I have a typical Spring MVC running on Tomcat. After switching the system to run on HTTPS (everything is working OK under plain HTTP), the login stopped working. The reason is that Spring's SecurityContextHolder.getContext().getAuthentication()
object becomes null
after RedirectView
is used.
I already searched for the answer, the only one I found suggested to set property redirectHttp10Compatible
to false
in the viewResolver
bean setup. This did not help.
I also checked that throughout redirect, my session id remains the same and the connection remains secure, i.e. it is not an issue (at least as far as I could tell) of a change between http and https or vice versa.
What could be the problem?
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true">
<intercept-url pattern="/**" requires-channel="https" />
<intercept-url pattern="/index*" access="ROLE_USER"/>
<intercept-url pattern="/dashboard*" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/login*" access="ROLE_GUEST, ROLE_ANONYMOUS, ROLE_USER"/>
<intercept-url pattern="/signin*" access="ROLE_GUEST, ROLE_ANONYMOUS, ROLE_USER"/>
<intercept-url pattern="/signup*" access="ROLE_GUEST, ROLE_ANONYMOUS, ROLE_USER"/>
<form-login login-page="/home"
default-target-url="/home"
authentication-failure-url="/home?authentication_error=true"
authentication-success-handler-ref="redefineTargetURL"
/>
<anonymous username="guest" granted-authority="ROLE_GUEST" key="anonymousKey"/>
<logout invalidate-session="true" logout-success-url="/logout?message=Logout Successful" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService" />
</authentication-manager>
<beans:bean id="redefineTargetURL" class="com.groupskeed.common.RedefineTargetURL" />
<beans:bean id="userDetailsService" class="com.groupskeed.security.UserDetailsServiceImpl" />
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…