Getting access denied on the login page - PullRequest
2 votes
/ October 13, 2011

I am using Spring Security 3 with JSF 2 and ICEFaces 2, and I have configured my application as follows:

  1. All pages are secured (authentication required) except the login page.

  2. The login page is not filtered, so any user can access it.

Problem: when trying to run the application, the user is redirected to the home page, but he is not logged in, so he is redirected to the login page. The page loads fine, and I am running Spring Security in debug mode, so I can see an access denied exception.

Here is my code:

<beans:beans xmlns="http://www.springframework.org/schema/security"  
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">


    <global-method-security pre-post-annotations="enabled" />   

    <!--  key configuration here is an entry point to be used by security intercepts -->
    <http use-expressions="true"  auto-config="false">

    <session-management session-fixation-protection="none"/>

    <remember-me  token-validity-seconds="1209600"/>

    <!-- Exclude the login page from the security check -->
    <intercept-url pattern="/faces/login.xhtml" access="permitAll"/>

    <!-- All pages requires authentication (not anonymous user) -->
    <intercept-url pattern="/faces/**" access="isAuthenticated()" />

    <intercept-url pattern="/images/**" filters="none" />
    <intercept-url pattern="/scripts/**" filters="none" />
    <intercept-url pattern="/css/**" filters="none" />  

    <!-- Returns true if the user is not anonymous -->


    <access-denied-handler error-page="/error"/>

    <form-login default-target-url="/users"  
    always-use-default-target="true"            
        login-processing-url="/j_spring_security_check"         
        login-page="/faces/login.xhtml"
        authentication-failure-url="/login?login_error=1"                                                               
    />

    <logout logout-url="/logout" logout-success-url="/login" />     
</http>

<authentication-manager alias="authenticationManager">          
<authentication-provider user-service-ref="userDetailsServiceImpl">
</authentication-provider>
</authentication-manager>


</beans:beans>

And here is the debug output:

DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /css/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /**; matched=true
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-5] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/login.xhtml (property not equals)
DEBUG [http-8080-5] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-5] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/login.xhtml'; pattern is /faces/login.xhtml; matched=true
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/login.xhtml; Attributes: [permitAll]
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS
DEBUG [http-8080-5] (AffirmativeBased.java:53) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@20688e91, returned: 1
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:213) - Authorization successful
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:223) - RunAsManager did not change Authentication object
DEBUG [http-8080-5] (FilterChainProxy.java:362) - /faces/login.xhtml reached end of additional filter chain; proceeding with original chain
DEBUG [http-8080-5] (ExceptionTranslationFilter.java:100) - Chain processed normally
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:338) - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
DEBUG [http-8080-5] (SecurityContextPersistenceFilter.java:89) - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /images/**; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /images/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /scripts/**; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /images/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /css/**; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /scripts/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:202) - Candidate is: '/faces/login.xhtml'; pattern is /**; matched=true
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /scripts/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /css/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /css/**; matched=false
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:195) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-5] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/login.xhtml (property not equals)
DEBUG [http-8080-2] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /**; matched=true
DEBUG [http-8080-5] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-3] (FilterChainProxy.java:202) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /**; matched=true
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 1 of 9 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-5] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-3] (HttpSessionSecurityContextRepository.java:142) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:375) - /faces/login.xhtml at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/login.xhtml'; to: '/faces/login.xhtml'
DEBUG [http-8080-3] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@118eb00c. A new one will be created.
DEBUG [http-8080-5] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/login.xhtml'; pattern is /faces/login.xhtml; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/login.xhtml; Attributes: [permitAll]
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 2 of 9 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-5] (AffirmativeBased.java:53) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@20688e91, returned: 1
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 3 of 9 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:213) - Authorization successful
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-5] (AbstractSecurityInterceptor.java:223) - RunAsManager did not change Authentication object
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 4 of 9 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-5] (FilterChainProxy.java:362) - /faces/login.xhtml reached end of additional filter chain; proceeding with original chain
DEBUG [http-8080-2] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css (property not equals)
DEBUG [http-8080-2] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-3] (DefaultSavedRequest.java:336) - pathInfo: arg1=/javax.faces.resource/compat.js; arg2=/javax.faces.resource/combined.css (property not equals)
DEBUG [http-8080-3] (HttpSessionRequestCache.java:72) - saved request doesn't match
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 5 of 9 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 6 of 9 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 7 of 9 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-2] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3 at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-3] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-2] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; to: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG [http-8080-2] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /faces/login.xhtml; matched=false
DEBUG [http-8080-3] (FilterChainProxy.java:375) - /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG [http-8080-2] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css'; pattern is /faces/**; matched=true
DEBUG [http-8080-3] (DefaultFilterInvocationSecurityMetadataSource.java:173) - Converted URL to lowercase, from: '/faces/javax.faces.resource/combined.css'; to: '/faces/javax.faces.resource/combined.css'
DEBUG [http-8080-2] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/javax.faces.resource/yui2-skin-sam-button/assets/button-core.css?ln=yui/2in3; Attributes: [isAuthenticated()]
DEBUG [http-8080-3] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /faces/login.xhtml; matched=false
DEBUG [http-8080-3] (DefaultFilterInvocationSecurityMetadataSource.java:200) - Candidate is: '/faces/javax.faces.resource/combined.css'; pattern is /faces/**; matched=true
DEBUG [http-8080-3] (AbstractSecurityInterceptor.java:191) - Secure object: FilterInvocation: URL: /faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util; Attributes: [isAuthenticated()]
DEBUG [http-8080-3] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9057bc48: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: A5721C800637CFCD4F6EF9E512468F64; Granted Authorities: ROLE_ANONYMOUS
DEBUG [http-8080-3] (AffirmativeBased.java:53) - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@20688e91, returned: -1
DEBUG [http-8080-3] (ExceptionTranslationFilter.java:153) - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)

1 Answer

2 votes
/ October 13, 2011

You must define that the login page itself is accessible without logging in.

<security:intercept-url pattern="/faces/login.xhtml" access="permitAll" />

And put this line before the "catch all" line:

<intercept-url pattern="/faces/**" access="isAuthenticated()" />

The reference documentation says that URLs are matched in the same order as they are declared!

The difference between the access and filters attributes: you need to know that Spring Security has a complete filter chain, and the accessDesisionFilter is only one of them. (This complete filter chain is set up by <security:http auto="true">.)

Using filters="none" operates by creating an empty filter chain in Spring Security's FilterChainProxy, whereas the access attributes are used to configure the FilterSecurityInterceptor in the single filter chain which is created by the namespace configuration. The two are applied independently, so if you have an access constraint for a sub-pattern of a pattern which has a filters="none" attribute, the access constraint will be ignored, even if it is listed first. It isn't possible to apply a filters="none" attribute to the pattern /** since this is used by the namespace filter chain. In version 3.1 things are more flexible. You can define multiple filter chains and the filters attribute is no longer supported.
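
The first-match ordering described in the answer, and the independence of filters="none" from the access rules, modelled as an added example (not part of the original post and not Spring Security's own code). The matcher is a simplified stand-in for Spring's Ant-style matching; the `/faces/javax.faces.resource/**` and `/css/private/**` rules are hypothetical additions, and the `/faces/...` request URLs are taken from the debug log in the question.

```python
import re

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' crosses '/', '*' and '?' do not.
    Only a trailing '/**' is treated as also matching the bare prefix."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def normalize(url):
    # The log shows matching on the lower-cased path without the query string.
    return url.split("?", 1)[0].lower()

def first_match(path, patterns):
    """Return the first declared pattern that matches, or None."""
    for pattern in patterns:
        if ant_to_regex(pattern).match(path):
            return pattern
    return None

# Patterns from the question's <http> block.
FILTERS_NONE = ["/images/**", "/scripts/**", "/css/**"]
ACCESS_RULES = [
    ("/faces/login.xhtml", "permitAll"),
    ("/faces/**", "isAuthenticated()"),
]
# Hypothetical extra rule (an assumption, not on the page), placed two ways.
RESOURCE_RULE = ("/faces/javax.faces.resource/**", "permitAll")
FIXED_RULES = [ACCESS_RULES[0], RESOURCE_RULE, ACCESS_RULES[1]]
MISORDERED_RULES = ACCESS_RULES + [RESOURCE_RULE]

def decide(url, access_rules, anonymous=True):
    """Return (deciding pattern, 'ALLOW' or 'DENY') for one request."""
    path = normalize(url)
    # Layer 1: filters="none" selects an empty filter chain, so the
    # access rules below are never consulted for these paths.
    if first_match(path, FILTERS_NONE):
        return ("filters=none", "ALLOW")
    # Layer 2: the first matching intercept-url decides; later ones are ignored.
    pattern = first_match(path, [p for p, _ in access_rules])
    if pattern is None:
        return (None, "ALLOW")  # no attributes configured: treated as public
    expression = dict(access_rules)[pattern]
    if expression == "permitAll":
        allowed = True
    elif expression == "isAuthenticated()":
        allowed = not anonymous
    else:
        raise ValueError("expression not modelled: " + expression)
    return (pattern, "ALLOW" if allowed else "DENY")

LOGIN = "/faces/login.xhtml"
RESOURCE = "/faces/javax.faces.resource/combined.css?ln=org.icefaces.component.util"

if __name__ == "__main__":
    for name, rules in [("as posted", ACCESS_RULES),
                        ("rule before catch-all", FIXED_RULES),
                        ("rule after catch-all", MISORDERED_RULES)]:
        for url in (LOGIN, RESOURCE):
            print(name, "|", url, "->", decide(url, rules))
    # An access rule under a filters="none" pattern is ignored, even if listed first.
    shadowed = [("/css/private/**", "isAuthenticated()")] + ACCESS_RULES
    print(decide("/css/private/report.css", shadowed))
```

With the rules as posted, the login page itself is allowed, but the stylesheet it loads from `/faces/javax.faces.resource/` falls through to `/faces/**` and is denied for the anonymous user, which is the `Access is denied` entry in the log.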
