I don't know where I am missing something, would really appreciate your help on that one! I get the "Authentication method not supported: GET" message after my login try.

Here is my security-Context.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
        <security:logout logout-success-url="/login/login.do" invalidate-session="true" />
        <security:remember-me key="rememberMe"/>
    </security:http>


    <security:authentication-manager>
        <security:authentication-provider>
            <!-- JdbcDaoImpl reads the users query positionally as (username, password, enabled),
                 so it must return three columns; the stray comma before FROM was a SQL syntax error -->
            <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select EMAIL as email, PASSWORD as password, 1 as enabled from ams.user where EMAIL=?"
            authorities-by-username-query="
                select distinct user.EMAIL as email, permission.NAME as authority
                from ams.user, ams.user_role, ams.role, ams.role_permission, ams.permission
                where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.EMAIL=?"/>
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256" />
    </bean>
</beans>

And my LoginController:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class LoginController {

    // Serves the login page referenced by login-page="/login/login.do" in the security config
    @RequestMapping(value = "/login/login.do", method = RequestMethod.GET)
    public ModelAndView showLogin() {
        ModelAndView mav = new ModelAndView("login/login");

        return mav;
    }

    // Receives the POST from the login page (the /login/doLogin.do entry in the security config)
    @RequestMapping(value = "/login/doLogin.do", method = RequestMethod.POST)
    public ModelAndView doLogin(@RequestParam("email") String email,
            @RequestParam("password") String password,
            // an unchecked checkbox is not submitted at all, so the parameter must be optional
            @RequestParam(value = "remember_me", required = false, defaultValue = "false") boolean rememberMe,
            HttpServletRequest request, HttpServletResponse response) {

        ModelAndView mav = new ModelAndView();

        // The redirect makes the browser issue a GET to the Spring Security login filter
        // with the credentials in the query string
        mav.setViewName("redirect:/j_spring_security_check?j_email=" + email + "&j_password=" + password + "&_spring_security_remember_me=" + rememberMe);

        return mav;
    }
}

If you need anything more, please tell me.

James Carter

1 Answer

I guess you try to send a HTTP GET request to the login URL with the user name and password as query parameters. As this is inherently insecure (could be bookmarked for example), it's not allowed. You should send a HTTP POST instead.

zagyi
  • Oh, you are mixing up things here a little bit. Your `doLogin()` method is **handling** a POST request and sends a redirect as response. Then the client (browser) sends a GET request to the URL specified in the redirect message (which is a hand crafted login url). – zagyi Feb 19 '13 at 20:11
  • Hmm okay then, how or rather where do I have to tell the security-Context that it should be a post instead – James Carter Feb 19 '13 at 20:14
  • 1
    Don't write a controller method for the login. Create a jsp or a simple html that will be your login page which contains a `form` with the required fields (email/pwd) and posts it to the login URL. Smth like: `
    `
    – zagyi Feb 19 '13 at 20:19
  • Here you see a random tutorial: http://krams915.blogspot.de/2011/01/spring-security-mvc-using-embedded-ldap.html Don't care about the LDAP related stuff, just download the code (links at the end of the article). It should help you get started. – zagyi Feb 19 '13 at 20:26
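A login page of the kind zagyi describes, added here as an example (it is not code from the question, the answer, or the linked tutorial): a JSP form that POSTs the credentials straight to Spring Security's login-processing URL, so the browser never issues a GET carrying the password the way the redirect in `doLogin()` does (a GET puts the password into browser history, the Referer header of the next request, and proxy and server access logs). The parameter names `j_username`, `j_password` and `_spring_security_remember_me` and the URL `/j_spring_security_check` are the Spring Security 3.1 defaults; the view name `login/login` and the `login_error` flag come from the question's config. It assumes the JSTL core taglib is available to the web application.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <%-- authentication-failure-url in the security config redirects back here
       with ?login_error=true, so show a generic message in that case --%>
  <c:if test="${param.login_error == 'true'}">
    <p>Login failed. Check your e-mail address and password.</p>
  </c:if>

  <%-- POST to the filter URL; UsernamePasswordAuthenticationFilter rejects
       anything but POST with "Authentication method not supported: GET" --%>
  <form action="<c:url value='/j_spring_security_check'/>" method="post">
    <label>E-mail
      <%-- j_username is the default username parameter; the users-by-username-query
           in the config looks the value up in the EMAIL column --%>
      <input type="text" name="j_username" autocomplete="username"/>
    </label>
    <label>Password
      <input type="password" name="j_password" autocomplete="current-password"/>
    </label>
    <label>
      <%-- the remember-me filter treats "true", "on", "yes" or "1" as checked;
           a browser submits "on" for a checked box and nothing when unchecked --%>
      <input type="checkbox" name="_spring_security_remember_me"/> Remember me
    </label>
    <input type="submit" value="Log in"/>
  </form>
</body>
</html>
```

With this page served by `showLogin()`, the `doLogin()` method and the `/login/doLogin.do` intercept-url entry are no longer needed; the filter authenticates the POST and applies `default-target-url` itself. If the request parameters must keep the names `email` and `password`, Spring Security 3.1's `<security:form-login>` accepts `username-parameter="email"` and `password-parameter="password"`, which renames them on the filter side rather than in the form.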