I have a Spring web application which should be protected by Form Authentication (I cannot use Spring Security for some reasons).
If I request a protected resource I will be redirected to the login form and can enter the credentials. When the credentials are correct, I will be redirected to the requestet resource. Everything like it should be.
But when I enter wrong credentials I get a HTTP 405 message, not the error page. Why?
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<url-pattern>/test/auth/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginerror.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
login.html
<!DOCTYPE html>
<html>
<body>
<form method="post" action="j_security_check">
<table>
<tr>
<td colspan="2">Please type in your user name and password</td>
</tr>
<tr>
<td>Name:</td>
<td><input type="text" name="j_username" width="40"/></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login" /></td>
</tr>
</table>
</form>
</body>
</html>
loginerror.html
<!DOCTYPE html>
<html>
<body>
error!
</body>
</html>
Log
WARN [http-nio-8080-exec-79] o.s.web.servlet.PageNotFound: Request method 'POST' not supported
Controller
@RestController
@RequestMapping("/test")
public class TestController {
private final static Logger LOG = LoggerFactory.getLogger(TestController.class);
@Autowired
private HttpServletRequest request;
@RequestMapping(value = "/test", method = RequestMethod.GET)
public String test() {
printAuth();
return "test";
}
@RequestMapping(value = "/auth/test", method = RequestMethod.GET)
public String testAuth() {
printAuth();
return "testAuth";
}
@RequestMapping(value = "/auth/test2", method = RequestMethod.GET)
public String testAuth2() {
printAuth();
return "testAuth2";
}
private void printAuth() {
Principal principal = request.getUserPrincipal();
LOG.debug("Request: " + request);
LOG.debug("Principal: " + principal);
LOG.debug("Principal name :" + principal.getName());
LOG.debug("User in Role 'users': " + request.isUserInRole("users"));
}
}
Update:
I tried the same authentication with a spimple "non Spring" application and it works fine. So I assume that the Spring servlet "catches" the request somehow. Is it possible to avoid that?
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://i.stack.imgur.com/69C8M.png', '推荐 疯言疯语 的文章《Form Authentication with wrong credentials leads t》','https://www.manongdao.com/article-1521980.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}