Spring Security - Dispatch to /j_spring_security_check

java spring servlets post spring-security
36,129

Solution 1

/j_spring_security_check URL is mapped to UsernamePasswordAuthenticationFilter to serve the requests.

In UsernamePasswordAuthenticationFilter, by default, the postOnly is set to true.

The following change in spring-security.xml which sets postOnly to false worked. 

<bean id="authenticationFilter" 
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
      p:postOnly="false" />

Also, in web.xml, the following configuration is required:

<filter-mapping> <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

Solution 2

You could bypass the check by using a request wrapper which returns "POST" instead of "GET" for getMethod.

However, the check is there for a reason. It is generally considered bad practice to send credentials as URL parameters. Even if you are using an encrypted parameter, it is still technically equivalent to sending unencrypted authentication credentials since anyone who steals it can use it to authenticate.

Share:
36,129
Ayaz Pasha
Author by

Ayaz Pasha

Updated on September 11, 2020

Comments

  • Ayaz Pasha
    Ayaz Pasha over 3 years

    I have spring security in place and login via login.jsp works perfectly fine.

    Now, I have to automatically get the user logged in based on the URL (similar to Single Sign On). I basically have a path parameter in the URL which is basically an encrypted code, I process this code to do an auto login.

    I am modifying my LoginController to check if I have a valid path param using which I get my username & password, using this username & password I am doing "forward:/j_spring_security_check?j_username="+username+"&j_password="+password

    This directs me to login.jsp with following error Your login attempt was not successful, try again. Caused : Authentication method not supported: GET

    I have also tried with "redirect:/j_spring_security_check?j_username="+username+"&j_password="+password but with no help.

    Call to /j_spring_security_check is a POST but forward: & redirect: is doing a GET, so how can I dispatch to /j_spring_security_check as POST from my LoginController?

    Thanks

  • Ayaz Pasha
    Ayaz Pasha about 11 years
    Thanks for your valuable comments. Right now I can think of no other alternative apart from directly invoking /j_spring_security_check with URL params, if you have one please do share.
  • Shaun the Sheep
    Shaun the Sheep about 11 years
    The /j_spring_security_check isn't where the security problem lies. You could just as easily invoke the AuthenticationManager directly yourself rather than trying create a request to the form login filter (which is a bad idea, especially a redirect). However, sending the path parameter in the URL is probably not a good idea in the first place.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Detect session timeout in Spring 3/Spring Security 2.0.5
Spring Security get user info in rest service, for authenticated and not authenticated users
Spring security authrorize based on input parameter criteria
How to enable CORS at Spring Security level in Spring boot
Could not autowire. No beans 'here name' type found
Integrating Spring Security with SiteMinder
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
spring security get user id from DB
Spring Security Oauth2: Flow to Handling Expired AccessToken
Create a worker thread and run from a servlet or Spring controller