I have recently started learning spring security and trying to incorporate it into my existing web application. The app is simple in configuration so I’m confused where I’ve managed to screw it up.
My web.xml
<!-- FilterChain proxy for security: delegates to the bean named
     "springSecurityFilterChain" in the root application context -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Root context loaded by ContextLoaderListener; security-config.xml must be
     listed here (or imported from appname-servlet.xml) for the filter bean to exist -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/appname-servlet.xml</param-value>
</context-param>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- servlet-name fixed to match the servlet-mapping below (was "nistreq") -->
<servlet>
  <servlet-name>appname</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/appname-servlet.xml</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>appname</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
  <welcome-file>mainpage.jsp</welcome-file>
</welcome-file-list>
and the security-config.xml
<security:http access-denied-page="/denied.jsp" use-expressions="true">
  <security:form-login login-page="/login.jsp"
                       authentication-failure-url="/login.jsp?login_error=true" />
  <security:intercept-url pattern="/*" access="isAuthenticated()"/>
  <security:logout/>
</security:http>
There looks to be some bad mojo between my URIs I’ve mapped for the springSecurityFilterChain (“/“), the servlet mapping’s URL pattern (“/”), and the security:intercept-url pattern (“/“). This causes a redirect loop. I’ve gone through countless variations of moving terms around, pushing content into sub-packages to avoid protecting the application root, etc. I always end up with a grab bag of a 404, a redirect loop, etc.
I’m doing something really boneheaded here and would appreciate another set of eyes. Thanks for any insights…
I believe you just need to add an exception for your login page. In addition to what you have in your security-config.xml add the following:
Whatever URL you try to go to, it’s not authenticated, so it tries to go to the login page. However, that is also not authenticated, so it just spins and spins. Your login page needs to be accessible without being authenticated.
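As an added illustration (not the answer's own snippet, which is missing above), here is the security-config.xml with the login-page exception the answer describes, assuming the Spring Security 3.x namespace; the logout-success-url value is an assumption. Rules are evaluated top to bottom and the first match wins, so the permitAll entries must precede the catch-all, and the catch-all uses /** because in Spring Security's ant matching /* only covers a single path segment.

```xml
<!-- security-config.xml (added example, not from the original post) -->
<security:http access-denied-page="/denied.jsp" use-expressions="true">
  <security:form-login login-page="/login.jsp"
                       authentication-failure-url="/login.jsp?login_error=true" />

  <!-- Pages the filter must serve to anonymous users; listed BEFORE the
       catch-all so the redirect to /login.jsp is not itself intercepted -->
  <security:intercept-url pattern="/login.jsp*" access="permitAll" />
  <security:intercept-url pattern="/denied.jsp"  access="permitAll" />

  <!-- Everything else requires a logged-in user. /** matches any depth,
       whereas /* matches only one path segment (e.g. not /sub/page.jsp) -->
  <security:intercept-url pattern="/**" access="isAuthenticated()" />

  <!-- logout-success-url is assumed; the default is the context root -->
  <security:logout logout-success-url="/login.jsp" />
</security:http>
```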