Infinite loop using Spring Security - Login page is protected even though it should allow anonymous access

I have a Spring application (Spring version 2.5.6.SEC01, Spring Security version 2.0.5) with the following setup:

web.xml

<welcome-file-list>
  <welcome-file>
    index.jsp
  </welcome-file>
</welcome-file-list>

The index.jsp page is in the WebConte开发者_如何学JAVAnt directory and simply contains a redirect:

<c:redirect url="/login.htm"/>

In the appname-servlet.xml, there is a view resolver to point to the jsp pages in WEB-INF/jsp

<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/jsp/" />
  <property name="suffix" value=".jsp" />
</bean>

In the security-config.xml file, I have the following configuration:

<http>
  <!-- Restrict URLs based on role -->
  <intercept-url pattern="/WEB-INF/jsp/login.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/header.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/WEB-INF/jsp/footer.jsp*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/index.jsp" access="ROLE_ANONYMOUS" />
  <intercept-url pattern="/logoutSuccess*" access="ROLE_ANONYMOUS" />

  <intercept-url pattern="/css/**" filters="none" />
  <intercept-url pattern="/images/**" filters="none" />
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />

  <form-login login-page="/login.jsp"/>
</http>

<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>

However, I can't even navigate to the login page and get the following error in the log:

WARNING: The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.

I've tried changing the ROLE_ANONYMOUS to IS_AUTHENTICATED_ANONYMOUSLY, changing the login-page to index.jsp, login.htm, and adding different intercept-url values, but I can't get it so the login page is accesible and security applies to the other pages. What do I have to change to avoid this loop?

---

The problem was I was missing the

<anonymous /> 

tag in the http section of the security-config.xml file so I wasn't able to get to the login page anonymously. Once I added this, I was able to get to the login page and authenticate.

---

You should set auto-config attribute:

<http auto-config="true">
    <intercept-url ... />
    ...
</http>

EDIT: To avoid problems with multiple UserDetailsService you probably can replace your <authentication-provider> declaration by something like this:

<authentication-provider user-service-ref = "userService" />

<jdbc-user-service id = "userService" data-source-ref="dataSource" />

---

<intercept-url pattern="/login*" access="ROLE_ANONYMOUS" />

you could have replaced that with

<intercept-url pattern="/login*" filter="none" />

because spring security is right, it doesn't make any sense to protect the login page

---

you can use another sec:http section

<sec:http pattern="/login" security="none" />

or you can use

<sec:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />