Hi all, I've just started to learn Spring Security to migrate from Acegi and faced some URL rewriting problem. My sample tutorial won't let me log in when I disable cookies.

I changed applicationContext-security.xml like this:

    <http auto-config="true">
        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <form-login login-page="/login.jsp"/>
    </http>

session-fixation-protection defaults to 'migrateSession'. I also changed some links in index.jsp in order to get jsessionid appended.

    <p><a href="<%= response.encodeURL("secure/index.jsp") %>">Secure page</a></p>
    <p><a href="<%= response.encodeURL("secure/extreme/index.jsp") %>">Extremely secure page</a></p>

What happened is that every time I succeeded in authentication, the app redirected to the login page with a new session id. If you change the session-fixation-protection attribute value to 'none', you can log in normally. Below are the HTTP response headers. Look at 'Set-Cookie' and 'Location'. The application tries to set a new id in the cookie, whereas the redirection URL still holds the old one. Is there a missing configuration point, or should I raise a JIRA issue as a bug?
Satoshi

----------------------------------------------------------
http://localhost:8080/spring-security-samples-tutorial-2.0.1/j_spring_security_check;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

POST /spring-security-samples-tutorial-2.0.1/j_spring_security_check;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.7,ja;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
j_username=rod&j_password=koala&submit=%8E%C0%8Ds

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2FDF7744C4F9D4FA24EE8CDA021AD763; Path=/spring-security-samples-tutorial-2.0.1
Location: http://localhost:8080/spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9
Content-Length: 0
Date: Mon, 12 May 2008 13:51:09 GMT
----------------------------------------------------------
http://localhost:8080/spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

GET /spring-security-samples-tutorial-2.0.1/secure/index.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.7,ja;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7605C45F723892257A7600FBA10F5800; Path=/spring-security-samples-tutorial-2.0.1
Location: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=7605C45F723892257A7600FBA10F5800
Content-Length: 0
Date: Mon, 12 May 2008 13:51:09 GMT
----------------------------------------------------------
http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=7605C45F723892257A7600FBA10F5800

GET /spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=7605C45F723892257A7600FBA10F5800 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en,en-us;q=0.7,ja;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: Shift_JIS,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost:8080/spring-security-samples-tutorial-2.0.1/login.jsp;jsessionid=F5E27F2C3BBDE01BB2A8B1B5ED64E9B9

HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 1108
Date: Mon, 12 May 2008 13:51:09 GMT
----------------------------------------------------------

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
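The trace above shows the ordering problem in isolation: the Location header was URL-encoded with the old session id, and only afterwards was the session migrated to a new id that travels in Set-Cookie. A cookie-less client follows the Location URL, presents an id that no longer exists, gets a fresh unauthenticated session, and is bounced to the login page. The Python model below is an added example, not code from the post or from Spring Security; it simulates a container with both cookie- and URL-based session tracking (a simplified stand-in for the servlet container's JSESSIONID handling) and runs the login redirect with both orderings, so the reader can see why the redirect target must be encoded after session migration. All class and function names are constructed for the illustration.

```python
"""Model of 'migrateSession' session-fixation protection combined with
URL rewriting (;jsessionid=...). Constructed example; not Spring Security code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Container:
    """Minimal stand-in for a servlet container's session registry."""
    sessions: dict = field(default_factory=dict)  # session id -> attributes

    def new_session(self, attrs=None):
        sid = secrets.token_hex(16).upper()
        self.sessions[sid] = dict(attrs or {})
        return sid

    def migrate_session(self, old_id):
        """Session-fixation protection: invalidate the old id, keep the
        attributes under a brand-new id."""
        attrs = self.sessions.pop(old_id, {})
        return self.new_session(attrs)

    @staticmethod
    def encode_url(url, sid):
        """response.encodeURL() equivalent when cookies are unavailable:
        append the *current* session id as a path parameter."""
        return f"{url};jsessionid={sid}"

    def resolve(self, request_path, cookie_sid=None):
        """Containers prefer the cookie; fall back to the URL path parameter.
        Returns a valid session id or None."""
        if cookie_sid and cookie_sid in self.sessions:
            return cookie_sid
        if ";jsessionid=" in request_path:
            sid = request_path.split(";jsessionid=", 1)[1]
            if sid in self.sessions:
                return sid
        return None


def login_then_redirect(container, old_sid, target, migrate_first):
    """Authentication-success handler. migrate_first=False reproduces the
    ordering seen in the trace: the redirect URL is encoded before the
    session is migrated, so it carries the soon-to-be-invalid id."""
    if migrate_first:
        new_sid = container.migrate_session(old_sid)
        location = container.encode_url(target, new_sid)
    else:
        location = container.encode_url(target, old_sid)   # stale id baked in
        new_sid = container.migrate_session(old_sid)
    container.sessions[new_sid]["authenticated"] = True
    return {"Set-Cookie": new_sid, "Location": location}


def follow_redirect(container, response, cookies_enabled):
    """Client follows the 302. Without cookies, only the URL id is sent.
    An unauthenticated (or unknown) session is sent to the login page."""
    cookie = response["Set-Cookie"] if cookies_enabled else None
    sid = container.resolve(response["Location"], cookie)
    if sid and container.sessions[sid].get("authenticated"):
        return "secure page"
    return "login page"


def demo():
    """Run all four combinations; returns {(ordering, cookies_enabled): outcome}."""
    results = {}
    for migrate_first in (False, True):
        for cookies_enabled in (False, True):
            c = Container()
            pre_login_sid = c.new_session()          # id from the login form
            resp = login_then_redirect(c, pre_login_sid, "/secure/index.jsp", migrate_first)
            label = "migrate-then-encode" if migrate_first else "encode-then-migrate"
            results[(label, cookies_enabled)] = follow_redirect(c, resp, cookies_enabled)
    return results


if __name__ == "__main__":
    for (ordering, cookies), outcome in demo().items():
        print(f"{ordering:20s} cookies={cookies!s:5s} -> {outcome}")
```

Only the encode-then-migrate ordering with cookies disabled lands on the login page, exactly the behaviour in the trace; with cookies enabled the browser's new JSESSIONID cookie masks the stale URL id, which is why the bug only surfaces under URL rewriting. The fix on the framework side is the other ordering: migrate the session first, then build (or re-encode) the redirect URL, so both Set-Cookie and Location agree on the id.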