Spring 3.0 security not working with annotation based controllers
I am trying to add authentication support to my Spring 3.0 web application but nothing from http:basic to more elaborate authentication is working. The examples provided in the Spring documentation do not work.
Is there a different way of enabling security when using annotated controllers?
I have the springSecurityFilterChain mapping in web.xml, and I've got the Spring Security jar files in my library.
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!--
Key of the system property that should specify the root directory of this
web app. Applied by WebAppRootListener or Log4jConfigListener.
-->
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>WebIDE.root</param-value>
</context-param>
<!-- Reads request input using UTF-8 encoding -->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Map URL for views: display /index instead of /app/index as
suggested by the dispatcher -->
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/app-config.xml
/WEB-INF/applicationContext-security.xml</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<!-- Mapping required for the security feature to work -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- set up dispatcher servlet -->
<servlet>
<servlet-name>app dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/mvc-config.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>app dispatcher</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>jnlp</extension>
<mime-type>application/x-java-jnlp-file</mime-type>
</mime-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
</web-app>
application-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- enable web security for defined roles -->
<http auto-config='true'>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp' default-target-url='/' />
</http>
<!-- define test logins TO REMOVE -->
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimi" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bob" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
log4j.properties:
log4j.rootLogger=DEBUG, stdout, logfile
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - <%m>%n
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=${WebIDE.root}\WEB-INF\resources\WebIDE.log
log4j.appender.logfile.MaxFileSize=512KB
# Keep three backup files.
log4j.appender.logfile.MaxBackupIndex=3
# Pattern to output: date priority [category] - message
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d %p [%c] - %m%n
log4j.logger.org.springframework.security=DEBUG
All my JSP files are saved in WEB-INF/views/.
DEBUGGING INFO
DEBUG [org.springframework.web.filter.DelegatingFilterProxy] - Initializing filter 'springSecurityFilterChain'
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean org.springframework.security.filterChainProxy'
DEBUG [org.springframework.web.filter.DelegatingFilterProxy] - Filter 'springSecurityFilterChain' configured successfully
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0'
DEBUG[org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource] - Adding web access control expression 'ROLE_USER', for Ant [pattern='/']
DEBUG[org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource] - Adding web access control expression 'ROLE_USER', for org.springframework.security.web.util.AnyRequestMatcher@2433a1
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Finished creating instance of bean '(inner bean)#6'
INFO [org.springframework.security.config.http.DefaultFilterChainValidator] - Checking whether login URL '/spring_security_login' is accessible with your configuration
DEBUG [org.springframework.security.config.http.DefaultFilterChainValidator] - Default generated login page is in use
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Finished creating instance of bean 'org.springframework.security.filterChainProxy'
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'org.springframework.security.provisioning.InMemoryUserDetailsManager#0'
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'org.springframework.security.authentication.dao.DaoAuthenticationProvider#0'
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0'
2010-11-29 07:57:58,744 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'org.springframework.security.authenticationManager'
DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - Unable to locate LifecycleProcessor with name 'lifecycleProcessor': using default
[org.springframework.context.support.DefaultLifecycleProcessor@ca2c3d]
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'lifecycleProcessor'
DEBUG [org.springframework.web.context.ContextLoader] - Published root WebApplicationContext as ServletContext attribute with name
[org.springframework.web.context.WebApplicationContext.ROOT]
INFO [org.springframework.web.context.ContextLoader] - Root WebApplicationContext: initialization completed in 9316 ms
DEBUG [org.springframework.web.filter.CharacterEncodingFilter] - Initializing filter 'characterEncodingFilter'
DEBUG [org.springframework.web.filter.CharacterEncodingFilter] - Filter 'characterEncodingFilter' configured successfully
DEBUG [org.springframework.web.filter.DelegatingFilterProxy] - Initializing filter 'springSecurityFilterChain'
DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Returning cached instance of singleton bean 'org.springframework.security.filterChainProxy'
DEBUG [org.springframework.web.filter.DelegatingFilterProxy] - Filter 'springSecurityFilterChain' configured successfully
DEBUG [org.springframework.web.servlet.DispatcherServlet] - Initializing servlet 'app dispatcher'
INFO [org.springframework.web.servlet.DispatcherServlet] - FrameworkServlet 'app dispatcher': initialization started
Have you seen this Spring Security tutorial?
Spring Security - Tutorial: Adding Security to Spring Petclinic
The first thing I would try is to turn on DEBUG level logging for Spring Security:
log4j.logger.org.springframework.security=DEBUG
This will give you a better idea if some of your wiring is not working properly.
You have to make sure your web.xml has the right order of things. Add the following to the very beginning of the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
You already have the "ContextLoaderListener" in your configuration so you have to move it up. Let me know what happens after you have done this. You might have to configure the "filterChainProxy" bean in the application context.
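Added example (not part of the original answers or of Spring's own code): a small Python audit of a web.xml that lists filters in filter-mapping order, which is the order the container invokes them, and reports for each DelegatingFilterProxy the bean name it will look up, the filters mapped ahead of it, and whether its mapping covers FORWARD dispatches. The function name audit_web_xml, the finding labels and the trimmed sample are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

PROXY = "org.springframework.web.filter.DelegatingFilterProxy"
# Constructed sample: the filter section of the question's web.xml, trimmed.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class></filter>
<filter-mapping><filter-name>UrlRewriteFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
<filter><filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter>
<filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

def _kids(elem, name):
    """Children of elem with the given local name, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else None

def audit_web_xml(xml_text):
    """Return (chain, findings); chain is filter names in <filter-mapping> order."""
    root = ET.fromstring(xml_text)
    proxies = {}  # filter-name -> bean name DelegatingFilterProxy will look up
    for f in _kids(root, "filter"):
        if _text(f, "filter-class") == PROXY:
            name = _text(f, "filter-name")
            params = {_text(p, "param-name"): _text(p, "param-value")
                      for p in _kids(f, "init-param")}
            # The proxy delegates to the bean named like the filter unless
            # a targetBeanName init-param says otherwise.
            proxies[name] = params.get("targetBeanName", name)
    chain, findings = [], []
    for m in _kids(root, "filter-mapping"):
        name = _text(m, "filter-name")
        if name in proxies:
            findings.append(("bean", name, proxies[name]))
            # Filters mapped earlier handle the request before access rules run.
            findings += [("runs-before", earlier, name) for earlier in chain]
            # With no <dispatcher> child a mapping covers REQUEST only.
            dispatchers = [(d.text or "").strip() for d in _kids(m, "dispatcher")]
            if "FORWARD" not in dispatchers:
                findings.append(("no-forward", name, dispatchers or ["REQUEST"]))
        chain.append(name)
    return chain, findings

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE))
```

A "bean" finding names the bean that must exist in the root application context; with the filter named filterChainProxy as in the answer above, that is the bean the proxy will ask for.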
Though this is an old question, it might be helpful to others. I found that a dot (.) in the URL causes Spring Security to fail.
Here is my similar question I posted.