Thread: POST method gets turned into GET method after secure redirect?

  1. #1

    POST method gets turned into GET method after secure redirect?

    Hi,

    I'm encountering a strange issue. The ultimate error is: HTTP Status 405 - Request method 'GET' not supported

    My site allows users to browse most parts anonymously over HTTP.

    Some pages require the user to authenticate. Most of these pages are also forced over HTTPS. Most use cases work fine, however in one specific situation the user does a POST to a URL that requires authentication and also forces HTTPS. This results in the error: Request method 'GET' not supported.

    From looking at the request headers I can see the following:

    POST http://localhost/app/test HTTP/1.1

    HTTP/1.0 302 Moved Temporarily

    GET https://localhost/app/test HTTP/1.1

    HTTP/1.1 302 Moved Temporarily

    GET https://localhost/sign-in HTTP/1.1

    HTTP/1.1 200 OK

    POST https://localhost/j_spring_security_check HTTP/1.1

    HTTP/1.1 302 Moved Temporarily

    GET https://localhost/app/test HTTP/1.1

    HTTP/1.1 405 Method Not Allowed

    Any thoughts why the secure redirect turns the POST into a GET?

    I have tested POSTing to the same URL without forcing HTTPS and that works okay.

    Many thanks,
    Nes

  2. #2
    Join Date
    Jan 2008
    Posts
    1,834

    The request is saved to the HttpSession to replay after authenticating. Try tracking the JSESSIONID to see if it is changing as you may be running into a variant of the http/https issue discussed on the FAQ.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  3. #3

    Apologies for the late response.

    I've tracked JSESSIONID as suggested, but it is not changing - not after the 302 and not after the 405.

    It is the 302 redirect (that redirects HTTP to HTTPS) that changes the method from POST to GET.

    Any further help greatly appreciated...

    Nes
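
The method change that post #3 attributes to the 302 can be located mechanically in a capture like the one in post #1. The following is an added example, not part of the thread or of Spring Security: it pairs each request with its response and flags every hop where a POST was answered with a redirect and followed by a GET. The function names are hypothetical, and the status-code set goes beyond the thread's 302 by applying the redirect semantics of RFC 7231 and RFC 7538.

```python
import re

# Constructed sample: the request and status lines quoted in post #1 of this thread.
TRACE = """\
POST http://localhost/app/test HTTP/1.1
HTTP/1.0 302 Moved Temporarily
GET https://localhost/app/test HTTP/1.1
HTTP/1.1 302 Moved Temporarily
GET https://localhost/sign-in HTTP/1.1
HTTP/1.1 200 OK
POST https://localhost/j_spring_security_check HTTP/1.1
HTTP/1.1 302 Moved Temporarily
GET https://localhost/app/test HTTP/1.1
HTTP/1.1 405 Method Not Allowed
"""

REQ = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
RESP = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
# After 301/302 clients may re-issue a POST as GET; after 303 the follow-up is a GET.
# 307 and 308 require the method and body to be repeated unchanged.
REWRITES_TO_GET = {301, 302, 303}

def _path(url):
    """Drop scheme and host so http:// and https:// forms of one resource compare equal."""
    return re.sub(r"^https?://[^/]+", "", url)

def parse_exchanges(trace):
    """Pair each request line with the status line that follows it."""
    exchanges, pending = [], None
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := REQ.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := RESP.match(line)) and pending:
            exchanges.append((*pending, int(m.group(1))))
            pending = None
    return exchanges

def method_downgrades(exchanges):
    """Return hops where a non-GET request was redirected and then followed by a GET."""
    hits = []
    for (method, url, status), (nxt, nxt_url, _) in zip(exchanges, exchanges[1:]):
        if status in REWRITES_TO_GET and method not in ("GET", "HEAD") and nxt == "GET":
            # same_path=True means the redirect only changed scheme/host, so the
            # POST body was dropped on the way to the very resource it targeted.
            hits.append({"from": f"{method} {url}", "status": status,
                         "to": f"GET {nxt_url}", "same_path": _path(url) == _path(nxt_url)})
    return hits
```

On the trace from post #1 this reports two hops: the HTTP-to-HTTPS redirect of `/app/test` (`same_path` true) and the ordinary post-login redirect from `/j_spring_security_check` (`same_path` false).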

  4. #4
    Try adding a debug point to HttpRequestCache and see what URLs it is called on.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  5. #5

    I now created a smaller test case where I'm already logged in. Then posting to an HTTPS secured URL. Same 405 error is thrown.

    The debug log says:

    Request: FilterInvocation: URL: /app/test; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]

    When you say add a debug point to HttpRequestCache, did you mean HttpSessionRequestCache (in package org.springframework.security.web.savedrequest)?

    Where exactly should I set the breakpoint?

    Thanks for your help so far!

    Nes
