<p>In your configuration You require the user to be <strong>always</strong> authenticated when entering <strong>any</strong> URL on Your site:</p>
<pre><code>&lt;security:intercept-url pattern="/**" access="ROLE_USER" /&gt;
</code></pre>
<p>I think You should allow the user to be <strong>unauthenticated</strong> when <strong>entering the login page</strong>:</p>
<pre><code>&lt;security:intercept-url pattern="/your-login-page-url" access="ROLE_ANONYMOUS" /&gt;
&lt;security:intercept-url pattern="/your-login-process-url" access="ROLE_ANONYMOUS" /&gt;
&lt;security:intercept-url pattern="/your-login-failure-url" access="ROLE_ANONYMOUS" /&gt;
&lt;security:intercept-url pattern="/**" access="ROLE_USER" /&gt;
</code></pre>
<p>If You use URLs like: <code>/login/start</code>, <code>/login/error</code> and <code>/login/failure</code> You can have:</p>
<pre><code>&lt;security:intercept-url pattern="/login/**" access="ROLE_ANONYMOUS" /&gt;
&lt;security:intercept-url pattern="/**" access="ROLE_USER" /&gt;
</code></pre>
<p><strong>Update:</strong></p>
<p>Having this configuration should make the framework redirect all unauthenticated (anonymous) users to the login page, and all authenticated to <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/access/AccessDeniedHandler.html">AccessDeniedHandler</a>. The <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/access/AccessDeniedException.html">AccessDeniedException</a> is one of the core parts of the framework and ignoring it is not a good idea. It's hard to help more if You only provide parts of Your Spring Security configuration.</p>
<p>Be sure to read the JavaDoc for <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/access/ExceptionTranslationFilter.html">ExceptionTranslationFilter</a> for a detailed explanation of what exceptions are thrown by the framework, why, and how they are handled by default.</p>
<p>If possible, try removing as many custom parts You added as You can, like <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/AuthenticationSuccessHandler.html">AuthenticationSuccessHandler</a>, <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.html">RememberMeAuthenticationFilter</a> and <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/access/AccessDeniedHandler.html">AccessDeniedHandler</a>, and see if the problem persists. Try to get the minimal configuration and add new features step by step to see where the error comes from.</p>
<p>One important thing that You don't mention in Your question is what is the result of this error message? Do You get <code>HTTP 500</code>? Or <code>HTTP 403</code>? Or do You get redirected to the login page?</p>
<p>If, as You mentioned in the question, the user is unauthenticated and he/she gets redirected to the login page, then that's how it's intended to work. It looks like You get the error message logged by <a href="https://fisheye.springsource.org/browse/spring-security/web/src/main/java/org/springframework/security/web/access/ExceptionTranslationFilter.java?r=56e86dd36f575595dfb40def92776e08f3ddec8f">ExceptionTranslationFilter:172</a> only because You have <code>DEBUG</code> level set for Spring Security classes. If so, then that's also how it's intended to work, and if You don't want the error logged, then simply raise the logging level for Spring Security classes.</p>
<p><strong>Update 2:</strong></p>
<p>The patterns with <code>filters="none"</code> must match the <code>login-page</code>, <code>login-processing-url</code> and <code>authentication-failure-url</code> attributes set in <code>&lt;security:form-login /&gt;</code> to skip all Spring Security checks on pages that display the login page and process the logging in.</p>
<pre><code>&lt;security:http auto-config='true'&gt;
  &lt;security:intercept-url pattern="/static/**" filters="none"/&gt;
  &lt;security:intercept-url pattern="/index" filters="none"/&gt;
  &lt;security:intercept-url pattern="/j_spring_security_check" filters="none"/&gt;
  &lt;security:intercept-url pattern="/**" access="ROLE_USER" /&gt;
  &lt;security:form-login login-page="/index"
                       default-target-url="/home"
                       always-use-default-target="true"
                       authentication-success-handler-ref="AuthenticationSuccessHandler"
                       login-processing-url="/j_spring_security_check"
                       authentication-failure-url="/index?error=true"/&gt;
  &lt;security:remember-me key="myLongSecretCookieKey"
                        token-validity-seconds="1296000"
                        data-source-ref="jdbcDataSource"
                        user-service-ref="AppUserDetailsService" /&gt;
  &lt;security:access-denied-handler ref="myAccessDeniedHandler" /&gt;
&lt;/security:http&gt;
</code></pre>
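Added example, not part of the original answer and not Spring Security's own code: a simplified Java model of how an ordered list of `intercept-url` rules is evaluated, where the first matching pattern decides, a denied anonymous user is redirected to the login page, and a denied authenticated user goes to the AccessDeniedHandler. The class name, `matches()` and `decide()` are hypothetical, and the matcher covers only exact paths and a trailing `/**`.

```java
import java.util.List;
import java.util.Set;

// Simplified model of ordered <intercept-url> evaluation (Java 16+).
// Not Spring Security code: matches() handles only exact paths and a trailing "/**".
public class InterceptUrlOrder {
    record Rule(String pattern, String access) {}

    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // The first matching rule decides; later rules are never consulted.
    static String decide(List<Rule> rules, String path, Set<String> roles) {
        for (Rule rule : rules) {
            if (!matches(rule.pattern(), path)) continue;
            if (roles.contains(rule.access())) return "ALLOW";
            // Denied: anonymous callers go to the login entry point,
            // authenticated callers go to the AccessDeniedHandler.
            return roles.contains("ROLE_ANONYMOUS") ? "REDIRECT_TO_LOGIN" : "ACCESS_DENIED_HANDLER";
        }
        return "ALLOW"; // no rule matched, so the URL is not protected
    }

    public static void main(String[] args) {
        List<Rule> catchAllOnly = List.of(new Rule("/**", "ROLE_USER"));
        List<Rule> loginFirst = List.of(
                new Rule("/login/**", "ROLE_ANONYMOUS"),
                new Rule("/**", "ROLE_USER"));
        List<Rule> loginLast = List.of(
                new Rule("/**", "ROLE_USER"),
                new Rule("/login/**", "ROLE_ANONYMOUS"));
        Set<String> anonymous = Set.of("ROLE_ANONYMOUS");
        Set<String> user = Set.of("ROLE_USER");

        // Constructed request paths, using the /login/start example from the answer.
        System.out.println(decide(catchAllOnly, "/login/start", anonymous)); // login page itself is protected
        System.out.println(decide(loginFirst, "/login/start", anonymous));
        System.out.println(decide(loginLast, "/login/start", anonymous));    // specific rule shadowed by /**
        System.out.println(decide(loginFirst, "/home", anonymous));
        System.out.println(decide(loginFirst, "/home", user));
        System.out.println(decide(loginFirst, "/login/start", user));
    }
}
```

The last call shows an edge case of the `ROLE_ANONYMOUS` rule: a logged-in user holding only `ROLE_USER` who revisits the login URL is denied rather than shown the page.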