Hi all,

I've just started to learn Spring Security to migrate from Acegi and
faced a URL rewriting problem.
My sample tutorial won't let me log in when I disable cookies.

I changed applicationContext-security.xml like this:

    <http auto-config="true">
        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <form-login login-page="/login.jsp"/>
    </http>

session-fixation-protection defaults to 'migrateSession'.

I also changed some links in index.jsp in order to get jsessionid appended.

<p><a href="<%= response.encodeURL("secure/index.jsp") %>">Secure page</a></p>
<p><a href="<%= response.encodeURL("secure/extreme/index.jsp") %>">Extremely secure page</a></p>


What happened is that every time I succeeded in authentication, the app
redirected to the login page with a new session id.

If you change the session-fixation-protection attribute value to 'none',
you can log in as normal.

Below are the HTTP response headers. Look at 'Set-Cookie' and 'Location'.
The application tries to set a new id in the cookie, whereas the redirect
URL still holds the old one.


Is there a missing configuration point, or should I raise a JIRA issue as a bug?

Satoshi



----------------------------------------------------------
http://localhost:8080/spring-security-samples-tutorial-2.0.1/j_spring_security_check;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

POST /spring-security-samples-tutorial-2.0.1/j_spring_security_check;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.7,ja;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

j_username=rod&j_password=koala&submit=%8E%C0%8Ds

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2FDF7744C4F9D4FA24EE8CDA021AD763; Path=/spring-security-samples-tutorial-2.0.1
Location: http://localhost:8080/spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9
Content-Length: 0
Date: Mon, 12 May 2008 13:51:09 GMT

----------------------------------------------------------
http://localhost:8080/spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

GET /spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.7,ja;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7605C45F723892257A7600FBA10F5800; Path=/spring-security-samples-tutorial-2.0.1
Location: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=7605C45F723892257A7600FBA10F5800
Content-Length: 0
Date: Mon, 12 May 2008 13:51:09 GMT

----------------------------------------------------------
http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=7605C45F723892257A7600FBA10F5800

GET /spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=7605C45F723892257A7600FBA10F5800 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.7,ja;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 1108
Date: Mon, 12 May 2008 13:51:09 GMT

----------------------------------------------------------
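As an added example (not code from the post above, nor from Spring Security), here is a small Python check for the failure the traces show: a 302 that sets a new JSESSIONID cookie while its Location still carries the pre-migration id in the ;jsessionid path parameter, which is exactly what a cookie-less client follows. The sample response is constructed from the first 302 quoted above; `rewrite_session_path_param` shows what a consistent redirect target would look like.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed from the first 302 response quoted in the post (headers copied
# from the trace; nothing else is captured here).
RESPONSE_AFTER_LOGIN = """HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2FDF7744C4F9D4FA24EE8CDA021AD763; Path=/spring-security-samples-tutorial-2.0.1
Location: http://localhost:8080/spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9
Content-Length: 0
"""

JSESSIONID_COOKIE = re.compile(r"^Set-Cookie:\s*JSESSIONID=([0-9A-Fa-f]+)", re.M | re.I)
LOCATION = re.compile(r"^Location:\s*(\S+)", re.M | re.I)
PATH_PARAM = re.compile(r";jsessionid=([0-9A-Fa-f]+)", re.I)


def session_ids(raw_response):
    """Return (cookie_id, url_id) from a raw HTTP response; None when absent."""
    cookie = JSESSIONID_COOKIE.search(raw_response)
    loc = LOCATION.search(raw_response)
    url_id = PATH_PARAM.search(loc.group(1)) if loc else None
    return (cookie.group(1) if cookie else None,
            url_id.group(1) if url_id else None)


def redirect_is_consistent(raw_response):
    """False when the response migrates the session (new JSESSIONID cookie) but
    the redirect target still names a different session in its path parameter.
    A client with cookies disabled follows Location and presents the stale id,
    so the server sees an unauthenticated session and sends it back to login."""
    cookie_id, url_id = session_ids(raw_response)
    if cookie_id is None or url_id is None:
        return True  # nothing to compare: no migration, or no URL rewriting in play
    return cookie_id.upper() == url_id.upper()


def rewrite_session_path_param(url, new_id):
    """Replace (or add) the ;jsessionid path parameter so a redirect issued after
    session migration points at the new session instead of the old one."""
    parts = urlsplit(url)
    path = PATH_PARAM.sub("", parts.path)
    return urlunsplit(parts._replace(path=f"{path};jsessionid={new_id}"))
```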



_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer