loadUserByUsername is not invoked

Question

i am using spring security 3 when i enter wrong data user is redirected to login-failure-link but spring security doesn't invoke the loadUserByUsername method ? so how does the authentication happens and spring knows that credentials are wrong ? or i have something wrong with my configuration, please guide.

login page:

<form action="/myapp/j_spring_security_check">
                        <h:graphicImage id="graphicImage1" style="height: 322px; left: 0px; top: 0px; position: absolute" url="/resources/images/LoginImage.jpg" width="560"/>
                        <h:outputLabel for="j_username" id="outputLabel1" style="left: 48px; top: 120px; position: absolute" value="Username:"/>
                        <h:outputLabel for="j_password" id="outputLabel2" style="left: 48px; top: 168px; position: absolute" value="Password:"/>
                        <h:inputText binding="#{login.username}" id="j_username" required="true"
                            style="left: 142px; top: 118px; position: absolute; width: 237px" />
                        <h:inputSecret binding="#{login.password}" id="j_password" required="true" style="left: 142px; top: 166px; position: absolute; width: 237px"/>
                        <h:commandButton   id="loginBtn" style="left: 144px; top: 240px; position: absolute" value="Login"/>
                        <h:commandButton action="#{login.reset}" id="resetBtn" style="position: absolute; left: 360px; top: 240px" value="Reset"/>
                        <h:outputText id="errorMessage" style="left:0px;top:300px;position:absolute"/>
                        <h:message errorClass="errorMessage"  for="j_username" fatalClass="fatalMessage" id="messages1" infoClass="infoMessage" showSummary="false"
                            style="height: 43px; left: 24px; top: 288px; position: absolute; width: 523px;color:red;" warnClass="warnMessage"/>
                      </form>

security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"  
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">


        <global-method-security pre-post-annotations="enabled" />   

        <!--  key configuration here is an entry point to be used by security intercepts -->
        <http use-expressions="true"  auto-config="false">

        <session-management session-fixation-protection="none"/>

        <remember-me  token-validity-seconds="1209600"/>

        <!-- Exclude the login page from the security check -->
        <intercept-url pattern="/faces/login.xhtml" access="permitAll"/>

        <!-- All pages requires authentication (not anonymous user) -->
        <intercept-url pattern="/faces/**" access="isAuthenticated()" />

        <intercept-url pattern="/faces/javax.faces.resource/**" filters="none" />
        <intercept-url pattern="/faces/xmlhttp/**" filters="none" />
        <intercept-url pattern="/faces/resources/**" filters="none" />
        <intercept-url pattern="/faces/j_spring_security_check/**" filters="none" />
        <intercept-url pattern="/scripts/**" filters="none" />
        <intercept-url pattern="/images/**" filters="none" />
        <intercept-url pattern="/css/**" filters="none" />  

        <!-- Returns true if the user is not anonymous -->


        <access-denied-handler error-page="/error"/>

        <form-login default-target-url="/users"  
        always-use-default-target="true"            
            login-processing-url="/j_spring_security_check"         
            login-page="/faces/login.xhtml"
            authentication-failure-url="/faces/login.xhtml?login_error=1"                                                               
        />

        <logout logout-url="/logout" logout-success-url="/login" />     
    </http>

    <authentication-manager alias="authenticationManager">          
    <authentication-provider user-service-ref="userDetailsServiceImpl">
    </authentication-provider>
    </authentication-manager>


    </beans:beans>

3- UserDetailsService:

@Service("userDetailsServiceImpl")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        System.out.println("########## LOADING USER ##################");
        User user = userDao.findUserByEmail(username);
        return new org.springframework.security.core.userdetails.User(
                user.getEmail(), user.getPassword(), true, true, true, true,
                setUserAuthorities(user.getAuthorities()));
    }

    public Collection<GrantedAuthority> setUserAuthorities(List<Authority> auths) {

        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        for (Authority auth : auths)
            grantedAuthorities.add(new GrantedAuthorityImpl(auth.getName()));
        return grantedAuthorities;
    }
}

Answer 1

You remember that I told that spring security adds a lot of filters? One of that filters is responsible to check that a request for j_spring_security_check is forwared to the Authentication Manager.

But you don't have that filter.

If there is no reason against this, then enable the auto config:

<http use-expressions="true"  auto-config="true">

and add an interceptor for /j_spring_security_check

<intercept-url pattern="/j_spring_security_check" access="permitAll"/>