<security:intercept-url pattern="/**" access="denyAll" />
You wrote this rule last; change its position in the sequence and put it before all the other definitions.
Pergunta
I had everything working fine the other day, but now when I log in I get a 403 error saying the requested page is forbidden. The user is nevertheless logged in successfully, i.e. I can go back and access the secured pages. There are no errors in the console.
login.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%--
Login form for Spring Security's form-login filter. The form posts j_username and
j_password to /j_spring_security_check, which are the default parameter names and
processing URL of the 3.x UsernamePasswordAuthenticationFilter; the security XML must
keep those defaults (or this page must change with it) for logins to be processed.
NOTE(review): the page is served as ISO-8859-1, so browsers will normally submit the
form in that charset; credentials containing non-Latin-1 characters may not round-trip
unchanged. Consider UTF-8 here and confirm the request-encoding setup on the server.
--%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Login Page</title>
<link href="${pageContext.request.contextPath}/resources/css/main.css"
rel="stylesheet" type="text/css">
</head>
<%-- Puts the cursor in the username field as soon as the page loads. --%>
<body onload='document.f.j_username.focus();'>
<h3>Login with Username and Password</h3>
<%-- Shown when the authentication-failure URL carries an "error" query parameter.
The message is generic: it does not say whether the username or the password was
wrong, so it does not reveal which usernames exist. --%>
<c:if test="${param.error != null}">
<p class="error">Login failed. Check user name and password.</p>
</c:if>
<%-- NOTE(review): the form carries no anti-CSRF token; whether one is needed depends
on the Spring Security version in use (3.1 does not add one itself), so confirm how
login CSRF is handled for this deployment. --%>
<form name='f'
action='${pageContext.request.contextPath}/j_spring_security_check'
method='POST'>
<table class="formtable">
<tr>
<td class="title">User:</td>
<td><input class="control" type='text' name='j_username' value=''></td>
</tr>
<tr>
<td class="title">Password:</td>
<td><input class="control" type='password' name='j_password' /></td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="Login" /></td>
</tr>
</table>
</form>
<p><a href="${pageContext.request.contextPath}/newAccount">Create a new account. </a></p>
</body>
</html>
security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Spring Security 3.1 configuration for the pharmacy application. The listing on this
page ends before the closing beans tag.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<!-- Users and their authorities are read from the database behind "dataSource".
No custom queries are given, so the default users/authorities tables are assumed
unless users-by-username-query / authorities-by-username-query are set elsewhere. -->
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service
data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<!-- intercept-url rules are evaluated top-down and the first matching pattern wins,
so the role-restricted paths are listed first and the catch-all last.
NOTE(review): with this schema version hasRole() compares the authority string
literally, so the stored authority must be exactly "admin", "doctor", ... (no ROLE_
prefix is added); confirm against the authorities table. -->
<security:intercept-url pattern="/adminPortal"
access="hasRole('admin')" />
<security:intercept-url pattern="/addDrug"
access="hasRole('admin')" />
<security:intercept-url pattern="/drugAdded"
access="hasRole('admin')" />
<security:intercept-url pattern="/addingDrug"
access="hasRole('admin')" />
<security:intercept-url pattern="/drugList"
access="hasRole('admin')" />
<security:intercept-url pattern="/userList"
access="hasRole('admin')" />
<security:intercept-url pattern="/doctorPortal"
access="hasRole('doctor')" />
<security:intercept-url pattern="/pharmacistPortal"
access="hasRole('pharmacist')" />
<security:intercept-url pattern="/customerPortal"
access="hasRole('customer')" />
<!-- Public paths: the landing page, static resources and the login / account
creation flow must be reachable before authentication. -->
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/resources/**"
access="permitAll" />
<security:intercept-url pattern="/login"
access="permitAll" />
<security:intercept-url pattern="/newAccount"
access="permitAll" />
<security:intercept-url pattern="/accountCreated"
access="permitAll" />
<security:intercept-url pattern="/createAccount"
access="permitAll" />
<security:intercept-url pattern="/logout"
access="permitAll" />
<!-- Default-deny catch-all: any path not listed above is refused, even for
authenticated users, so every new controller mapping needs an explicit entry above
this line. -->
<security:intercept-url pattern="/**" access="denyAll" />
<!-- NOTE(review): no default-target-url is set, so a successful login redirects to
the originally requested URL (or "/"). If that URL is not covered by an entry above
it falls through to denyAll and the browser sees a 403 although the login itself
succeeded; worth checking which URL the 403 is actually returned for. -->
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
<!-- "/logout" here is the page shown after logging out; the logout-processing URL
is not set and keeps its default. -->
<security:logout logout-success-url="/logout" />
</security:http>
Login Controller
package com.pharmacy.management.system.controller;
import javax.validation.Valid;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.pharmacy.management.system.dao.User;
import com.pharmacy.management.system.service.UserService;
/**
 * Serves the login and logout pages and the self-service account creation flow.
 *
 * <p>Authentication itself is not handled here: the login form posts to Spring
 * Security's processing URL. This controller only renders views and creates users
 * through {@link UserService}.
 */
@Controller
public class LoginController {

    /** View shown again whenever account creation cannot proceed. */
    private static final String NEW_ACCOUNT_VIEW = "newAccount";

    /** Message code reported when the chosen username is already taken. */
    private static final String DUPLICATE_USERNAME_CODE = "DuplicateKey.user.username";

    private UserService userService;

    /**
     * Injects the user service used for existence checks and account creation.
     *
     * @param userService service backing account creation
     */
    @Autowired
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    /** @return the login view; the form it renders posts to the security filter */
    @RequestMapping("/login")
    public String showLogin() {
        return "login";
    }

    /** @return the page shown after a logout has completed */
    @RequestMapping("/logout")
    public String showLogout() {
        return "logout";
    }

    /**
     * Shows the empty registration form.
     *
     * @param model receives a blank {@code user} for form binding
     * @return the registration view
     */
    @RequestMapping("/newAccount")
    public String newAccount(Model model) {
        model.addAttribute("user", new User());
        return NEW_ACCOUNT_VIEW;
    }

    /**
     * Shows the confirmation page after an account was created.
     *
     * @param model receives a blank {@code user}, as the view expects one
     * @return the confirmation view
     */
    @RequestMapping("/accountCreated")
    public String accountCreated(Model model) {
        model.addAttribute("user", new User());
        return "accountCreated";
    }

    /**
     * Handles the registration form submission.
     *
     * @param user   bound and validated form data
     * @param result validation outcome; receives a field error on duplicate username
     * @return the registration view on any error, otherwise the confirmation view
     */
    @RequestMapping(value = "/createAccount", method = RequestMethod.POST)
    public String createAccount(@Valid User user, BindingResult result) {
        if (result.hasErrors()) {
            return NEW_ACCOUNT_VIEW;
        }
        // NOTE(review): every self-registered account is granted the "doctor" authority
        // and enabled immediately; confirm that is intended, since this endpoint is open
        // to anonymous users in the accompanying security configuration.
        user.setAuthority("doctor");
        user.setEnabled(true);
        if (userService.exists(user.getUsername())) {
            return rejectDuplicateUsername(result);
        }
        try {
            userService.create(user);
        } catch (DataAccessException persistenceFailure) {
            // Covers the race between exists() and create(); note that any other
            // persistence failure is reported as a duplicate username as well, and the
            // exception is not logged (this class has no logger).
            return rejectDuplicateUsername(result);
        }
        return "accountCreated";
    }

    /** Records a duplicate-username error on the form and returns the view to redisplay. */
    private static String rejectDuplicateUsername(BindingResult result) {
        result.rejectValue("username", DUPLICATE_USERNAME_CODE);
        return NEW_ACCOUNT_VIEW;
    }
}
Solução
<security:intercept-url pattern="/**" access="denyAll" />
You wrote this rule last; change its position in the sequence and put it before all the other definitions.
Outras dicas
Try doing it as in my configuration. The order of the intercept-url rules is very important:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Example Spring Security 3.1 configuration using the security namespace as the default
namespace (beans are prefixed with "beans:").
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP security configurations -->
<!-- NOTE(review): auto-config="true" registers the default form-login, logout and
HTTP Basic support in this version, so credentials may also be accepted through an
Authorization header; confirm that is intended. -->
<http auto-config="true" use-expressions="true">
<!-- The login and logout processing URLs are placed under /resources/, which is
permitAll below, so the filter can always reach them. -->
<form-login login-processing-url="/resources/j_spring_security_check"
login-page="/login" authentication-failure-url="/login?login_error=t" />
<logout logout-url="/resources/j_spring_security_logout" />
<!-- Configure these elements to secure URIs in your application -->
<!-- Rules are evaluated top-down and the first match wins, so specific paths must
precede the catch-all at the end. -->
<intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/member/**" access="isAuthenticated()" />
<intercept-url pattern="/resources/**" access="permitAll" />
<intercept-url pattern="/login/**" access="permitAll" />
<intercept-url pattern="/home/**" access="permitAll" />
<!-- ROLE_ANONYMOUS is granted only to unauthenticated requests, so these three
flows are presumably meant to be unreachable once a user is logged in. -->
<intercept-url pattern="/password/reset" access="hasRole('ROLE_ANONYMOUS')" />
<intercept-url pattern="/account/create" access="hasRole('ROLE_ANONYMOUS')" />
<intercept-url pattern="/account/activate" access="hasRole('ROLE_ANONYMOUS')" />
<intercept-url pattern="/password/change" access="isAuthenticated()" />
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/client/**" access="hasRole('ROLE_CLIENT')" />
<!-- Default-allow catch-all: any path not listed above is open to anonymous users.
This differs from a denyAll catch-all, where unlisted paths are refused; with
permitAll every new protected mapping must be added above or it is exposed. -->
<intercept-url pattern="/**" access="permitAll" />
</http>
<!-- Configure Authentication mechanism -->
<!-- customAuthenticationProvider is defined elsewhere; it is not shown in this listing. -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<!-- NOTE(review): MessageDigestPasswordEncoder applies a single fast SHA-256 digest,
which offers little resistance to offline brute force once a password table leaks;
an adaptive hash (for example the BCryptPasswordEncoder in the crypto module) is the
usual recommendation. This bean is not referenced in this listing; presumably it is
wired into customAuthenticationProvider. -->
<beans:bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder">
<beans:constructor-arg value="SHA-256" />
</beans:bean>
</beans:beans>