
Thread: Back to HTTP from HTTPS causes AuthenticationServiceException


  1. #1
    Join Date
    Aug 2010
    Posts
    26

    Back to HTTP from HTTPS causes AuthenticationServiceException

    I am trying to use the HTTP channel once the user has logged in on the HTTPS channel, but this results in an AuthenticationServiceException.

    I have a login.jsp configured to use HTTPS and the rest of the URLs to use HTTP as follows:

    Code:
    <http auto-config="true" use-expressions="true">

        <intercept-url
            pattern="/resources/**"
            filters="none" />

        <intercept-url
            pattern="/login*"
            access="permitAll"
            requires-channel="https" />

        <intercept-url
            pattern="/logout*"
            access="permitAll" />

        <intercept-url
            pattern="/**"
            access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')"
            requires-channel="http" />

        <port-mappings>
            <port-mapping http="8080" https="8443" />
        </port-mappings>

        <form-login
            login-page="/login"
            authentication-success-handler-ref="customAuthenticationSuccessHandlerBean"
            authentication-failure-handler-ref="customAuthenticationFailureHandlerBean" />

        <logout
            invalidate-session="true"
            success-handler-ref="logoutHandlerBean" />

        <session-management
            session-fixation-protection="migrateSession">

            <concurrency-control
                max-sessions="1"
                expired-url="/login_sessionexpired" />
        </session-management>

    </http>
    The relevant lines from the log are:
    Code:
    2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.FilterChainProxy  - /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Request is to process authentication
    2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
    2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Updated SecurityContextHolder to contain null Authentication
    2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Delegating to authentication failure handlerca.utor.med.dc.medlink.security.AuthenticationFailureHandlerImpl@46cfd22a
    The curious thing is that if I change the following from:
    Code:
    <intercept-url
        pattern="/**"
        access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')"
        requires-channel="http" />
    To:

    Code:
    <intercept-url
        pattern="/**"
        access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')"
        requires-channel="any" />
    (please note the "any" in requires-channel, changed from "http")

    It starts to work fine, except that the whole application now works on HTTPS. Is there anything wrong with my setup? Any pointers will be highly appreciated.

    Thanks.

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    The problem is that you are requiring HTTP for the submission of the login form. So the login form is loaded under HTTPS, but when you submit it the request is redirected and submitted as a GET (which isn't allowed). The sequence should be obvious if you monitor the log and use a browser plugin such as HttpFox or Firebug.

    Provided a session is created in HTTP, it will work as you intend if you also require HTTPS for the /j_security_check URL.

    Note that to be properly secure you need to start in HTTPS and remain in it throughout your interaction with the application.
    Spring - by Pivotal
    twitter @tekul
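    The fix Luke describes, written out as an added example against the configuration in post #1 (this is not code from the thread or from the Spring Security project); it assumes the login form posts to the default Spring Security 3 processing URL /j_spring_security_check that appears in the log, and it follows the advice in posts #2 and #5 by keeping the rest of the application on HTTPS:

```xml
<http auto-config="true" use-expressions="true">

    <intercept-url pattern="/resources/**" filters="none" />

    <!-- Login page is served over HTTPS, as in the original configuration. -->
    <intercept-url pattern="/login*" access="permitAll" requires-channel="https" />

    <!-- Added entry: the login form POSTs to /j_spring_security_check. Without it the
         request falls through to the /** rule below; the channel-processing filter
         (first in the chain) redirects it to HTTP, the browser re-issues the redirect
         as a GET, and UsernamePasswordAuthenticationFilter rejects it with
         "Authentication method not supported: GET".
         Patterns are matched in order, so this entry must precede /**. -->
    <intercept-url pattern="/j_spring_security_check"
        access="permitAll"
        requires-channel="https" />

    <intercept-url pattern="/logout*" access="permitAll" />

    <!-- The thread's original rule used requires-channel="http" here. That only
         works if the session was first created over HTTP and it sends the session
         cookie in clear text on every request (the Firesheep case in post #5).
         Keeping "https" here keeps the whole interaction on HTTPS. -->
    <intercept-url pattern="/**"
        access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')"
        requires-channel="https" />

    <port-mappings>
        <port-mapping http="8080" https="8443" />
    </port-mappings>

    <form-login login-page="/login"
        authentication-success-handler-ref="customAuthenticationSuccessHandlerBean"
        authentication-failure-handler-ref="customAuthenticationFailureHandlerBean" />

    <logout invalidate-session="true" success-handler-ref="logoutHandlerBean" />

    <session-management session-fixation-protection="migrateSession">
        <concurrency-control max-sessions="1" expired-url="/login_sessionexpired" />
    </session-management>

</http>
```

    With this in place the debug log should show /j_spring_security_check reaching UsernamePasswordAuthenticationFilter as a POST rather than a redirected GET.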

  3. #3
    Join Date
    Aug 2010
    Posts
    26


    Luke, thanks a lot for replying (as always).

    I'll take your advice and not downgrade to HTTP after authentication.

    I don't remember where, but I think it was a prestigious author who suggested not using HTTPS for insensitive data, as it will considerably slow things down. So the pattern would be to use HTTPS for login and any other sensitive information, and HTTP for everything else.

  4. #4
    Join Date
    Dec 2011
    Posts
    24


    But is there a way to go from HTTPS --> HTTP if that is what I am really trying to achieve?

    Is there a way to change the login page to POST over HTTPS and still maintain the session?

  5. #5
    Join Date
    Jan 2008
    Posts
    1,826


    You must establish the HTTP Session using HTTP (i.e. before the HTTPS request) in order for that to work. However, as Luke mentions this is NOT secure and is NOT recommended. If you don't believe me Google "Firesheep".
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
