Spring Security 405

Question

I have the following configuration for my spring app:

@Configuration
@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public PlaintextPasswordEncoder passwordEncoder() {
        return new PlaintextPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

    @Bean
    public AuthenticationTrustResolver getAuthenticationTrustResolver() {
        return new AuthenticationTrustResolverImpl();
    }

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        private static String REALM="MY_REALM";

        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/api/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
            .and().httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint())
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        @Bean
        public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint(){
            return new CustomBasicAuthenticationEntryPoint();
        }
    }

    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        PersistentTokenRepository tokenRepository;

        @Autowired
        @Qualifier("customUserDetailsService")
        UserDetailsService userDetailsService;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**");
        }

        @Bean
        public PersistentTokenBasedRememberMeServices getPersistentTokenBasedRememberMeServices() {
            PersistentTokenBasedRememberMeServices tokenBasedservice = new PersistentTokenBasedRememberMeServices(
                    "remember-me", userDetailsService, tokenRepository);
            return tokenBasedservice;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/", "/index").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
                    .antMatchers("/categories", "/category/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
                    .antMatchers("/companies", "/company/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
                    .antMatchers("/locations", "/location/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')").and()
                    .formLogin().loginPage("/login").loginProcessingUrl("/login").usernameParameter("username")
                    .passwordParameter("password").and().rememberMe().rememberMeParameter("remember-me")
                    .tokenRepository(tokenRepository).tokenValiditySeconds(86400).and().csrf().and().exceptionHandling()
                    .accessDeniedPage("/Access_Denied");
        }
    }

}

At the api url's, I get the desire result. But at the Web Login I am getting the HTTP Status 405 - Request method 'POST' not supported. Any ideas?

Spring Framework is:4.3.7.RELEASE Spring Security: 4.2.2.RELEASE The degub is:

   2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/login'; against '/resources/**'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-04-11 19:30:12 DEBUG HstsHeaderWriter:130 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatch
er@9f37d03
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:137 - Request 'POST /login' doesn't match 'GET /logout
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/login'; against '/logout'
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:137 - Request 'POST /login' doesn't match 'PUT /logout
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:137 - Request 'POST /login' doesn't match 'DELETE /logout
2017-04-11 19:30:12 DEBUG OrRequestMatcher:72 - No matches found
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-04-11 19:30:12 DEBUG AnonymousAuthenticationFilter:100 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa90ed4:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; Session
Id: B6EBB4A5A07FDC44D8E19748CE6D5E5E; Granted Authorities: ROLE_ANONYMOUS'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/login'; against '/api/**'
2017-04-11 19:30:12 DEBUG FilterSecurityInterceptor:210 - Public object - authentication not attempted
2017-04-11 19:30:12 DEBUG FilterChainProxy:310 - /login reached end of additional filter chain; proceeding with original chain
2017-04-11 19:30:12 DEBUG DispatcherServlet:865 - DispatcherServlet with name 'dispatcher' processing POST request for [/HeliosCMS/login]
2017-04-11 19:30:12 DEBUG RequestMappingHandlerMapping:310 - Looking up handler method for path /login
2017-04-11 19:30:12 DEBUG ExceptionHandlerExceptionResolver:133 - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not sup
ported
2017-04-11 19:30:12 DEBUG ResponseStatusExceptionResolver:133 - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not suppo
rted
2017-04-11 19:30:12 DEBUG DefaultHandlerExceptionResolver:133 - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not suppo
rted
2017-04-11 19:30:12 WARN  PageNotFound:215 - Request method 'POST' not supported
2017-04-11 19:30:12 DEBUG DispatcherServlet:1044 - Null ModelAndView returned to DispatcherServlet with name 'dispatcher': assuming HandlerAdapter completed request handling
2017-04-11 19:30:12 DEBUG DispatcherServlet:1000 - Successfully completed request
2017-04-11 19:30:12 DEBUG ExceptionTranslationFilter:116 - Chain processed normally
2017-04-11 19:30:12 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed

I think you need to exclude '/login' url from filtering in the ApiWebSecurityConfigurationAdapter class — Jovin Thariyath, Apr 12 '17 at 06:55

score 1 · Accepted Answer · answered Apr 19 '17 at 18:14

1

Maybe this is a problem of mappings in the sense that the /login page is handled by the API handlers, so the POST never reaches the login controller.

Which is the mapping for the api handlers ? It should be /api/* and not / or /*.

If you subclass AbstractDispatcherServletInitializer for configuring the API module there should be something like:

       @Override
       protected String[] getServletMappings() {
        return new String[] { "/api/*" };
       }

If this is not the issue I anyway think, reading logs, that an handler is not found for /login, so you should investigate mappings. Maybe API mapping is strict enough but web mapping is not /. Hard to say without seeing the configuration.

Do you see the /login in GET ?

answered Apr 19 '17 at 18:14

Testo Testini

2,200
18
29

Yes, I can see the /login in GET. – KostasC Apr 20 '17 at 06:03
which configuration you need? – KostasC Apr 20 '17 at 16:12
The AbstractDispatcherServletInitializer subclass you use ? I thought the situation was similar to http://stackoverflow.com/a/42881032/1536382 because of two mappers api/web but you see the get... Like the other answer to this question I dont' see an handler called – Testo Testini Apr 20 '17 at 17:30
I will take a look and I will provide a feedback. – KostasC Apr 20 '17 at 17:55

score 0 · Answer 2 · answered Apr 19 '17 at 18:32

The ant matcher /login does not match any of the patterns in your configuration.

I would guess in with this config that a request to "/" directly might result in your login page.

Are you sure the /HeliosCMS/login URL you are trying to POST to is correct? Nothing else in your configuration mentions this application root, so based on your config I would expect the dispatcher to be trying to match the /login pattern, not /HeliosCMS/login.

2017-04-11 19:30:12 DEBUG DispatcherServlet:865 - DispatcherServlet with name 'dispatcher' processing POST request for [/HeliosCMS/login]

Spring Security 405

2 Answers2