Spring : Spring Security in a web application

This page last changed on Jan 09, 2008 by Kees de Kooter


Spring Security, formerly known as Acegi, has reached its first milestone. The configuration is radically simplified. Here are my first steps.

New config file

The new config takes advantage of the Spring namespace support. Unfortunately the schema is not yet published.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <annotation-driven />

    <!-- The /** rule below also matches /login.jsp and /login-failed.jsp -->
    <http auto-config="true">
        <form-login login-page="/login.jsp"
            authentication-failure-url="/login-failed.jsp" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    </http>

    <jdbc-user-service data-source="dataSource"/>
</beans:beans>


This code was copied from Ben Alex's blog entry about Spring Security (http://blog.interface21.com/main/2007/12/06/whats-new-in-spring-security-2/). Unfortunately it does not work properly. I get the following exception in Firefox:

The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

I had this problem with Acegi as well and solved it by excluding login.jsp from authentication. I was hoping the framework is by now clever enough to not protect its own login page (sad).
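
The redirect loop above comes from the `/**` rule also covering the login page, so every redirect to `/login.jsp` triggers another one. The script below is an added example, not code from the original page or from Spring Security: it reads an `<http>` block, applies the `<intercept-url>` rules in declaration order, and reports login pages that themselves demand a login. The function names, the simplified Ant-style matcher, the extra `/login*.jsp` rule and the use of `IS_AUTHENTICATED_ANONYMOUSLY` (with anonymous authentication enabled) as the "no login needed" marker are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"
ANONYMOUS_OK = {"IS_AUTHENTICATED_ANONYMOUSLY"}  # assumed token for "no login needed"

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: ** spans directories, * and ? stay inside one."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        else:
            parts.append({"*": "[^/]*", "?": "[^/]"}.get(pattern[i], re.escape(pattern[i])))
            i += 1
    return re.compile("".join(parts) + r"\Z")

def looping_pages(config_xml):
    """Return (attribute, page, matching pattern) for login pages that demand a login."""
    http = ET.fromstring(config_xml).find(NS + "http")
    form = http.find(NS + "form-login")
    rules = [(r.get("pattern"), r.get("access", "")) for r in http.findall(NS + "intercept-url")]
    blocked = []
    for attr in ("login-page", "authentication-failure-url"):
        page = form.get(attr)
        if not page:
            continue
        path = page.split("?")[0]
        # The first matching rule decides, so declaration order matters.
        hit = next((r for r in rules if ant_to_regex(r[0]).match(path)), None)
        if hit and not ANONYMOUS_OK & {t.strip() for t in hit[1].split(",")}:
            blocked.append((attr, page, hit[0]))
    return blocked

# Constructed sample input: the <http> block from this page, with a slot for extra rules.
TEMPLATE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <form-login login-page="/login.jsp" authentication-failure-url="/login-failed.jsp" />
    %s
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  </http>
</beans:beans>"""
PAGE_CONFIG = TEMPLATE % ""
# Hypothetical extra rule, placed before /** so that it is matched first.
OPENED_CONFIG = TEMPLATE % '<intercept-url pattern="/login*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />'

if __name__ == "__main__":
    print(looping_pages(PAGE_CONFIG))    # both login pages are caught by /**
    print(looping_pages(OPENED_CONFIG))  # nothing blocked
```

Keep any rule that opens the login pages as narrow as possible and list it before `/**`; a broad anonymous pattern placed first would expose more than the login form.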