Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

HTTP Status 405 with Spring Security with Custom Form Login Using JavaConfig

DZone's Guide to

HTTP Status 405 with Spring Security with Custom Form Login Using JavaConfig

Want a custom login form created with JavaConfig? Here's a neat tutorial, which breaks down initial config, additions, and shows you why.

· Performance Zone
Free Resource

I have been working on a 100% JavaConfig version of a custom form authentication Spring MVC application. Most examples use XML configuration, but I know I wanted to implement a solution without any XML.

I have investigated several examples, but here is my initial configuration that does work:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/index").permitAll()
            .antMatchers("/customers/*").access("hasRole('USER')")
            .antMatchers("/managers/*").access("hasRole('ADMIN') and hasRole('DBA')")
            .and().formLogin().defaultSuccessUrl("/")
            .and().anonymous()
            .and().rememberMe()
            .and().logout().logoutSuccessUrl("/")
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/Access_Denied.html");

        http.sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/expired.html")
                .sessionRegistry(sessionRegistry());
    }

I wanted to use a custom login form, so I added this configuration:

Then I added this login.jsp

<form name='f' action="<c:url value='/j_spring_security_check' />" method='POST'>
    <table>
        <tr>
            <td>User:</td>
            <td><input type='text' name='j_username' value=''>
            </td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type='password' name='j_password' />
            </td>
        </tr>
        <tr>
            <td colspan='2'><input name="submit" type="submit"
                                   value="submit" />
            </td>
        </tr>
        <tr>
            <td colspan='2'><input name="reset" type="reset" />
            </td>
        </tr>
    </table>
    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
</form>

Now I did test with both /login and /j_security_check as the action.

When using /login, I get an “HTTP 404 Page Not Found” exception, and when I use /j_security_check action, I get a “HTTP Status 405 – Request method ‘POST’ not supported” exception.

I ran across several incidents where using the XML configuration leads to the same error:

http://stackoverflow.com/questions/30882762/spring-security-4-0-1-http-status-405-request-method-post-not-supported

But this did not help my specific error.

Here is my updated configuration that finally worked:

.and().formLogin()
            .loginPage("/login.jsp")
            .loginProcessingUrl("/j_spring_security_check")
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()

I can only surmise, that with the JavaConfig for Spring Security, there are several configuration attributes that are set for the default .formLogin(), and unless you explicitly set these attributes, the login.jsp will not execute the correct action.

Topics:
security ,authentication ,authorization

Published at DZone with permission of Mick Knutson, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}