Question

I'm trying to set up a basic spring-security-ldap authentication with a login form, but when I try to log in I still get an HTTP Basic popup, which doesn't allow login.

My security.xml:

<s:http>
  <s:intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <s:intercept-url pattern="/**/*.html*" access="ROLE_ADMIN,ROLE_USER,ROLE_READONLY" />
  <s:form-login login-page="/login.jsp"
            authentication-failure-url="/login.jsp?error=true"
            login-processing-url="/j_security_check"
            default-target-url="/mainMenu.html"
            always-use-default-target="true" />
  <s:logout />
</s:http>

<s:ldap-server url="${ldap.url}"
             manager-dn="${ldap.adm_username}"
             manager-password="${ldap.adm_password}"/>

<s:authentication-manager>
  <s:ldap-authentication-provider user-search-filter="(cn={0})"
                                  user-search-base="${ldap.user_search_base}"
                                  group-search-base="ou=myapp,ou=mysystem,o=ACME"
                                  role-prefix="none"/>
</s:authentication-manager>

From web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- First filter-mapping in file -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This is part of a refactoring job, and when comparing to a deployed version of how it was before refactoring, the url (server):(port)/(webapproot)/j_security_check is not available, but it is available after the refactoring, and prompts a basic login box, which is also what pops up when trying to log in through the login-page.

When trying to log in through the login box, I get this stack trace in the server log:

    [#|2013-02-26T12:41:30.411+0100|WARNING|glassfish3.1|javax.enterprise.system.container.web.com.sun.web.security|_ThreadID=333;_ThreadName=Thread-1;|Exception
    com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Failed file login for .
      at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:394)
      at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:240)
      at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:153)
      at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:483)
      at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:425)
      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:176)
      at org.apache.catalina.authenticator.AuthenticatorBase.processSecurityCheck(AuthenticatorBase.java:909)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:487)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
      at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
      at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
      at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
      at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
      at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
      at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
      at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
      at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
      at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
      at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
      at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
      at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
      at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
      at java.lang.Thread.run(Thread.java:722)
    Caused by: javax.security.auth.login.LoginException: Failed file login for .
      at com.sun.enterprise.security.auth.login.FileLoginModule.authenticate(FileLoginModule.java:84)
      at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
      at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:601)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
      at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382)
      ... 29 more
    |#]

How do I disable the basic-login, and what am I missing in order to make the authentication against the ldap-server?

Update:

I changed the glassfish security realm to ldap-realm, and set it up as it was on the old glassfish server. Also, I disabled the "security manager" in glassfish. Now, I still get the extra pop-up login box, but the stacktrace looks better:

    [#|2013-02-26T13:47:49.640+0100|WARNING|glassfish3.1|javax.enterprise.system.container.web.com.sun.web.security|_ThreadID=90;_ThreadName=Thread-1;|Exception
    com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Access denied on empty password for user .
        at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:394)
        at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:240)
        at com.sun.enterprise.security.auth.login.LoginContextDriver.login(LoginContextDriver.java:153)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:483)
        at com.sun.web.security.RealmAdapter.authenticate(RealmAdapter.java:425)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:176)
        at org.apache.catalina.authenticator.AuthenticatorBase.processSecurityCheck(AuthenticatorBase.java:909)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:487)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:623)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:98)
        at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:91)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:162)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:326)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:227)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:170)
        at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:822)
        at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:719)
        at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1013)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:225)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
        at java.lang.Thread.run(Thread.java:722)
    Caused by: javax.security.auth.login.LoginException: Access denied on empty password for user .
        at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticate(LDAPLoginModule.java:102)
        at com.sun.enterprise.security.auth.login.PasswordLoginModule.authenticateUser(PasswordLoginModule.java:117)
        at com.sun.appserv.security.AppservPasswordLoginModule.login(AppservPasswordLoginModule.java:148)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
        at com.sun.enterprise.security.auth.login.LoginContextDriver.doPasswordLogin(LoginContextDriver.java:382)
        ... 29 more
    |#]

But how do I disable glassfish's security mechanism altogether, and only rely on the spring one?

Update #2: Found the culprit. I had this in default-web.xml in my glassfish installation:

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

Removed it, and no more login-box :) Off to the next problem then :p

Solution

Your basic authentication is not handled by Spring Security. Look into the stack trace. There are no Spring Security filters. It looks like your basic authentication is handled by Glassfish itself. Try to disable basic authentication through Glassfish. Do you have login-config and security-constraint tags in the web.xml? If it's true then just remove them.
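
The check described in this answer and in the question's Update #2, as an added example that is not part of the original post: a Python script that scans deployment descriptors for container-managed authentication (login-config, security-constraint) declared alongside Spring Security's DelegatingFilterProxy. The descriptor contents are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SPRING_PROXY = "org.springframework.web.filter.DelegatingFilterProxy"

# Constructed samples modelled on the question: GlassFish's default-web.xml
# carrying BASIC auth, and the application's web.xml with the Spring filter.
SAMPLE = {
    "default-web.xml": """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>""",
    "web.xml": """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
</web-app>""",
}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit(descriptors):
    """Report container-managed auth and where the Spring filter is declared."""
    container_auth, spring_filter_in = [], []
    for name, xml_text in descriptors.items():
        for el in ET.fromstring(xml_text).iter():
            tag = local(el.tag)
            if tag == "login-config":
                methods = [(c.text or "").strip() for c in el
                           if local(c.tag) == "auth-method"]
                container_auth.append((name, tag, methods[0] if methods else "(unset)"))
            elif tag == "security-constraint":
                container_auth.append((name, tag, ""))
            elif tag == "filter-class" and (el.text or "").strip() == SPRING_PROXY:
                spring_filter_in.append(name)
    # Both present: the container's authenticator can challenge before any filter runs.
    return {"container_auth": container_auth,
            "spring_filter_in": spring_filter_in,
            "conflict": bool(container_auth and spring_filter_in)}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it over both the server-wide default-web.xml and the application's own web.xml, since the server-wide file applies to every deployed application.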

Licensed under: CC-BY-SA with attribution