Spring Security failing with URL Redirection

Printable View

Jul 23rd, 2012, 04:18 AM
robbobkirk

Spring Security failing with URL Redirection

I've stripped this back to the simplest security config :

In my security-context.xml file

Code:

<security:http auto-config="true"> <security:intercept-url pattern="/**" access="ROLE_USER" /> </security:http>

In my web.xml

Code:

<filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

In Apache do a rewrite in Apache so that http://localhost/myapp appears at http://localhost using this

Code:

# Remove double "myapp" in url RewriteRule ^/myapp/(.*) /$1 # Check to see if content can be served locally - rewrite back if not RewriteCond /dir/to/static/content -f RewriteRule ^/(.*) /myapp/$1 [PT] JkMount /myapp/* loadbalancer

However, logging in using the built in Spring Security I get this
Reason: Authentication method not supported: GET

This is with version 3.0.6 of Spring Security and the rewriting works fine as a standard Spring app without security.

Any help or advice as I've been struggling with this for ages.
Jul 23rd, 2012, 01:55 PM
Rob Winch

You must submit a POST in order for a user to login. What does your HTML look like? What does the HTTP request look like before and after Apache. In summary, you will get this error if Spring Security sees a GET submitted to the UsernamePasswordAuthenticationFilter.
Jul 25th, 2012, 02:51 AM
robbobkirk

Rob, thanks for your reply. Yes I was using Apache rewriting that translate a POST request into a GET request.

I was unable to get this working with Apache mod_jk and used Apache mod_proxy instead.
This is the solution I came up with :

In Apache

Code:

<Proxy> Order deny,allow Allow from all </Proxy> RewriteCond /dir/to/static/content/%{REQUEST_FILENAME} !-f RewriteRule ^/(.*) ajp://127.0.0.1:8009/myapp/$1 [P] ProxyPassReverse / http://myurl/myapp/ ProxyPassReverseCookiePath /myapp /

In Spring

Code:

<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true"> <security:intercept-url pattern="/app/login" access="permitAll" /> <security:intercept-url pattern="/app/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" /> <security:form-login login-page="/app/login" authentication-failure-url="/app/login?f=1" default-target-url="/app/map"/> <security:logout logout-url="/app/logout"/> </security:http>