HDIV: Spring MVC application getting "Unauthorized access" error

Question

Just implemented the configuration samples from the HDIV spring MVC show case project into my web application and configured the start links, etc and I can see the HDIV state parameter in the URL.

I have configured the index.jsp to redirect to the welcome.html page in the same way mentioned in the show case project and it works.

Problem is if I refresh the welcome.html page I get an error "Unauthorized access" or if I access any of the links from the welcome.html page 2nd time it throws this same error. From the logs I can see -

015-05-31 12:53:02,131 org.hdiv.logs.Logger - INVALID_COOKIE;/welcome.htm;cookie:AMCV_5C21123F5245AF0C0A490D45%40AdobeOrg;-2017484664%7CMCMID%7C04001757167802827442558962327640098514%7CMCAAMLH-1433633264%7C9%7CMCAAMB-1433633264%7CNRX38WO0n5BH8Th-nqAG_A%7CMCAID%7CNONE;;0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;anonymous;

I have to open the page again in an incognito mode of browser to access it which would again throw the error on 2nd attempt or refresh of browser.

My sample configurations -

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <hdiv:config excludedExtensions="css,png,gif,jpeg,jpg,js,ico">
        <hdiv:sessionExpired loginPage="/login.htm" homePage="/"/>
        <!--  <hdiv:startPages>/attacks/.*</hdiv:startPages> -->


        <hdiv:startPages method="get">/,/login.htm,/logout.htm</hdiv:startPages>
        <hdiv:startPages method="post">/j_spring_security_check</hdiv:startPages>
        <hdiv:startParameters>_csrf</hdiv:startParameters>
    </hdiv:config>

    <!-- Accepted pattern within the application for all editable parameters (generated from textbox and textarea) -->
    <hdiv:validation id="safeText">
        <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
    </hdiv:validation>

    <!-- Finally, it's necessary to define editable data validation list for 
        the application -->
    <hdiv:editableValidations>
        <!--  <hdiv:validationRule url="/secure/.*"></hdiv:validationRule> -->
            <!-- Finally, it's necessary to define editable data validation list for 
        the application -->

        <hdiv:validationRule url="/oe/.*"></hdiv:validationRule>

        <hdiv:validationRule url="/safetext/.*" enableDefaults="false">safeText</hdiv:validationRule>
    </hdiv:editableValidations>

</beans>

Answer 1

It seems that you are generating a cookie in the client side. As a result, HDIV does not notice about it. I think you are using Adobe® Marketing Cloud and it is generating that cookie.

Try disabling integrity in the cookies:

    <hdiv:config avoidCookiesIntegrity="true">

I hope it helps.