Home/ Questions/Q 9025961
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T06:24:17+00:00

I have the following code in spring-security.xml <?xml version=1.0 encoding=UTF-8?> <beans xmlns=http://www.springframework.org/schema/beans xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns:security=http://www.springframework.org/schema/security

  • 0

I have the following code in spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
            http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
            http://www.springframework.org/schema/security 
            http://www.springframework.org/schema/security/spring-security-3.1.xsd">


    <security:http security="none" pattern="/openid.jsp" />
    <security:http security="none" pattern="/logout.jsp" />
    <security:http security="none" pattern="/success.jsp" />

    <security:http auto-config="true"
        authentication-manager-ref="authManager">
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
        <security:openid-login login-page="/openid.jsp" 
            authentication-failure-url="/logout.jsp"
            default-target-url="/success.jsp" >
        </security:openid-login>
    </security:http>


    <security:authentication-manager id="authManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="spring" password="spring"
                    authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager> 

</beans>

Tomcat access logs do show that Google has authenticated the openid but still I hit the logout.jsp after allowing access from Google open id page.

127.0.0.1 - - [13/Dec/2012:22:55:44 +0530] "GET /SpringWebSecurityOpenID/getEmp.do/10 HTTP/1.1" 302 35
127.0.0.1 - - [13/Dec/2012:22:55:44 +0530] "GET /SpringWebSecurityOpenID/openid.jsp HTTP/1.1" 200 258
127.0.0.1 - - [13/Dec/2012:22:55:49 +0530] "POST /SpringWebSecurityOpenID/j_spring_openid_security_check HTTP/1.1" 302 35
127.0.0.1 - - [13/Dec/2012:22:55:50 +0530] "GET /SpringWebSecurityOpenID/j_spring_openid_security_check?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2012-12-13T17cwcwc4rf32dwfdwGJ5oVQ_g&openid.return_to=http%3A%2F%2Flocalhost%3A8080%2FSpringWebSecurityOpenID%2Fj_spring_openid_security_check&openid.assoc_handle=AMlYA9UzE_QF5BKDYtD-k3_TbEdofnp7-43i9om-guRWh1TG5LhzEN7lzPyJ0IXzTjtNDbZz&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=4MN6wuiKCWkuNwfwfwfd32dddqwg%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%cwcwc34r2dwefreWzH1fBOWj5v4U&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid432432EdewedrUfrp0nP3AWzH1fBOWj5v4U HTTP/1.1" 302 35
127.0.0.1 - - [13/Dec/2012:22:55:50 +0530] "GET /SpringWebSecurityOpenID/logout.jsp HTTP/1.1" 200 102

pls. help in troubleshooting this issue. If I remove openid login page attribute and use default open id form generated by Spring then I can easily get authenticated and hit the requested URL.

Have update spring-security.xml code above. The exception seen in the logs is:

2012-12-16 11:26:32,430&#123;HH&#58;mm&#58;ss&#125; DEBUG &#91;http-bio-8080-exec-4&#93; &#40;ConsumerManager.java&#58;1788&#41;
- Local signature verification succeeded.
2012-12-16 11:26:32,430&#123;HH&#58;mm&#58;ss&#125;  INFO &#91;http-bio-8080-exec-4&#93; &#40;ConsumerManager.java&#58;1848&#41;
- Verification succeeded for: https://www.google.com/accounts/o8/id?id=AItOawl2FdNxxWJLrUfrp0nP3AWzH1fBOWj5v4U
2012-12-16 11:26:32,433&#123;HH&#58;mm&#58;ss&#125; DEBUG &#91;http-bio-8080-exec-4&#93; &#40;ProviderManager.java&#58;152&#41; -
 Authentication attempt using org.springframework.security.openid.OpenIDAuthenticationProvider
2012-12-16 11:26:32,434&#123;HH&#58;mm&#58;ss&#125; DEBUG &#91;http-bio-8080-exec-4&#93; &#40;AbstractAuthenticationProcessingFil
ter.java&#58;340&#41; - Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: h
ttps://www.google.com/accounts/o8/id?id=AItOawl2FdNxxWJLrUfrp0nP3AWzH1fBOWj5v4U
2012-12-16 11:26:32,434&#123;HH&#58;mm&#58;ss&#125; DEBUG &#91;http-bio-8080-exec-4&#93; &#40;AbstractAuthenticationProcessingFil
ter.java&#58;341&#41; - Updated SecurityContextHolder to contain null Authentication
2012-12-16 11:26:32,435&#123;HH&#58;mm&#58;ss&#125; DEBUG &#91;http-bio-8080-exec-4&#93; &#40;AbstractAuthenticationProcessingFil
ter.java&#58;342&#41; - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuth
enticationFailureHandler@e9927a

Do I need to add the user I want to authenticate in spring-security.xml. I was trying to allow anybody with valid openid to login. I don’t have any list of users to authenticate.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    For your interceptor url try this instead of a role.

    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
    • 0