Spring Security - Dispatch to /j_spring_security_check
Solution 1
/j_spring_security_check
URL is mapped to UsernamePasswordAuthenticationFilter
to serve the requests.
In UsernamePasswordAuthenticationFilter
, by default, the postOnly
is set to true
.
The following change in spring-security.xml
which sets postOnly
to false
worked.
<bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:postOnly="false" />
Also, in web.xml
, the following configuration is required:
<filter-mapping> <filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
Solution 2
You could bypass the check by using a request wrapper which returns "POST" instead of "GET" for getMethod
.
However, the check is there for a reason. It is generally considered bad practice to send credentials as URL parameters. Even if you are using an encrypted parameter, it is still technically equivalent to sending unencrypted authentication credentials since anyone who steals it can use it to authenticate.
Ayaz Pasha
Updated on September 11, 2020Comments
-
Ayaz Pasha over 3 years
I have spring security in place and login via login.jsp works perfectly fine.
Now, I have to automatically get the user logged in based on the URL (similar to Single Sign On). I basically have a path parameter in the URL which is basically an encrypted code, I process this code to do an auto login.
I am modifying my LoginController to check if I have a valid path param using which I get my username & password, using this username & password I am doing
"forward:/j_spring_security_check?j_username="+username+"&j_password="+password
This directs me to login.jsp with following error
Your login attempt was not successful, try again. Caused : Authentication method not supported: GET
I have also tried with
"redirect:/j_spring_security_check?j_username="+username+"&j_password="+password
but with no help.Call to
/j_spring_security_check
is aPOST
butforward:
&redirect:
is doing aGET
, so how can I dispatch to/j_spring_security_check
asPOST
from my LoginController?Thanks
-
Ayaz Pasha about 11 yearsThanks for your valuable comments. Right now I can think of no other alternative apart from directly invoking
/j_spring_security_check
with URL params, if you have one please do share. -
Shaun the Sheep about 11 yearsThe /j_spring_security_check isn't where the security problem lies. You could just as easily invoke the
AuthenticationManager
directly yourself rather than trying create a request to the form login filter (which is a bad idea, especially a redirect). However, sending the path parameter in the URL is probably not a good idea in the first place.