Question

I'm having to migrate an application from Spring Security 2 to 3.2 and I'm completely lost; I've never used Spring Security :(

I modified some configurations on spring-security.xml:

<http pattern="/ordreminderform.jsp" security="none" />
<http pattern="/passwordreminder.jsp" security="none" />
<http pattern="/getUser.jsp" security="none" />
<http pattern="/csra2.css" security="none" />
<http auto-config="true" access-denied-page="/accessDenied.jsp">
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/index.jsp"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />
    <intercept-url pattern="/Users.do" access="ROLE_ADMIN" />
    <intercept-url pattern="/Project.do"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />
    <intercept-url pattern="/Csra.do"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />
    <intercept-url pattern="/About.do"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />

    <session-management session-fixation-protection="newSession">
        <concurrency-control max-sessions="1"
            error-if-maximum-exceeded="false" />
    </session-management>

    <form-login login-page="/login.jsp"
        authentication-failure-url="/login.jsp?login_error=true"
        username-parameter="username" password-parameter="password"
        default-target-url="/index.jsp" always-use-default-target="true" />

</http>

<http>
    <intercept-url pattern="/usuarios/**"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <!--<intercept-url pattern="/**" -->
    <!-- access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" /> -->
</http>

<http pattern="/imagens/**" security="none" />
<http pattern="/js/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/fonts/**" security="none" />
<http>
    <intercept-url pattern="/**"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />
</http>

When I try to deploy it, it throws:

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute |Offending resource: class path resource [spring-security-config.xml]

It's weird because I do have a form-login! The .xml is a mess and I'm trying to make it better. I'm using Spring* 3.1.0 and Spring Security 3.2.3

Thanks!

Solution

You have three <http> blocks which are creating three separate security filter chains (i.e. where you aren't using security='none' to bypass security for particular URLs).

Neither of these has a "pattern" attribute which means they will both be configured to handle all requests, which doesn't make sense. The second and third of these blocks have no authentication method configured. Either of these would cause the error you are getting. The form-login only applies with the http element which contains it.

Just use one <http> element to contain all the intercept-url configurations you want to apply, unless you specifically want to have different security configurations for different URL patterns.

Also take a look at this question and answer.
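
The consolidation the answer describes, as an added example that is not part of the original question or answer. It assumes the fragment sits under the existing root element with the security namespace as default and that the authentication-manager (not shown on the page) is unchanged; rules that shared the `/**` role list are folded into the final `/**` rule.

```xml
<!-- Added example: the question's rules merged into one filter chain. -->
<!-- Assumption: placed inside the existing root element, next to the
     existing authentication-manager definition (not shown on the page). -->

<!-- Unsecured patterns come first: a pattern-less <http> matches every
     request and must be declared last. security="none" skips all filters,
     so these resources have no SecurityContext available. -->
<http pattern="/ordreminderform.jsp" security="none" />
<http pattern="/passwordreminder.jsp" security="none" />
<http pattern="/getUser.jsp" security="none" />
<http pattern="/csra2.css" security="none" />
<http pattern="/imagens/**" security="none" />
<http pattern="/js/**" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/fonts/**" security="none" />

<!-- The single catch-all chain. Its form-login element supplies the
     AuthenticationEntryPoint the error message asks for. -->
<http auto-config="true" access-denied-page="/accessDenied.jsp">
    <!-- intercept-url rules are checked top to bottom; first match wins,
         so specific rules go before the /** rule. -->
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/Users.do" access="ROLE_ADMIN" />
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <!-- Covers /index.jsp, /Project.do, /Csra.do, /About.do and
         /usuarios/**, which all used this same role list. -->
    <intercept-url pattern="/**"
        access="ROLE_USER,ROLE_ADMIN,ROLE_B1,ROLE_B2,ROLE_B3" />

    <session-management session-fixation-protection="newSession">
        <concurrency-control max-sessions="1"
            error-if-maximum-exceeded="false" />
    </session-management>

    <form-login login-page="/login.jsp"
        authentication-failure-url="/login.jsp?login_error=true"
        username-parameter="username" password-parameter="password"
        default-target-url="/index.jsp" always-use-default-target="true" />
</http>
```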

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow