-issuemaster commented Aug 9, 2012

Rob Winch said:

This is a setup issue with the application and not a bug. Here is what is happening:

  • The user submits their username and password over HTTP to POST /j_spring_security_check. Notice at this point your user's credentials have already been compromised because they have been submitted over HTTP instead of HTTPS.
  • Spring Security notices that the request is over HTTP and correctly sends a redirect (302) to the browser to request the HTTPS URL.
  • The browser follows the 302 to GET /j_spring_security_check as expected and produces the error you are seeing.

There could be ways to mitigate the symptom of this bad configuration, but the real problem is that you should not submit the username and password over HTTP. The log in page should be configured to submit the username and password over HTTPS from the start. I would strongly recommend you use HTTPS throughout the entire application as switching between the two causes issues with session management and other security vulnerabilities.
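
An added example (not part of the issue thread and not Spring Security code): a Python audit of a Spring Security 3.x `<http>` block that flags the mixed-channel setup described above, where the login form is reachable over HTTP while the login-processing URL requires HTTPS. The function names, finding codes and the simplified Ant-pattern matcher are assumptions of this example; the first sample is the configuration from the report, the second is a constructed HTTPS-only variant.

```python
import re
import xml.etree.ElementTree as ET

# Default form-login processing URL in Spring Security 3.x (the one in this issue).
DEFAULT_LOGIN_PROCESSING_URL = "/j_spring_security_check"

# Configuration as posted in the report.
REPORTED = """<http use-expressions="true">
    <form-login login-page="/login" default-target-url="/" />
    <http-basic />
    <logout logout-success-url="/login" />
    <intercept-url pattern="/login*" access="isAnonymous()" />
    <intercept-url pattern="/resources/**" access="isAnonymous()"/>
    <intercept-url pattern="/j_spring_security_check" access="isAnonymous()" requires-channel="https" method="POST"/>
    <intercept-url pattern="/collection/**" access="USER" requires-channel="https"/>
    <intercept-url pattern="/**" access="hasAnyRole('USER','ADMIN')" />
</http>"""

# Constructed sample: every rule pinned to HTTPS, login page included.
HTTPS_ONLY = """<http use-expressions="true">
    <form-login login-page="/login" default-target-url="/" />
    <logout logout-success-url="/login" />
    <intercept-url pattern="/login*" access="isAnonymous()" requires-channel="https"/>
    <intercept-url pattern="/resources/**" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https"/>
</http>"""


def ant_to_regex(pattern):
    """Simplified Ant matcher: '**' spans segments, '*' and '?' stay inside one."""
    head, tail = (pattern[:-3], "(/.*)?") if pattern.endswith("/**") else (pattern, "")
    out, i = [], 0
    while i < len(head):
        if head.startswith("**", i):
            out.append(".*")
            i += 2
        elif head[i] == "*":
            out.append("[^/]*")
            i += 1
        elif head[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(head[i]))
            i += 1
    return re.compile("".join(out) + tail + r"\Z")


def channel_for(http_xml, path):
    """Channel the first matching rule demands for `path`.

    Modelling assumption: only rules that carry requires-channel take part
    in channel enforcement; a path matched by none of them is 'any'.
    """
    root = ET.fromstring(http_xml)
    for rule in root.findall("intercept-url"):
        channel = rule.get("requires-channel")
        if channel and ant_to_regex(rule.get("pattern")).match(path):
            return channel
    return "any"


def audit(http_xml):
    """Return (code, subject) findings for channel problems around form login."""
    root = ET.fromstring(http_xml)
    findings = []
    form = root.find("form-login")
    if form is not None and form.get("login-page"):
        page = form.get("login-page")
        target = form.get("login-processing-url", DEFAULT_LOGIN_PROCESSING_URL)
        if channel_for(http_xml, target) != "https":
            # Credentials may be accepted over plain HTTP.
            findings.append(("login-post-cleartext", target))
        elif channel_for(http_xml, page) != "https":
            # Form can load over HTTP, so its POST leaves in cleartext and is
            # answered with a 302 that the browser replays as GET.
            findings.append(("login-form-downgrade", page))
    for rule in root.findall("intercept-url"):
        if rule.get("requires-channel") != "https":
            findings.append(("not-https", rule.get("pattern")))
    return findings


if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("https-only", HTTPS_ONLY)):
        print(name, audit(cfg))
```
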


@spring-issuemaster spring-issuemaster commented Aug 9, 2012

sreekanth said:

Thanks for explaining, Rob, but I doubt this is that simple like you have explained, because when I try it in IE, Mozilla it works for the first time then fails.

When I used it as below (just like you explained), it's coming back with no error but to the same login page.

<intercept-url pattern="/login*" access="isAnonymous()" requires-channel="https"/>
<intercept-url pattern="/j_spring_security_check" access="isAnonymous()" requires-channel="https"/>
<intercept-url pattern="/collections/**" access="USER" requires-channel="https"/>
<intercept-url pattern="/**" access="hasAnyRole('USER','ADMIN')" requires-channel="http"/>

Here is my log file from accessing the site http://localhost:8080/sample-web/

2012-08-09 20:29:10,420 215277 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:10,421 215278 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/login*'
2012-08-09 20:29:10,421 215278 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/j_spring_security_check'
2012-08-09 20:29:10,421 215278 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/collections/**'
2012-08-09 20:29:10,422 215279 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Request '/' matched by universal pattern '/**'
2012-08-09 20:29:10,422 215279 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-bio-8080"-exec-8:) Request: FilterInvocation: URL: /; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
2012-08-09 20:29:10,422 215279 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-08-09 20:29:10,422 215279 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-8:) No HttpSession currently exists
2012-08-09 20:29:10,422 215279 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-8:) No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] ("http-bio-8080"-exec-8:) Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-08-09 20:29:10,423 215280 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-8:) / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/resources/**'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/login*'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/j_spring_security_check'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-8:) Checking match of request : '/'; against '/collections/**'
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-bio-8080"-exec-8:) Secure object: FilterInvocation: URL: /; Attributes: [hasAnyRole('USER','ADMIN')]
2012-08-09 20:29:10,424 215281 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-bio-8080"-exec-8:) Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2012-08-09 20:29:10,425 215282 DEBUG [org.springframework.security.access.vote.AffirmativeBased] ("http-bio-8080"-exec-8:) Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3dfa7c, returned: -1
2012-08-09 20:29:10,425 215282 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] ("http-bio-8080"-exec-8:) Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
2012-08-09 20:29:10,426 215283 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] ("http-bio-8080"-exec-8:) DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/bank-payment-web/]
2012-08-09 20:29:10,427 215284 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] ("http-bio-8080"-exec-8:) Calling Authentication entry point.
2012-08-09 20:29:10,427 215284 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] ("http-bio-8080"-exec-8:) Redirecting to 'http://localhost:8080/bank-payment-web/login;jsessionid=E0A69703676F41A4A85BBE68EC21098F'
2012-08-09 20:29:10,427 215284 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-8:) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2012-08-09 20:29:10,427 215284 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] ("http-bio-8080"-exec-8:) SecurityContextHolder now cleared, as request processing completed
2012-08-09 20:29:10,435 215292 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-9:) /login at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:10,436 215293 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-9:) Checking match of request : '/login'; against '/login*'
2012-08-09 20:29:10,436 215293 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-bio-8080"-exec-9:) Request: FilterInvocation: URL: /login; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2012-08-09 20:29:10,436 215293 DEBUG [org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint] ("http-bio-8080"-exec-9:) Redirecting to: https://localhost:8443/bank-payment-web/login;jsessionid=E0A69703676F41A4A85BBE68EC21098F
2012-08-09 20:29:10,436 215293 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] ("http-bio-8080"-exec-9:) Redirecting to 'https://localhost:8443/bank-payment-web/login;jsessionid=E0A69703676F41A4A85BBE68EC21098F'
2012-08-09 20:29:10,445 215302 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-3:) Checking match of request : '/login'; against '/login*'
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-nio-8443"-exec-3:) Request: FilterInvocation: URL: /login; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-3:) HttpSession returned null object for SPRING_SECURITY_CONTEXT
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-3:) No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@150c2b0. A new one will be created.
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-08-09 20:29:10,448 215305 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-08-09 20:29:10,449 215306 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-08-09 20:29:10,449 215306 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-08-09 20:29:10,449 215306 DEBUG [org.springframework.security.web.savedrequest.DefaultSavedRequest] ("http-nio-8443"-exec-3:) pathInfo: both null (property equals)
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.savedrequest.DefaultSavedRequest] ("http-nio-8443"-exec-3:) queryString: both null (property equals)
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.savedrequest.DefaultSavedRequest] ("http-nio-8443"-exec-3:) requestURI: arg1=/bank-payment-web/; arg2=/bank-payment-web/login;jsessionid=E0A69703676F41A4A85BBE68EC21098F (property not equals)
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] ("http-nio-8443"-exec-3:) saved request doesn't match
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] ("http-nio-8443"-exec-3:) Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: E0A69703676F41A4A85BBE68EC21098F; Granted Authorities: ROLE_ANONYMOUS'
2012-08-09 20:29:10,454 215311 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-08-09 20:29:10,455 215312 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-08-09 20:29:10,455 215312 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-08-09 20:29:10,455 215312 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-3:) Checking match of request : '/login'; against '/resources/**'
2012-08-09 20:29:10,455 215312 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-3:) Checking match of request : '/login'; against '/login*'
2012-08-09 20:29:10,455 215312 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-3:) Secure object: FilterInvocation: URL: /login; Attributes: [isAnonymous()]
2012-08-09 20:29:10,455 215312 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-3:) Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: E0A69703676F41A4A85BBE68EC21098F; Granted Authorities: ROLE_ANONYMOUS
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.security.access.vote.AffirmativeBased] ("http-nio-8443"-exec-3:) Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3dfa7c, returned: 1
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-3:) Authorization successful
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-3:) RunAsManager did not change Authentication object
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-3:) /login reached end of additional filter chain; proceeding with original chain
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-3:) DispatcherServlet with name 'spring3' processing GET request for [/bank-payment-web/login]
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] ("http-nio-8443"-exec-3:) Looking up handler method for path /login
2012-08-09 20:29:10,456 215313 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] ("http-nio-8443"-exec-3:) Returning handler method [public java.lang.String org.egov.bp.home.HomeController.showLogin(java.util.Locale,org.springframework.ui.Model)]
2012-08-09 20:29:10,457 215314 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-3:) Last-Modified value for [/bank-payment-web/login] is: -1
2012-08-09 20:29:10,458 215315 INFO  [org.egov.bp.home.HomeController] ("http-nio-8443"-exec-3:) Welcome home! the client locale is en
2012-08-09 20:29:10,458 215315 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-3:) Rendering view [org.springframework.web.servlet.view.tiles2.TilesView: name 'login'; URL [login]] in DispatcherServlet with name 'spring3'
2012-08-09 20:29:10,461 215318 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-3:) Successfully completed request
2012-08-09 20:29:10,461 215318 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] ("http-nio-8443"-exec-3:) Chain processed normally
2012-08-09 20:29:10,461 215318 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-3:) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2012-08-09 20:29:10,461 215318 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] ("http-nio-8443"-exec-3:) SecurityContextHolder now cleared, as request processing completed
2012-08-09 20:29:17,599 222456 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-1:) /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:17,613 222470 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-1:) Checking match of request : '/j_spring_security_check'; against '/login*'
2012-08-09 20:29:17,613 222470 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-1:) Checking match of request : '/j_spring_security_check'; against '/j_spring_security_check'
2012-08-09 20:29:17,613 222470 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-nio-8443"-exec-1:) Request: FilterInvocation: URL: /j_spring_security_check; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2012-08-09 20:29:17,613 222470 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-1:) /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-08-09 20:29:17,614 222471 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-1:) HttpSession returned null object for SPRING_SECURITY_CONTEXT
2012-08-09 20:29:17,614 222471 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-1:) No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@150c2b0. A new one will be created.
2012-08-09 20:29:17,614 222471 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-1:) /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-08-09 20:29:17,614 222471 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-1:) /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-08-09 20:29:17,614 222471 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] ("http-nio-8443"-exec-1:) Request is to process authentication
2012-08-09 20:29:17,614 222471 DEBUG [org.springframework.security.authentication.ProviderManager] ("http-nio-8443"-exec-1:) Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2012-08-09 20:29:17,662 222519 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] ("http-nio-8443"-exec-1:) Invalidating session with Id 'E0A69703676F41A4A85BBE68EC21098F' and migrating attributes.
2012-08-09 20:29:17,662 222519 DEBUG [org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] ("http-nio-8443"-exec-1:) Started new session: 979423B4D4BD668476314564D6B70DEA
2012-08-09 20:29:17,662 222519 DEBUG [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] ("http-nio-8443"-exec-1:) Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fc6dd75a: Principal: org.springframework.security.core.userdetails.User@2f7a09: Username: egov; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: E0A69703676F41A4A85BBE68EC21098F; Granted Authorities: ADMIN, USER
2012-08-09 20:29:17,663 222520 DEBUG [org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler] ("http-nio-8443"-exec-1:) Redirecting to DefaultSavedRequest Url: http://localhost:8080/bank-payment-web/
2012-08-09 20:29:17,663 222520 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] ("http-nio-8443"-exec-1:) Redirecting to 'http://localhost:8080/bank-payment-web/'
2012-08-09 20:29:17,663 222520 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-1:) SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@fc6dd75a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@fc6dd75a: Principal: org.springframework.security.core.userdetails.User@2f7a09: Username: egov; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ADMIN,USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: E0A69703676F41A4A85BBE68EC21098F; Granted Authorities: ADMIN, USER'
2012-08-09 20:29:17,663 222520 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] ("http-nio-8443"-exec-1:) SecurityContextHolder now cleared, as request processing completed
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/login*'
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/j_spring_security_check'
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/collections/**'
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Request '/' matched by universal pattern '/**'
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-bio-8080"-exec-10:) Request: FilterInvocation: URL: /; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-08-09 20:29:17,669 222526 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-10:) No HttpSession currently exists
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-10:) No SecurityContext was available from the HttpSession: null. A new one will be created.
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-08-09 20:29:17,670 222527 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] ("http-bio-8080"-exec-10:) Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) / at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/resources/**'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/login*'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/j_spring_security_check'
2012-08-09 20:29:17,673 222530 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/'; against '/collections/**'
2012-08-09 20:29:17,674 222531 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-bio-8080"-exec-10:) Secure object: FilterInvocation: URL: /; Attributes: [hasAnyRole('USER','ADMIN')]
2012-08-09 20:29:17,674 222531 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-bio-8080"-exec-10:) Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2012-08-09 20:29:17,674 222531 DEBUG [org.springframework.security.access.vote.AffirmativeBased] ("http-bio-8080"-exec-10:) Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3dfa7c, returned: -1
2012-08-09 20:29:17,674 222531 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] ("http-bio-8080"-exec-10:) Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
2012-08-09 20:29:17,679 222536 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] ("http-bio-8080"-exec-10:) DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/bank-payment-web/]
2012-08-09 20:29:17,679 222536 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] ("http-bio-8080"-exec-10:) Calling Authentication entry point.
2012-08-09 20:29:17,679 222536 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] ("http-bio-8080"-exec-10:) Redirecting to 'http://localhost:8080/bank-payment-web/login;jsessionid=E57CC687EDDC97732EE88059B8614BEB'
2012-08-09 20:29:17,679 222536 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-10:) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2012-08-09 20:29:17,680 222537 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] ("http-bio-8080"-exec-10:) SecurityContextHolder now cleared, as request processing completed
2012-08-09 20:29:17,709 222566 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-bio-8080"-exec-10:) /login at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:17,710 222567 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-bio-8080"-exec-10:) Checking match of request : '/login'; against '/login*'
2012-08-09 20:29:17,710 222567 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-bio-8080"-exec-10:) Request: FilterInvocation: URL: /login; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2012-08-09 20:29:17,710 222567 DEBUG [org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint] ("http-bio-8080"-exec-10:) Redirecting to: https://localhost:8443/bank-payment-web/login;jsessionid=E57CC687EDDC97732EE88059B8614BEB
2012-08-09 20:29:17,710 222567 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] ("http-bio-8080"-exec-10:) Redirecting to 'https://localhost:8443/bank-payment-web/login;jsessionid=E57CC687EDDC97732EE88059B8614BEB'
2012-08-09 20:29:17,714 222571 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 1 of 11 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2012-08-09 20:29:17,714 222571 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-2:) Checking match of request : '/login'; against '/login*'
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.access.channel.ChannelProcessingFilter] ("http-nio-8443"-exec-2:) Request: FilterInvocation: URL: /login; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-2:) HttpSession returned null object for SPRING_SECURITY_CONTEXT
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-2:) No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@1051c99. A new one will be created.
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2012-08-09 20:29:17,715 222572 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.savedrequest.DefaultSavedRequest] ("http-nio-8443"-exec-2:) pathInfo: both null (property equals)
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.savedrequest.DefaultSavedRequest] ("http-nio-8443"-exec-2:) queryString: both null (property equals)
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.savedrequest.DefaultSavedRequest] ("http-nio-8443"-exec-2:) requestURI: arg1=/bank-payment-web/; arg2=/bank-payment-web/login;jsessionid=E57CC687EDDC97732EE88059B8614BEB (property not equals)
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] ("http-nio-8443"-exec-2:) saved request doesn't match
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] ("http-nio-8443"-exec-2:) Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa90ed4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: E57CC687EDDC97732EE88059B8614BEB; Granted Authorities: ROLE_ANONYMOUS'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2012-08-09 20:29:17,716 222573 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-2:) Checking match of request : '/login'; against '/resources/**'
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] ("http-nio-8443"-exec-2:) Checking match of request : '/login'; against '/login*'
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-2:) Secure object: FilterInvocation: URL: /login; Attributes: [isAnonymous()]
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-2:) Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa90ed4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: E57CC687EDDC97732EE88059B8614BEB; Granted Authorities: ROLE_ANONYMOUS
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.access.vote.AffirmativeBased] ("http-nio-8443"-exec-2:) Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3dfa7c, returned: 1
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-2:) Authorization successful
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] ("http-nio-8443"-exec-2:) RunAsManager did not change Authentication object
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.security.web.FilterChainProxy] ("http-nio-8443"-exec-2:) /login reached end of additional filter chain; proceeding with original chain
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-2:) DispatcherServlet with name 'spring3' processing GET request for [/bank-payment-web/login]
2012-08-09 20:29:17,717 222574 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] ("http-nio-8443"-exec-2:) Looking up handler method for path /login
2012-08-09 20:29:17,718 222575 DEBUG [org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping] ("http-nio-8443"-exec-2:) Returning handler method [public java.lang.String org.egov.bp.home.HomeController.showLogin(java.util.Locale,org.springframework.ui.Model)]
2012-08-09 20:29:17,718 222575 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-2:) Last-Modified value for [/bank-payment-web/login] is: -1
2012-08-09 20:29:17,718 222575 INFO  [org.egov.bp.home.HomeController] ("http-nio-8443"-exec-2:) Welcome home! the client locale is en
2012-08-09 20:29:17,718 222575 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-2:) Rendering view [org.springframework.web.servlet.view.tiles2.TilesView: name 'login'; URL [login]] in DispatcherServlet with name 'spring3'
2012-08-09 20:29:17,724 222581 DEBUG [org.springframework.web.servlet.DispatcherServlet] ("http-nio-8443"-exec-2:) Successfully completed request
2012-08-09 20:29:17,724 222581 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] ("http-nio-8443"-exec-2:) Chain processed normally
2012-08-09 20:29:17,724 222581 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] ("http-nio-8443"-exec-2:) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2012-08-09 20:29:17,724 222581 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] ("http-nio-8443"-exec-2:) SecurityContextHolder now cleared, as request processing completed

@spring-issuemaster spring-issuemaster commented Aug 9, 2012

Rob Winch said:

<intercept-url pattern="/**" access="hasAnyRole('USER','ADMIN')" requires-channel="http"/>

You are switching between HTTP and HTTPS still. Refer to the links I provided for reasons why this will not work.
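
The sequence Rob Winch describes can be read straight from the debug log: authentication succeeds on the HTTPS connector, the redirect goes to an `http://` URL, and the next request on the HTTP connector arrives with no session and is denied as anonymous. The following is an added example (not part of the original thread or of Spring Security) that flags this sequence; the function name, the abbreviated logger names and the sample lines are constructed for illustration, modeled on the log format above.

```python
import re
from urllib.parse import urlsplit

# Layout of the debug log in this thread:
#   date time millis LEVEL [logger] ("connector"-exec-N:) message
LINE_RE = re.compile(
    r'^\S+ \S+ \d+ \w+\s+\[[^\]]+\] '
    r'\("(?P<connector>[^"]+)"-[^:]*:\) (?P<msg>.*)$')
REDIRECT_RE = re.compile(r"^Redirecting to '([^']+)'")
SESSION_RE = re.compile(r'SessionId: (\w+)')


def find_channel_switch_session_loss(lines):
    """Return one finding per login whose session is lost after a scheme switch.

    Sequence flagged: 'Authentication success' on one connector, a redirect
    from that connector to an http:// URL, then 'No HttpSession currently
    exists' and an anonymous 'Access is denied' on a different connector.
    """
    findings, pending = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace lines and blanks carry no connector
        connector, msg = m['connector'], m['msg']
        if msg.startswith('Authentication success'):
            sid = SESSION_RE.search(msg)
            pending = {'login_connector': connector,
                       'session_id': sid.group(1) if sid else None,
                       'redirect_url': None, 'lost_on': None}
        elif pending is None:
            continue
        elif (r := REDIRECT_RE.match(msg)) and pending['redirect_url'] is None:
            if connector == pending['login_connector']:
                pending['redirect_url'] = r.group(1)
                if urlsplit(r.group(1)).scheme != 'http':
                    pending = None  # redirect stayed on HTTPS: nothing to flag
        elif msg.startswith('No HttpSession currently exists'):
            if pending['redirect_url'] and connector != pending['login_connector']:
                pending['lost_on'] = connector
        elif msg.startswith('Access is denied (user is anonymous)'):
            if pending['lost_on'] == connector:
                findings.append(pending)
                pending = None
    return findings


# Constructed sample lines, abridged from the shape of the log in this thread.
P = '2012-08-09 20:29:17,662 222519 DEBUG '
BROKEN_LOG = [
    P + '[o.s.s.w.a.UsernamePasswordAuthenticationFilter] ("http-nio-8443"-exec-1:) '
        'Authentication success. Updating SecurityContextHolder to contain: '
        'Username: demo; SessionId: AAAA1111; Granted Authorities: USER',
    P + '[o.s.s.w.DefaultRedirectStrategy] ("http-nio-8443"-exec-1:) '
        "Redirecting to 'http://localhost:8080/app/'",
    P + '[o.s.s.w.c.HttpSessionSecurityContextRepository] ("http-bio-8080"-exec-10:) '
        'No HttpSession currently exists',
    P + '[o.s.s.w.a.ExceptionTranslationFilter] ("http-bio-8080"-exec-10:) '
        'Access is denied (user is anonymous); redirecting to authentication entry point',
    '    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)',
]
# Same login, but the post-login redirect stays on HTTPS.
HTTPS_ONLY_LOG = [
    BROKEN_LOG[0],
    P + '[o.s.s.w.DefaultRedirectStrategy] ("http-nio-8443"-exec-1:) '
        "Redirecting to 'https://localhost:8443/app/'",
]

if __name__ == '__main__':
    for f in find_channel_switch_session_loss(BROKEN_LOG):
        print('session %(session_id)s authenticated on %(login_connector)s, '
              'redirected to %(redirect_url)s, not presented on %(lost_on)s' % f)
```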

@spring-issuemaster spring-issuemaster commented Aug 9, 2012

sreekanth said:

Thanks Rob, I got your point... Since HTTPS has some performance trade-off, we have planned to make some secure URLs HTTPS and others HTTP.
