I am using PAS on OE 11.6 (SP2) for testing a REST application (installed as ROOT webapp) and have setup security using oeableSecurity-form-oerealm. Whenever I login successfully the application is always redirecting me to favicon.ico (in root folder) and not index.html.
Auth model config is as follows:
<!-- authentication model --> <form-login login-page="/static/auth/login.jsp" login-processing-url="/static/auth/j_spring_security_check" always-use-default-target="true" default-target-url="/index.html" authentication-failure-url="/static/auth/loginfail.html" authentication-success-handler-ref="OEAuthnSuccessHandler" authentication-failure-handler-ref="OEAuthnFailureHandler" />
<logout logout-url="/static/auth/j_spring_security_logout" success-handler-ref="OELogoutSuccessHandler" invalidate-session="true" delete-cookies="JSESSIONID" />
I can then change the URL to access the index.html which allows me to continue.
Possible explanation which I've run into. Not specifically with PAS, but this is probably the same issue.
This is due to a combination of things.
1. when the browser first your website it sends the first HTTP request to get favicon.ico, not the actual page you requested
2. an HTTP session is created and the first requested object is stored with the session.
3. you get a redirect to login
4. the login completes and you get redirected back to the first requested object. In this case it is the favicon.ico.
The fix for this is to ensure that your favicon.ico is not protected by security and is ignored for session management
There's lots of stuff there on google about this.
stack overflow suggests a fix to add an exception
<http pattern="/favicon.ico" security="none" />https://stackoverflow.com/questions/11242609/default-spring-security-redirect-to-favicon
Thanks that sorted it (ensuring favicon.ico is not a secured resource). On another point, on authentication failure the url in authentication-failure-url is not being used. I get a PASS 401 error page:
An error occurred while executing your request!
401 - Unauthorized: authentication failed due to bad credentials - POST /static/auth/j_spring_security_check