3

We're developing a website using Java and Spring. As a server, we're using a custom server based on Tomcat 6.0.29. In the web.xml file there is this custom authentication filter declared: 

<security:custom-filter ref="extraFieldAuthenticationProvider"
        before="FORM_LOGIN_FILTER"/>

along with the following: 

<security:form-login login-page="/view/page/login"
        default-target-url="/view/page/display"
        authentication-failure-handler-ref="CustomAuthenticationFailureHandler"
        authentication-success-handler-ref="CustomAuthenticationSuccessHandler"/>

The following is the extraFieldAuthenticationProvider class: 

public class ExtraFieldAuthenticationFilter
        extends UsernamePasswordAuthenticationFilter {
    private final static Logger LOG =
            Logger.getLogger(ExtraFieldAuthenticationFilter.class.getName());

    @Override
    protected String obtainUsername(HttpServletRequest request) {
        String userName = super.obtainUsername(request);
        String type = request.getParameter(WebConstants.PARAM_J__TYPE);
        return StringUtils.join(new String[]{type, userName});
    }
}

The problem is that on an unsuccessful login, I'm getting a Tomcat 401 error. Control is not being given to CustomAuthenticationFailureHandler.

Any ideas plz? (Bdw...I'm relatively new to Spring Security, I'm debugging another person's code)

Thanks a lot!

Krt_Malta

Donal Fellows
  • 133,037
  • 18
  • 149
  • 215
Krt_Malta
  • 9,265
  • 18
  • 53
  • 91

1 Answers1

1

As a server, we're using a custom server based on Tomcat 6.0.29.

You first need to verify if the problem is with the configuration of your Tomcat server (for example, is Tomcat authentication set up, is it expecting you to present a client certificate (clientAuth="true" in your Tomcat server configuration), etc.

If you can verify that the control is or isn't getting past initial Tomcat authentication to Spring Security, then there may be a different solution. You haven't provided us with all the relevant code, but it looks like the code is checking for an additional form parameter to be passed along with the authentication request. This would be defined in the WebConstants.PARAM_J__TYPE constant.

Peter Mularien
  • 2,578
  • 1
  • 25
  • 34