Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

HTTP Status 405 with Spring Security with Custom Form Login Using JavaConfig

DZone's Guide to

HTTP Status 405 with Spring Security with Custom Form Login Using JavaConfig

Want a custom login form created with JavaConfig? Here's a neat tutorial, which breaks down initial config, additions, and shows you why.

· Performance Zone
Free Resource

Evolve your approach to Application Performance Monitoring by adopting five best practices that are outlined and explored in this e-book, brought to you in partnership with BMC.

I have been working on a 100% JavaConfig version of a custom form authentication Spring MVC application. Most examples use XML configuration, but I know I wanted to implement a solution without any XML.

I have investigated several examples, but here is my initial configuration that does work:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/index").permitAll()
            .antMatchers("/customers/*").access("hasRole('USER')")
            .antMatchers("/managers/*").access("hasRole('ADMIN') and hasRole('DBA')")
            .and().formLogin().defaultSuccessUrl("/")
            .and().anonymous()
            .and().rememberMe()
            .and().logout().logoutSuccessUrl("/")
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/Access_Denied.html");

        http.sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/expired.html")
                .sessionRegistry(sessionRegistry());
    }

I wanted to use a custom login form, so I added this configuration:

Then I added this login.jsp

<form name='f' action="<c:url value='/j_spring_security_check' />" method='POST'>
    <table>
        <tr>
            <td>User:</td>
            <td><input type='text' name='j_username' value=''>
            </td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='j_password' />
            </td>
        </tr>
        <tr>
            <td colspan='2'><input name="submit" type="submit"
                                   value="submit" />
            </td>
        </tr>
        <tr>
            <td colspan='2'><input name="reset" type="reset" />
            </td>
        </tr>
    </table>
    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
</form>

Now I did test with both /login and /j_security_check as the action.

When using /login, I get an “HTTP 404 Page Not Found” exception, and when I use /j_security_check action, I get a “HTTP Status 405 – Request method ‘POST’ not supported” exception.

I ran across several incidents where using the XML configuration leads to the same error:

http://stackoverflow.com/questions/30882762/spring-security-4-0-1-http-status-405-request-method-post-not-supported

But this did not help my specific error.

Here is my updated configuration that finally worked:

.and().formLogin()
            .loginPage("/login.jsp")
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()

I can only surmise, that with the JavaConfig for Spring Security, there are several configuration attributes that are set for the default .formLogin(), and unless you explicitly set these attributes, the login.jsp will not execute the correct action.

Learn tips and best practices for optimizing your capacity management strategy with the Market Guide for Capacity Management, brought to you in partnership with BMC.

Topics:
security ,authentication ,authorization

Published at DZone with permission of Mick Knutson, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}