
  • Spring Security failing with URL Redirection

    I've stripped this back to the simplest security config:

    In my security-context.xml file
    Code:
    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>
    In my web.xml
    Code:
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    In Apache I do a rewrite so that http://localhost/myapp appears at http://localhost using this

    Code:
    # Remove double "myapp" in url
    RewriteRule ^/myapp/(.*) /$1
    
    # Check to see if content can be served locally - rewrite back if not
    RewriteCond /dir/to/static/content -f
    RewriteRule ^/(.*) /myapp/$1 [PT]
    
    JkMount /myapp/* loadbalancer

    However, logging in using the built-in Spring Security, I get this:
    Reason: Authentication method not supported: GET

    This is with version 3.0.6 of Spring Security and the rewriting works fine as a standard Spring app without security.

    Any help or advice would be appreciated, as I've been struggling with this for ages.

  • #2
    You must submit a POST in order for a user to log in. What does your HTML look like? What does the HTTP request look like before and after Apache? In summary, you will get this error if Spring Security sees a GET submitted to the UsernamePasswordAuthenticationFilter.

    • #3
      Rob, thanks for your reply. Yes, I was using Apache rewriting that translates a POST request into a GET request.

      I was unable to get this working with Apache mod_jk and used Apache mod_proxy instead.
      This is the solution I came up with:

      In Apache
      Code:
      <Proxy *>
         Order deny,allow
         Allow from all
      </Proxy>
      
      RewriteCond /dir/to/static/content/%{REQUEST_FILENAME} !-f
      RewriteRule ^/(.*) ajp://127.0.0.1:8009/myapp/$1 [P]
      ProxyPassReverse /  http://myurl/myapp/
      ProxyPassReverseCookiePath /myapp /
      In Spring

      Code:
      <security:http auto-config="false" use-expressions="true" disable-url-rewriting="true">
         <security:intercept-url pattern="/app/login" access="permitAll" />
         <security:intercept-url pattern="/app/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
         <security:form-login
          login-page="/app/login"
          authentication-failure-url="/app/login?f=1"
          default-target-url="/app/map"/>
         <security:logout logout-url="/app/logout"/>
       </security:http>
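
Post #2 asks what the request looks like before and after Apache. One way to answer that from the Apache access log, as an added example that is not part of the thread: flag a login POST that was answered with a redirect and then re-requested as a GET by the same client, which is one way a form POST can reach UsernamePasswordAuthenticationFilter as a GET. It assumes the Spring Security 3.0 default login URL `j_spring_security_check` and common log format; the log lines are constructed.

```python
import re

# Assumption: the default Spring Security 3.0 login-processing URL is in use.
LOGIN_SUFFIX = "/j_spring_security_check"

# Apache common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: the first client's POST is redirected and replayed as GET;
# the second client's POST is a normal login followed by the post-login page.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2011:10:15:01 +0100] "GET /spring_security_login HTTP/1.1" 200 1024
192.0.2.10 - - [12/Oct/2011:10:15:09 +0100] "POST /j_spring_security_check HTTP/1.1" 302 -
192.0.2.10 - - [12/Oct/2011:10:15:09 +0100] "GET /myapp/j_spring_security_check HTTP/1.1" 200 512
192.0.2.22 - - [12/Oct/2011:10:16:30 +0100] "POST /myapp/j_spring_security_check HTTP/1.1" 302 -
192.0.2.22 - - [12/Oct/2011:10:16:30 +0100] "GET /myapp/ HTTP/1.1" 200 2048
"""


def find_downgraded_logins(log_text):
    """Return login POSTs that were redirected and then re-sent as GET."""
    pending = {}   # client -> (timestamp, path) of a redirected login POST
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, status = m["client"], m["method"], int(m["status"])
        # Ignore the query string and any ;jsessionid=... path parameter.
        path = m["path"].split("?", 1)[0].split(";", 1)[0]
        is_login = path.endswith(LOGIN_SUFFIX)
        if method == "POST" and is_login and 300 <= status < 400:
            pending[client] = (m["ts"], path)
        elif client in pending:
            # Only the client's very next request is treated as the follow-up.
            post_ts, post_path = pending.pop(client)
            if method == "GET" and is_login:
                findings.append({"client": client, "post_time": post_ts,
                                 "post_path": post_path, "get_path": path})
    return findings


if __name__ == "__main__":
    for hit in find_downgraded_logins(SAMPLE_LOG):
        print("login POST replayed as GET:", hit)
```
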
