HTTP Status 404 - /j_spring_security_check

Hi, with spring mvc 3.0 , jsp , jboss7, I created a login page with user id and password.
When I entered user id and password, it shown the following error:

on page:

HTTP Status 404 - /j_spring_security_check

on console:

09:54:48,820 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http--192.168.1.20-8080-1) Access is denied (user is anonymous); redirecting to authentication entry point: org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) [spring-security-core-3.0.2.RELEASE.jar:]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) [spring-security-core-3.0.2.RELEASE.jar:]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.4.RELEASE.jar:3.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.4.RELEASE.jar:3.0.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_07]

There are 2 issues here, firstly is the on page error, secondly is authentication failed even I have defined user/password in my security-config.xml file.

Here is the security-config.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">


<!-- Configure Spring Security -->
<security:http auto-config="true">
<security:form-login login-page="/auth/login" login-processing-url="/loginProcess"
default-target-url="/categories/search" authentication-failure-url="/auth/login?login_error=1" />
<security:logout logout-url="/auth/logout" logout-success-url="/logoutSuccess" />
<security:intercept-url pattern="/addDelivery" access="ROLE_SUPERVISOR" />
<security:intercept-url pattern="/editDelivery" access="ROLE_SUPERVISOR" />
<security:intercept-url pattern="/deleteDelivery" access="ROLE_SUPERVISOR" />

<security:intercept-url pattern="/j_spring_security_check" access="ROLE_SUPERVISOR" />
</security:http>

<!--
Define local authentication provider, a real app would use an external provider (JDBC, LDAP, CAS, etc)

usernames/passwords are:
sam/mypass
-->
<security:authentication-manager>
<security:authentication-provider>
<security:password-encoder hash="md5" />
<security:user-service>
<security:user name="sam" password="417c7382b16c395bc25b5da1398cf076" authorities="ROLE_USER, ROLE_SUPERVISOR" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>

</beans>

loginpage.jsp:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>

<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>

<h1>Login</h1>

<div id="login-error">${error}</div>

<form action="../../j_spring_security_check" method="post" >

<p>
<label for="j_username">Username</label>
<input id="j_username" name="j_username" type="text" />
</p>

<p>
<label for="j_password">Password</label>
<input id="j_password" name="j_password" type="password" />
</p>

<input type="submit" value="Login"/>

</form>

</body>
</html>

Hello After rewritten the security-config.xml file, I don't know why I am still getting ROLE_ANONYMOUS as shown below:

17:07:29,650 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] (http--192.168.1.20-8080-1) Previously Authenticated: org.springframework.security.authenticati
on.AnonymousAuthenticationToken@90541710: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetail
s@166c8: RemoteIpAddress: 192.168.1.105; SessionId: ETssDT2jtiDvsCZ7AHN9tcFM.undefined; Granted Authorities: ROLE_ANONYMOUS
17:07:29,656 DEBUG [org.springframework.security.access.vote.AffirmativeBased] (http--192.168.1.20-8080-1) Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5293e6bc
, returned: -1
17:07:29,657 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http--192.168.1.20-8080-1) Access is denied (user is anonymous); redirecting to authentication entry po
int: org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) [spring-security-core-3.0.2.RELEASE.jar:]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) [spring-security-core-3.0.2.RELEASE.jar:]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.0.2.RELEASE.jar:
]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188) [spring-security-web-3.0.2.RELEASE.j
ar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149) [spring-security-web-3.0.2.RELEASE.jar:]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) [spring-web-3.0.4.RELEASE.jar:3.0.4.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) [spring-web-3.0.4.RELEASE.jar:3.0.4.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_07]

It looks like my CustomUserDetailsService class didn't get called.
Here is the CustomUserDetailsService.java class:

@Transactional(readOnly = true) public class CustomUserDetailsService implements UserDetailsService { protected static Logger logger = Logger.getLogger("service"); private UserDAO userDAO = new UserDAO(); /** * Retrieves a user record containing the user's credentials and access. */ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { // Declare a null Spring User UserDetails user = null; try { // Search database for a user that matches the specified username // You can provide a custom DAO to access your persistence layer // Or use JDBC to access your database // DbUser is our custom domain user. This is not the same as Spring's User DbUser dbUser = userDAO.searchDatabase(username); // Populate the Spring User object with details from the dbUser // Here we just pass the username, password, and access level // getAuthorities() will translate the access level to the correct role type user = new User( dbUser.getUsername(), dbUser.getPassword().toLowerCase(), true, true, true, true, getAuthorities(dbUser.getAccess()) ); } catch (Exception e) { logger.error("Error in retrieving user"); throw new UsernameNotFoundException("Error in retrieving user"); } // Return user to Spring for processing. // Take note we're not the one evaluating whether this user is authenticated or valid // We just merely retrieve a user that matches the specified username return user; } /** * Retrieves the correct ROLE type depending on the access level, where access level is an Integer. * Basically, this interprets the access value whether it's for a regular user or admin. * * @param access an integer value representing the access of the user * @return collection of granted authorities */ public Collection<GrantedAuthority> getAuthorities(Integer access) { // Create a list of grants for this user List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2); // All users are granted with ROLE_USER access // Therefore this user gets a ROLE_USER by default logger.debug("Grant ROLE_USER to this user"); authList.add(new GrantedAuthorityImpl("ROLE_USER")); // Check if this user has admin access // We interpret Integer(1) as an admin user if ( access.compareTo(1) == 0) { // User has admin access logger.debug("Grant ROLE_ADMIN to this user"); authList.add(new GrantedAuthorityImpl("ROLE_ADMIN")); } // Return list of granted authorities return authList; } }

security-config.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">


<!-- Configure Spring Security -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
<security:intercept-url pattern="/addDelivery" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/editDelivery" access="hasRole('ROLE_ADMIN')" />
<security:intercept-url pattern="/deleteDelivery" access="hasRole('ROLE_ADMIN')" />

<!-- <security:intercept-url pattern="/j_spring_security_check" access="ROLE_SUPERVISOR" />-->
<security:form-login
login-page="/auth/login"
authentication-failure-url="/auth/login?error=true"
default-target-url="/deliveries"/>

<security:logout
invalidate-session="true"
logout-success-url="/auth/login"
logout-url="/auth/logout"/>
</security:http>


<security:authentication-manager>
<!-- Declare an authentication-manager to use a custom userDetailsService -->
<security:authentication-provider user-service-ref="customUserDetailsService">
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>

</security:authentication-manager>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

<!-- A custom service where Spring will retrieve users and their corresponding access levels -->
<bean id="customUserDetailsService" class="deliveries.manager.service.CustomUserDetailsService"/>

</beans>

Any suggestion is very appreciated.
Thanks
Sam

Wow two confusions in a row for me in this forum.

Is this the same question here
https://coderanch.com/t/596796/Spring/No-bean-named-springSecurityFilterChain-defined

That I posted to already, or is this a different one???

Thanks

Mark

Yes similar problem. I have posted a security-config.xml file here.
Do yo know what is wrong with my spring security configuration?
Thanks
Sam

As I said in the other thread. PLEASE POST with the CODE tags. I can't read your config or code at all without any indentation. It looks ugly and unreadable.

OK, at first I was looking at the config and didn't see a <security:login-page tag. What I did see is that you secured the security check url. How can you run the security check to login if you have to be logged in to login. Basically, you do not secure the login page or j_spring_security_check. It looks like you might have solved that part later on, but again I can't read your config because it is not posted correctly.

In
><security:http auto-config="true"
you do not need
auto-config="true"

This could be a big part of why you get ROLE_ANONYMOUS as auto-config will also allow anonymous login.

Your custom UserDetailsService actually looks pretty good. One gotcha, that looks like you avoided was the prefix "ROLE_". By default all roles have to be prefixed with that. There is a way to override that but you are fine there.

Yeah, I think this is a different question than your other post, iirc.

Mark>

Sorry using incorrect code tag.
Here is my security-config.xml file :

<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <!-- Configure Spring Security --> <security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" > <security:intercept-url pattern="/auth/login" access="permitAll"/> <security:intercept-url pattern="/addDelivery" access="hasRole('ROLE_ADMIN')" /> <security:intercept-url pattern="/editDelivery" access="hasRole('ROLE_ADMIN')" /> <security:intercept-url pattern="/deleteDelivery" access="hasRole('ROLE_ADMIN')" /> <!-- <security:intercept-url pattern="/j_spring_security_check" access="ROLE_SUPERVISOR" />--> <security:form-login login-page="/auth/login" authentication-failure-url="/auth/login?error=true" default-target-url="/deliveries"/> <security:logout invalidate-session="true" logout-success-url="/auth/login" logout-url="/auth/logout"/> </security:http> <security:authentication-manager> <!-- Declare an authentication-manager to use a custom userDetailsService --> <security:authentication-provider user-service-ref="customUserDetailsService"> <security:password-encoder ref="passwordEncoder"/> </security:authentication-provider> </security:authentication-manager> <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database --> <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/> <!-- A custom service where Spring will retrieve users and their corresponding access levels --> <bean id="customUserDetailsService" class="deliveries.manager.service.CustomUserDetailsService"/> </beans>

Hi I tried to resolve that by changing url-pattern from / to /* in web.xml:

<servlet-mapping> <servlet-name>dispatcherServlet</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping>

But it reported " No mapping found for HTTP request with URI [/DeliveriesManager-web/WEB-INF/views/home.jsp] in DispatcherServlet with name 'dispatcherServlet'
"
when I started up the home page.

Cool you found the CODE tags.

I guess, I'll just post my code and you can compare.

First the filter in my Web.xml
yours would be "/*" if you want your app to use the root context. Make sure your DispatcherServlet has the same mapping

<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>


Here is my security config with a couple of security info removed. But I have a custom UserDetailsService class which is a UserRepository which is not defined in xml as a bean, so you don't see that config in my security xml file. But as you can see if is very very simple. This is for the URLs

Also it goes without saying the security xsd is the default, no prefix.
<http> <form-login login-page="/login.jsp" /> <anonymous /> <intercept-url pattern="/login.jsp" filters="none"/> <intercept-url pattern="/something/inner/*" access="ROLE_ADMIN"/> <intercept-url pattern="/something/*" access="ROLE_ADMIN, ROLE_USER"/> <intercept-url pattern="/**" access="hasAnyRole(ROLE_GEORGE, ROLE_JOHN, ROLE_PAUL, ROLE_RINGO)" /> <logout logout-url="/j_spring_security_logout" logout-success-url="/home" /> </http>

Hope that helps

Mark