Different authentication on localhost and public IP
I have a problem that seems to be something like this , but I am not using AJAX for login / authentication.
When I access my local Tomcat 7 instance, I can correctly evaluate this block to true when the user is not logged in:
<security:authorize access="!isFullyAuthenticated()">
<div class="col-xs-12 col-md-2 login_button">
<a href="${pageContext.request.contextPath}/login"><button class="btn btn-success" style="line-height: 1.42857"><spring:message code="label.logIn"/> <i class="fa fa-sign-in"></i></button></a>
</div>
</security:authorize>
However, it evaluates to false when I deploy it to our public QA and public instances, hiding the button. I also tried changing access to !isAuthenticated()
, but the behavior didn't change.
I am using Spring 4.1.0.RELEASE and Spring Security 3.2.4.RELEASE. I'm not entirely sure, but perhaps this behavior was not present in the previous version of Spring.
What can cause a difference in block code evaluation between servers?
UPDATE:
Spring Security Configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<beans:bean id="authSuccessHandler" class="com.companyname.web.RoleBasedAuthenticationSuccessHandler" />
<http auto-config="true" use-expressions="true">
<form-login login-page="/login"
authentication-success-handler-ref="authSuccessHandler"
authentication-failure-url="/login?login_error=true"
login-processing-url="/j_spring_security_check" />
<intercept-url pattern="/sample/**" access="hasAnyRole('ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
<intercept-url pattern="/other/**" access="hasAnyRole('ROLE_OTHER', 'ROLE_CO_OTHER','ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
<logout logout-success-url="/index" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="com.companyname.service.UserDetailsServiceImpl" />
<beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator">
<beans:bean id="permissionEvaluator" class="com.companyname.web.security.MethodsPermissionEvaluator"/>
</beans:property>
</beans:bean>
</beans:beans>
EDIT: Also tried Spring Security 3.2.8.RELEASE but no luck.
source to share
This issue was resolved by another developer by updating the web.xml to contain the Spring security filter chain above in a file:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<servlet-name>Spring Security Filter Chain</servlet-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
We also had to make sure that the updated file was deployed in the correct environment. Differences in environments are attributed to different web.xml files for each environment.
source to share