Home/ Questions/Q 8933673
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T09:36:00+00:00

I am using Spring Security version 3.1.2. Here is the configuration: <http pattern=/embedded/** auto-config=true

  • 0

I am using Spring Security version 3.1.2.

Here is the configuration:

<http pattern="/embedded/**" auto-config="true" use-expressions="true" access-denied-page="/embedded/login.htm">
    <intercept-url pattern="/embedded/login-embedded.html" access="hasRole('ROLE_AUTHENTICATED')"/>
    <intercept-url pattern="/embedded/**" access="permitAll"/>
    <form-login login-page="/embedded/login.htm"
                authentication-failure-url="/embedded/login.htm?error=true"
                default-target-url="/embedded/login-embedded.html" />
    <logout logout-success-url="/embedded/index.html"/>

</http>

<http auto-config="true" use-expressions="true" access-denied-page="/login.htm">
    <intercept-url pattern="/login-success.html" access="hasRole('ROLE_AUTHENTICATED')"/>
    <intercept-url pattern="/**" access="permitAll"/>
    <form-login login-page="/login.htm"
                authentication-failure-url="/login.htm?error=true"
                default-target-url="/login-success.html"/>
    <logout logout-success-url="/index.html"/>
</http>

I POST data to a Spring MVC controller which calls a service to validate a captcha. If that passes it forwards it to the j_spring_security_check RequestDispatcher.

Here is the relevant part of the controller:

@RequestMapping(value ="/embedded/login.htm", method = RequestMethod.POST)
public String authenticateCaptcha(HttpServletRequest request,
                                  HttpServletResponse response,
                                  @RequestParam String verificationText) throws IOException, ServletException {
    HttpSession session = request.getSession();
    String sessionId = session.getId();
    if (captchaService.validate(sessionId, verificationText)) {
        request.getRequestDispatcher("/j_spring_security_check").forward(request, response);
        return null;
    }
    return buildErrorRedirect(request);
}

My problem is that after captcha is validated and the request is forwarded to Spring Security and authentication fails there the error page it forwards to is /login.htm?error=true instead of /embedded/login.htm?error=true.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    URL /j_spring_security_check doesn’t match /embedded/** so authentication-failure-url="/login.htm?error=true" is used – the one from second configuration.

    Similar question has been asked recently:

    Spring security with two realms, first default-target-url is never invoked

    And one of the creators of Spring Security answered it. I recommend reading it.

    Another worthy piece of Stack Overflow:
    Why does a forwarded request pass through filter chain again?

    • 0