j_spring_security_check 404 issue

Question

I am trying to get my spring + hibernate + spring-security and tiles2 - "HelloWorld" application to work, following this guide (its in german unfortunately).

My problem is that I get a "404" error message when logging into my application. Redirection to the login page works as intended, but I can't reach "http://localhost:8080/App/j_spring_security_check" when I hit the login button.

My web.xml looks this way:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/defs/applicationContext.xml
        /WEB-INF/defs/applicationContext-security.xml
    </param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name> 
  <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

and applicationContext-security.xml file looks this way ...

<http use-expressions="true">
    <intercept-url pattern="/index.html" access="permitAll" />
    <intercept-url pattern="/timeout.html" access="permitAll" />
    <intercept-url pattern="/redirect.html" access="permitAll" />
    <intercept-url pattern="/media/**" access="permitAll" />
    <intercept-url pattern="/includes/**" access="permitAll" />
    <intercept-url pattern="/office/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/office/admin/**" access="hasRole('ROLE_ADMIN')" />

    <form-login login-page="/index.html" 
            authentication-failure-url="/index.html?login_error=1"
            default-target-url='/office/kunden.html'
            always-use-default-target='true'
            />
    <logout logout-success-url="/index.html" />
    <remember-me />
    <session-management invalid-session-url="/index.html">
        <concurrency-control max-sessions="2" error-if-maximum-exceeded="true" />
    </session-management>
</http>

<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="mysqldataSource" 
                    authorities-by-username-query="select username, authority from benutzer where username = ?"
                    users-by-username-query="select username, password, enabled from benutzer where username = ?"/>
    </authentication-provider>
</authentication-manager>

The database connection seems to be O.K.

I would be very glad if someone could give me a hint on that, because I already did a lot of googling, but didn't find a solution yet.

I use spring 3.1 and tomcat 7.0.23

Answer 1

I would check two things:

1. Request dispatch
2. Spring-security config

To check request dispatch just make sure that your application is accessible in the servlet container in the first place. Meaning, you have mentioned http://localhost:8080/App/j_spring_security_check. Is your application accessible under that URL? Does http://localhost:8080/App show proper content (HTTP 200)? Also make sure that dispatcher servlet is configured properly. In tutorial you have provided, there is this section:

  <!--  Spring Hauptteil -->

  <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>
          org.springframework.web.servlet.DispatcherServlet
      </servlet-class>
      <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
      <servlet-name>spring</servlet-name>
      <url-pattern>*.html</url-pattern>
  </servlet-mapping>

If you have not provided it in your web.xml, then your request might not even be dispatched properly before it ends up being examined via spring-security.

If this doesn't help you, try this.

Following documentation, the minimal configuration should be enough to check if your setup is correct. If you have followed tutorial, you might make some minor mistake (typeo, for instance) that will cause spring-security not to launch properly. Then it is easy to skip some error info in logger output. I suggest you do the following.

1. Change your applicationContext-security.xml to support minimal configuration provided in documentation.
2. Launch the application and go to http://localhost:8080/App/j_spring_security_check

If you get proper response - try modifying config until you are done.

Point to learn What DelegatingFilterProxy (defined in web.xml) really does is delegating request to some other filter managed by Spring's IoC. This filter is being defined in applicationContext-security via security namespace. If this won't work for some reason, the filter will not be initialized, and you may end up in seeing http 404 regardless the fact, that the rest of application starts properly.

Uffff, lots of text ;)