java - Spring security4 /login doesn't pass through any filter -


The Spring Security version used is 4.0.2. Main part of spring-security.xml:

    <http pattern="/resources/**" security="none" />
    <http pattern="/login" security="none"/>
    <http auto-config="true" use-expressions="true">
        <!-- <intercept-url pattern="/login" access="permitAll" /> -->
        <intercept-url pattern="/about" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
        <custom-filter ref="ipfilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="datasource" user-service-ref="customjdbcuserservice"/>
        <form-login login-page="/login" default-target-url="/"
            password-parameter="pwd" />
        <logout logout-success-url="/about" />
    </http>

When I use

<http pattern="/login" security="none"/> 

in the file, my application doesn't work: when I submit the login request, it responds with the login.jsp view, and the debug info is placed here:

    22:32:42,905 debug antpathrequestmatcher:151 - checking match of request : '/login'; against '/resources/**'
    22:32:42,905 debug antpathrequestmatcher:151 - checking match of request : '/login'; against '/login'
    22:32:42,905 debug filterchainproxy:200 - /login has empty filter list
    22:32:42,906 debug dispatcherservlet:861 - dispatcherservlet name 'springmvc' processing post request [/login]
    22:32:42,907 debug requestmappinghandlermapping:294 - looking handler method path /login
    22:32:42,908 debug requestmappinghandlermapping:299 - returning handler method [public void com.bay1ts.controller.basecontroller.login()]
    22:32:42,908 debug defaultlistablebeanfactory:248 - returning cached instance of singleton bean 'basecontroller'
    22:32:42,909 debug dispatcherservlet:1241 - rendering view [org.springframework.web.servlet.view.jstlview: name 'login'; url [/web-inf/jsps/login.jsp]] in dispatcherservlet name 'springmvc'
    22:32:42,910 debug defaultlistablebeanfactory:248 - returning cached instance of singleton bean 'requestdatavalueprocessor'
    22:32:42,910 debug jstlview:166 - forwarding resource [/web-inf/jsps/login.jsp] in internalresourceview 'login'
    22:32:42,919 debug dispatcherservlet:996 - completed request

But when I use

<intercept-url pattern="/login" access="permitAll" />

like this:

    <http pattern="/resources/**" security="none" />
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/about" access="permitAll" />
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
        <custom-filter ref="ipfilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="datasource" user-service-ref="customjdbcuserservice"/>
        <form-login login-page="/login" default-target-url="/"
            password-parameter="pwd" />
        <logout logout-success-url="/about" />
    </http>

then I can log in to the application. Debug info:

    22:56:22,763 debug antpathrequestmatcher:151 - checking match of request : '/login'; against '/resources/**'
    22:56:22,770 debug filterchainproxy:324 - /login @ position 1 of 15 in additional filter chain; firing filter: 'securitycontextpersistencefilter'
    22:56:22,770 debug httpsessionsecuritycontextrepository:171 - httpsession returned null object spring_security_context
    22:56:22,770 debug httpsessionsecuritycontextrepository:101 - no securitycontext available httpsession: org.eclipse.jetty.server.session.hashedsession:1bf4hxwrtqrdvs3dedd70rh8o@1206903733. new 1 created.
    22:56:22,770 debug filterchainproxy:324 - /login @ position 2 of 15 in additional filter chain; firing filter: 'webasyncmanagerintegrationfilter'
    22:56:22,770 debug filterchainproxy:324 - /login @ position 3 of 15 in additional filter chain; firing filter: 'headerwriterfilter'
    22:56:22,771 debug hstsheaderwriter:128 - not injecting hsts header since did not match requestmatcher org.springframework.security.web.header.writers.hstsheaderwriter$securerequestmatcher@1945827
    22:56:22,771 debug filterchainproxy:324 - /login @ position 4 of 15 in additional filter chain; firing filter: 'csrffilter'
    22:56:22,772 debug filterchainproxy:324 - /login @ position 5 of 15 in additional filter chain; firing filter: 'logoutfilter'
    22:56:22,772 debug antpathrequestmatcher:151 - checking match of request : '/login'; against '/logout'
    22:56:22,773 debug filterchainproxy:324 - /login @ position 6 of 15 in additional filter chain; firing filter: 'usernamepasswordauthenticationfilter'
    22:56:22,773 debug antpathrequestmatcher:151 - checking match of request : '/login'; against '/login'
    22:56:22,773 debug usernamepasswordauthenticationfilter:211 - request process authentication
    22:56:22,774 debug providermanager:162 - authentication attempt using org.springframework.security.authentication.dao.daoauthenticationprovider
    22:56:22,778 debug jdbctemplate:693 - executing prepared sql query
    22:56:22,780 debug jdbctemplate:627 -

But why?

In general, using security="none" is not recommended. It instructs Spring Security to ignore the specific requests.

One consequence of using security="none" is that when you submit the username and password to be validated, Spring Security's UsernamePasswordAuthenticationFilter will not process it.

Another consequence of using security="none" is that other types of security are no longer in place. For example, no Security HTTP Response Headers are added.

When you use permitAll, this instructs Spring Security to allow access to the URL, but Spring Security will still process the URL. This means the URL will still be used when processing the submitted username / password. This also means that other types of security (i.e. Security HTTP Response Headers) are available for the URL.

Configuration Cleanup

There is additional configuration cleanup you could/should do. For example, each <intercept-url> is considered in order, and the first match is used. This means the following:

    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>

will never reach the rules for /user/* or /admin/*, since /** matches and is listed before them.

Instead, you should order the rules from specific to general. For example:

    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/about" access="permitAll" />
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

You can also clean up some of the configuration. For example, in Spring Security 4+ use-expressions="true" is enabled by default (so you do not need to specify it). As another example, in Spring Security 4+ you no longer need to provide ROLE_ for hasRole. This means you can update your configuration to be like:

    <http auto-config="true">
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/about" access="permitAll" />
        <intercept-url pattern="/user/*" access="hasRole('USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ADMIN')"/>
        <intercept-url pattern="/**" access="hasRole('USER')" />
        <custom-filter ref="ipfilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <remember-me remember-me-parameter="remember-me" token-validity-seconds="604800" data-source-ref="datasource" user-service-ref="customjdbcuserservice"/>
        <form-login login-page="/login" default-target-url="/"
            password-parameter="pwd" />
        <logout logout-success-url="/about" />
    </http>

It might be worth mentioning that /user/* will match on /user/123, but will not match on /user/profile/123. For this reason, you may consider changing the pattern to /user/**
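The two problems discussed above (a security="none" chain swallowing the login URL, and intercept-url rules shadowed by an earlier /**) can be checked mechanically. The following audit script is an added example, not part of the original question or answer and not Spring code; it assumes a simplified Ant-style matcher, the Spring Security 4 default login processing URL /login, and a constructed `<beans>` wrapper around the question's configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's configuration wrapped in a root element
# so that it parses stand-alone (custom filter, remember-me and logout omitted).
SAMPLE = """<beans>
  <http pattern="/resources/**" security="none"/>
  <http pattern="/login" security="none"/>
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/about" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>
    <form-login login-page="/login" default-target-url="/" password-parameter="pwd"/>
  </http>
</beans>"""

TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_regex(pattern):
    """Simplified Ant-style matcher: '**' spans segments, '*' stays inside one."""
    head, tail = pattern, ""
    if pattern.endswith("/**"):
        head, tail = pattern[:-3], "(/.*)?"  # '/user/**' also matches '/user'
    parts = [TOKENS.get(t, re.escape(t)) for t in re.split(r"(\*\*|\*|\?)", head)]
    return re.compile("".join(parts) + tail)

def first_match(patterns, path):
    """Index of the first pattern that matches path (first match wins), or None."""
    for index, pattern in enumerate(patterns):
        if ant_regex(pattern).fullmatch(path):
            return index
    return None

def chains(xml_text):
    """Yield (pattern, security, rules, login_urls) for every <http> element in order."""
    for http in ET.fromstring(xml_text).iter():
        if http.tag.rsplit("}", 1)[-1] != "http":
            continue
        kids = [(k.tag.rsplit("}", 1)[-1], k) for k in http]
        rules = [(k.get("pattern"), k.get("access"))
                 for name, k in kids if name == "intercept-url"]
        # Assumption: '/login' is the Spring Security 4 default processing URL.
        logins = [k.get("login-processing-url", "/login")
                  for name, k in kids if name == "form-login"]
        yield http.get("pattern") or "/**", http.get("security"), rules, logins

def audit(xml_text):
    """Return findings as (kind, affected URL or pattern, cause) tuples."""
    parsed = list(chains(xml_text))
    unfiltered = [p for p, security, _, _ in parsed if security == "none"]
    findings = []
    for _, security, rules, logins in parsed:
        if security == "none":
            continue
        for url in logins:
            hit = first_match(unfiltered, url)
            if hit is not None:
                findings.append(("unfiltered-login", url, unfiltered[hit]))
        patterns = [p for p, _ in rules]
        for index, pattern in enumerate(patterns):
            # Probe with a concrete path that the pattern itself matches.
            probe = pattern.replace("**", "a/b").replace("*", "a").replace("?", "a")
            winner = first_match(patterns, probe)
            if winner != index:
                findings.append(("shadowed", pattern, patterns[winner]))
    return findings

def effective_access(xml_text, path):
    """Access expression deciding path; None when no filter or rule applies."""
    parsed = list(chains(xml_text))
    chain = first_match([p for p, _, _, _ in parsed], path)
    if chain is None or parsed[chain][1] == "none":
        return None
    rules = parsed[chain][2]
    rule = first_match([p for p, _ in rules], path)
    return None if rule is None else rules[rule][1]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(effective_access(SAMPLE, "/admin/1"))
```

On the question's configuration the audit reports the unfiltered login URL and both shadowed rules, and `effective_access` shows that /admin/1 is decided by the /** rule, so ROLE_USER alone is enough to reach it.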

