spring security - sessionid url rewriting with tomcat 7

we've fought with following problem using spring security 1.2.1, grails 1.3.7 and tomcat 7.0.22. on our dev machines we had no problems during login in our app. i think the grails tomcat plugin uses a 6.x verion of tomcat. we defined following test cace for the login process:

• delete all cookies
• login

as you can see a very simple test case :-). the result of the test looks as follows: the user was successfully authenticated, but after login gets redirected to the access denied page. the session was created, because the user was able to perform other permitted actions and the log shows a successful authentification (enabeld spring secured log on debug level). so why does the redirect to the access denied page happen?

tocmat 7.x assumes that no cookies are activated and adds the sessionid to the redirect url and addtionally set the cookie via "set cookie" http header. that's the poi开发者_开发知识库nt where the spring security plugin is confused.

http response of j_spring_security_check

HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 14 Oct 2011 06:41:59 GMT
**Location: https://myserver/main;jsessionid=8341CD832CAF4569A95BBF436395744E**
Server: Apache-Coyote/1.1
**Set-Cookie: JSESSIONID=8341CD832CAF4569A95BBF436395744E;** Path=/etsweb/; HttpOnly

followed by a http get https://myserver/main;jsessionid=8341CD832CAF4569A95BBF436395744E

http response

HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Content-Length: 0
Date: Fri, 14 Oct 2011 06:41:59 GMT
Location: https://myserver/login/denied
Server: Apache-Coyote/1.1

the solution was to disable url rewriting by setting following tag in web.xml file

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

I don't know whether this is a spring sec bug or a thinking bug.

---

Also, make sure wild card in your security settings is using IS_AUTHENTICATED_ANONYMOUSLY, and not ROLE_ANONYMOUS.

'/**': ['IS_AUTHENTICATED_ANONYMOUSLY']