springspring-securityredirect-loop

WARNING DefaultFilterChainValidator.checkLoginPageIsntProtected Anonymous access to the login page doesn't appear to be enabled

I am creating a plain Login form for spring security authentication:

Here is security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">


<security:http auto-config="false" use-expressions="true">
    <security:intercept-url pattern="/login2.xhtml" access="hasRole('IS_AUTHENTICATED_ANONYMOUSLY')"/>
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <security:form-login login-page="/login2.xhtml"/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="sajjad" authorities="ROLE_USER" password="abcdef"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

I want to authenticate all requests of application to be user

Here is in web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml
        /WEB-INF/security-config.xml
    </param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- SPRING SECURITY RELATED CONFIG-->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- JSF Servlet is defined to container -->

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Mapping with servlet and url for the http requests. -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

But problem is when i request any page, the browser show this error:

(The url is http://localhost:8080/login2.xhtml)

enter image description here

Tomcat Catalina Log

WARNING [RMI TCP Connection(18)-127.0.0.1] org.springframework.security.config.http.DefaultFilterChainValidator.checkLoginPageIsntProtected Anonymous access to the login page doesn't appear to be enabled.
This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page.

(Simulated access was rejected: 
org.springframework.security.access.AccessDeniedException: Access is denied)
Solution

  • when you first access login; the user doesnt have any role(since he isnt logged in spring security yet) the login page should not restricted by role; it should be available to all user.