Back to HTTP from HTTPS causes AuthenticationServiceException

[kmansoor]

I am trying to use HTTP channel once the user has been logged in on HTTPS channel, this results in AuthenticationServiceException:

I have a login.jsp configured to use HTTPS and the rest of the URLs to use HTTP as follows:

Code:

<http auto-config="true" use-expressions="true">

		<intercept-url 
			pattern="/resources/**" 
			filters="none" />

		<intercept-url 
			pattern="/login*" 
			access="permitAll" 
			requires-channel="https" />

		<intercept-url 
			pattern="/logout*" 
			access="permitAll" />

		<intercept-url 
			pattern="/**"
			access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')" 
			requires-channel="http" />

		<port-mappings>
			<port-mapping http="8080" https="8443" />
		</port-mappings>

		<form-login 
			login-page="/login"
			authentication-success-handler-ref="customAuthenticationSuccessHandlerBean"
			authentication-failure-handler-ref="customAuthenticationFailureHandlerBean" />

		<logout 
			invalidate-session="true" 
			success-handler-ref="logoutHandlerBean" />

		<session-management 
			session-fixation-protection="migrateSession" >

			<concurrency-control 
				max-sessions="1"
				expired-url="/login_sessionexpired" />
		</session-management>
		
	</http>

The relevant lines from the log are:

Code:

2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.FilterChainProxy  - /j_spring_security_check at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Request is to process authentication
2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Authentication method not supported: GET
2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Updated SecurityContextHolder to contain null Authentication
2011-06-15 11:28:28,752 ["http-bio-8080"-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter  - Delegating to authentication failure handlerca.utor.med.dc.medlink.security.AuthenticationFailureHandlerImpl@46cfd22a

The curious thing is if i change the following from:

Code:

<intercept-url 
			pattern="/**"
			access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')" 
			requires-channel="http" />

To:

Code:

<intercept-url 
			pattern="/**"
			access="hasRole('ROLE_USER') or hasRole('ROLE_ADMINISTRATOR')" 
			requires-channel="any" />

(please note the "any" in the requires-channel from "http")

It starts to work fine, except that the whole application now works on HTTPS. Is there anything wrong with my setup? any pointers will be highly appreciated.

Thanks.