表单身份验证使用错误的凭据会导致HTTP 405(不允许使用方法) [英] Form Authentication with wrong credentials leads to HTTP 405 (Method Not Allowed)

问题描述

我有一个应由表单身份验证保护的Spring Web应用程序(出于某些原因，我不能使用Spring Security ).

I have a Spring web application which should be protected by Form Authentication (I cannot use Spring Security for some reasons).

如果我请求受保护的资源，我将被重定向到登录表单并可以输入凭据.当凭据正确时，我将被重定向到请求者资源.一切都应该如此.

If I request a protected resource I will be redirected to the login form and can enter the credentials. When the credentials are correct, I will be redirected to the requestet resource. Everything like it should be.

但是，当我输入错误的凭据时，会收到一条HTTP 405消息，而不是错误页面. 为什么?

But when I enter wrong credentials I get a HTTP 405 message, not the error page. Why?

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authentication</web-resource-name>
            <url-pattern>/test/auth/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginerror.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>users</role-name>
    </security-role>

</web-app>

login.html

<!DOCTYPE html>
<html>
<body>

<form method="post" action="j_security_check">
    <table>
        <tr>
            <td colspan="2">Please type in your user name and password</td>
        </tr>
        <tr>
            <td>Name:</td>
            <td><input type="text" name="j_username" width="40"/></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="j_password" /></td>
        </tr>
        <tr>
            <td colspan="2"><input type="submit" value="Login" /></td>
        </tr>
    </table>
</form>

</body>
</html>

loginerror.html

<!DOCTYPE html>
<html>
<body>

error!

</body>
</html>

登录

WARN [http-nio-8080-exec-79] o.s.web.servlet.PageNotFound: Request method 'POST' not supported

控制器

@RestController
@RequestMapping("/test")
public class TestController {

    private final static Logger LOG = LoggerFactory.getLogger(TestController.class);

    @Autowired
    private HttpServletRequest request;

    @RequestMapping(value = "/test", method = RequestMethod.GET)
    public String test() {
        printAuth();
        return "test";
    }

    @RequestMapping(value = "/auth/test", method = RequestMethod.GET)
    public String testAuth() {
        printAuth();
        return "testAuth";
    }

    @RequestMapping(value = "/auth/test2", method = RequestMethod.GET)
    public String testAuth2() {
        printAuth();
        return "testAuth2";
    }

    private void printAuth() {
        Principal principal = request.getUserPrincipal();
        LOG.debug("Request: " + request);
        LOG.debug("Principal: " + principal);
        LOG.debug("Principal name :" + principal.getName());
        LOG.debug("User in Role 'users': " + request.isUserInRole("users"));
    }

}

更新:

我用一个简单的"non Spring"应用程序尝试了相同的身份验证，并且工作正常.因此，我假设Spring servlet以某种方式捕获"了请求.有可能避免这种情况吗?

I tried the same authentication with a spimple "non Spring" application and it works fine. So I assume that the Spring servlet "catches" the request somehow. Is it possible to avoid that?

推荐答案

就像我在更新中假设的那样，Spring servlet负责了此问题.因此，我必须确保另一个servlet代替Spring servlet服务于登录页面.

Like I assumed in my update the Spring servlet is responsible for this problem. Therefore I had to make shure that an another servlet serves the login pages instead of the Spring servlet.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/WEB-INF/classes/static/login/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authentication</web-resource-name>
            <url-pattern>/test/auth/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/WEB-INF/classes/static/login/login.html</form-login-page>
            <form-error-page>/WEB-INF/classes/static/login/loginerror.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>users</role-name>
    </security-role>

</web-app>

这篇关于表单身份验证使用错误的凭据会导致HTTP 405(不允许使用方法)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！