Question

Facing a strange problem: the application works fine on HTTP but redirects to the login page again once we add an SSL certificate. Below is the code snippet from spring-security.xml:

    <security:http auto-config="false" use-expressions="true" access-denied-page="/pages/denied.rs" entry-point-ref="authenticationEntryPoint" disable-url-rewriting="true">
        <security:intercept-url pattern="/pages/doLogin.rs" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')" />
        <security:intercept-url pattern="/**" requires-channel="any" access="hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')"/>
        <security:logout invalidate-session="true" logout-success-url="/pages/login.rs"/>
        <security:custom-filter after="FILTER_SECURITY_INTERCEPTOR" ref="applicationRequestFilter" />
        <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
        <security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
        <security:session-management session-authentication-strategy-ref="sas" invalid-session-url="/pages/sessiontimeout.rs"/>
    </security:http>

    <bean id="authenticationFilter"
            class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
            p:authenticationManager-ref="customAuthenticationManager"
            p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
            p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

    <bean id="customAuthenticationSuccessHandler"
            class="com.mycomapny.CustomAuthenticationSuccessHandler"
            p:defaultTargetUrl="/pages/doLogin.rs" />

    <bean id="authenticationEntryPoint"
            class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
            p:loginFormUrl="/pages/login.rs" />

I have added an SSL certificate in my JBOSS standalone.xml as below:

    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
        <connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="http" redirect-port="8443"/>
        <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enable-lookups="false" secure="true">
            <ssl name="selfsigned" password="password" certificate-key-file="D:\keystore.jks" protocol="TLSv1" verify-client="false"/>
        </connector>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="127.0.0.1"/>
            <alias name="example.com"/>
        </virtual-server>
        <configuration>
            <jsp-configuration development="true"/>
        </configuration>
    </subsystem>

When I try to access my application using an HTTPS URL like https://mydomain.com:8443/mywebapp/login.rs , it displays the user name password page.

After entering valid credentials, it goes to the authentication manager and, before redirecting to the success handler URL /doLogin.rs, it gives the below exception and redirects again to the login page:

15:31:57,674 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] () Checking match of request : '/pages/dologin.rs'; against '/pages/dologin.rs'
15:31:57,675 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] () Secure object: FilterInvocation: URL: /pages/doLogin.rs; Attributes: [hasAnyRole('ROLE_SYSTEM_ADMINISTRATOR', 'ROLE_KEY_ACCOUNT_MANAGER', 'ROLE_A', 'ROLE_B')]
15:31:57,675 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] () Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90579aae: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2eb76: RemoteIpAddress: my machine ip address; SessionId: MdlIOjDwbSdN+e9r0-6CEkxJ; Granted Authorities: ROLE_ANONYMOUS
15:31:57,690 DEBUG [org.springframework.security.access.vote.AffirmativeBased] () Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1d80d50, returned: -1
15:31:57,691 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of singleton bean 'org.springframework.context.annotation.internalScheduledAnnotationProcessor'
15:31:57,692 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of singleton bean 'org.springframework.scheduling.config.ContextLifecycleScheduledTaskRegistrar#0'
15:31:57,693 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] () Returning cached instance of singleton bean 'sessionRegistry'
15:31:57,693 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] () Access is denied (user is anonymous); redirecting to authentication entry point: org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:206) [spring-security-core-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.config.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:69) [spring-security-config-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.security.config.debug.DebugFilter.doFilter(DebugFilter.java:58) [spring-security-config-3.1.4.RELEASE.jar:3.1.4.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_13]

We are using cookie header in response as httpOnly;Secure

I tried to add requires-channel="https" but it didn't work either.

Solution 2

The problem is resolved: I was manually setting the below headers in my response to avoid security defects... due to this I was getting the access denied exception.

I removed the below code and added it at the Apache level and it worked fine.

    String sessionid = request.getSession(true).getId();
    resp.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid
                + "; Secure; HttpOnly");
    resp.setHeader("Expires", "Tue, 14 May 1985 00:00:00 GMT");
    resp.setHeader("Last-Modified", new Date().toString());
    resp.setHeader(
                "Cache-Control",
                "no-store, no-cache, no-store, must-revalidate, max-age=0, post-check=0, pre-check=0");
    resp.setHeader("Pragma", "no-cache");
    resp.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
    resp.addHeader("strict-transport-security", "max-age=631138519");
    resp.addHeader("x-xss-protection", "1; mode=block");
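
As an added example (not part of the original answer, and not the poster's Apache-level change): on a Servlet 3.0 container the same cookie flags can be set through `SessionCookieConfig`, so the container keeps writing `Set-Cookie` itself, whereas `setHeader("SET-COOKIE", ...)` replaces any `Set-Cookie` value already set on the response. The class names are hypothetical and the two classes belong in separate source files.

```java
// Added example; class names are hypothetical. Assumes Servlet 3.0 (javax.servlet).
// --- SessionCookieHardening.java ---
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must run during context start-up; later calls throw IllegalStateException.
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true); // container adds HttpOnly to its own JSESSIONID cookie
        cookie.setSecure(true);   // browser then sends the cookie over HTTPS only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

// --- SecurityHeadersFilter.java ---
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class SecurityHeadersFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Only non-cookie headers are touched; Set-Cookie stays with the container.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
        resp.setHeader("X-XSS-Protection", "1; mode=block");
        if (req.isSecure()) { // HSTS is only honoured on HTTPS responses
            resp.setHeader("Strict-Transport-Security", "max-age=631138519");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With `setSecure(true)` the browser no longer returns the session cookie on the plain HTTP connector, so the whole login flow has to stay on HTTPS.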

OTHER TIPS

If you don't want this login-form to appear please remove the following maven-dependency:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

Hope this helps someone.

This error comes if you have added the (logback-classic/logback-classic) jar file in your lib. Ex: ch.qos.logback logback-classic ${logback.version}

If you have mapped it or its dependency jar, then remove it to resolve "org.springframework.security.access.AccessDeniedException: Access is denied"

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow