wood burning stoves 2.0*
The moose likes Spring and the fly likes BadCredentialsException after migrating to Spring Security 3.1 Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "BadCredentialsException after migrating to Spring Security 3.1 " Watch "BadCredentialsException after migrating to Spring Security 3.1 " New topic

BadCredentialsException after migrating to Spring Security 3.1

Darshan Shroff

Joined: Nov 25, 2009
Posts: 12

I have recently upgraded to spring-security-xxx-3.1.0 from 3.0.5.
In 3.0.5, i was using filters=none tag in the intercept-url tag for unprotecting urls.
Since it is not availible now in 3.1, i had to modify my security config xml to use security=none and it now looks as below :-

At app startup, the login page shows up. User Enters details. Login is successful. home.action is displayed.
I try browsing in the application, trying any other secured xyz.action. The application logs out automatically, with login page being shown.

The error stack trace i get from Spring is as below :-

Any pointers as to what i am doing wrong. ?
Not much help available on the web for 3.1. I am thinking of going back to 3.0.5.

Darshan Shroff
Guy Korland

Joined: Aug 16, 2012
Posts: 1
Did you find a way to work around this issue?
Darshan Shroff

Joined: Nov 25, 2009
Posts: 12

I see my application is still running on 3.0.5. So i probably gave up after trying for a couple of hours.

Bill Gorder

Joined: Mar 07, 2010
Posts: 1646

From the Spring Security doc

´╗┐The use of multiple <http> elements is an important feature, allowing the namespace to simultaneously support both stateful and stateless paths within the same application, for example. The previous syntax, using the attribute filters="none" on an intercept-url element is incompatible with this change and is no longer supported in 3.1.

Read the below link for more details:

also a post here on the same:

Try adding a * after your patterns

also for the login page you can try adding a intercept URL for it although I don't think you should have to do this.

[How To Ask Questions][Read before you PM me]
I agree. Here's the link: http://aspose.com/file-tools
subject: BadCredentialsException after migrating to Spring Security 3.1
Similar Threads
applicationContext.xml - Can not find definition for element 'beans'
A better way to display a login failure message
Error: The matching wildcard is strict, but no declaration can be found for element 'remember-me'
How to implement Spring Form Based Authenticationand Authorization without session scope ?
RichFaces + Spring Security -- Problem Load RichFaces