表单身份验证使用错误的凭据会导致HTTP 405(不允许使用方法) [英] Form Authentication with wrong credentials leads to HTTP 405 (Method Not Allowed)
问题描述
我有一个应由表单身份验证保护的Spring Web应用程序(出于某些原因,我不能使用Spring Security ).
I have a Spring web application which should be protected by Form Authentication (I cannot use Spring Security for some reasons).
如果我请求受保护的资源,我将被重定向到登录表单并可以输入凭据.当凭据正确时,我将被重定向到请求者资源.一切都应该如此.
If I request a protected resource I will be redirected to the login form and can enter the credentials. When the credentials are correct, I will be redirected to the requestet resource. Everything like it should be.
但是,当我输入错误的凭据时,会收到一条HTTP 405
消息,而不是错误页面. 为什么?
But when I enter wrong credentials I get a HTTP 405
message, not the error page. Why?
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<url-pattern>/test/auth/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginerror.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
login.html
<!DOCTYPE html>
<html>
<body>
<form method="post" action="j_security_check">
<table>
<tr>
<td colspan="2">Please type in your user name and password</td>
</tr>
<tr>
<td>Name:</td>
<td><input type="text" name="j_username" width="40"/></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login" /></td>
</tr>
</table>
</form>
</body>
</html>
loginerror.html
<!DOCTYPE html>
<html>
<body>
error!
</body>
</html>
登录
WARN [http-nio-8080-exec-79] o.s.web.servlet.PageNotFound: Request method 'POST' not supported
控制器
@RestController
@RequestMapping("/test")
public class TestController {
private final static Logger LOG = LoggerFactory.getLogger(TestController.class);
@Autowired
private HttpServletRequest request;
@RequestMapping(value = "/test", method = RequestMethod.GET)
public String test() {
printAuth();
return "test";
}
@RequestMapping(value = "/auth/test", method = RequestMethod.GET)
public String testAuth() {
printAuth();
return "testAuth";
}
@RequestMapping(value = "/auth/test2", method = RequestMethod.GET)
public String testAuth2() {
printAuth();
return "testAuth2";
}
private void printAuth() {
Principal principal = request.getUserPrincipal();
LOG.debug("Request: " + request);
LOG.debug("Principal: " + principal);
LOG.debug("Principal name :" + principal.getName());
LOG.debug("User in Role 'users': " + request.isUserInRole("users"));
}
}
更新:
我用一个简单的"non Spring"应用程序尝试了相同的身份验证,并且工作正常.因此,我假设Spring servlet以某种方式捕获"了请求.有可能避免这种情况吗?
I tried the same authentication with a spimple "non Spring" application and it works fine. So I assume that the Spring servlet "catches" the request somehow. Is it possible to avoid that?
推荐答案
就像我在更新中假设的那样,Spring servlet负责了此问题.因此,我必须确保另一个servlet代替Spring servlet服务于登录页面.
Like I assumed in my update the Spring servlet is responsible for this problem. Therefore I had to make shure that an another servlet serves the login pages instead of the Spring servlet.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/WEB-INF/classes/static/login/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication</web-resource-name>
<url-pattern>/test/auth/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/WEB-INF/classes/static/login/login.html</form-login-page>
<form-error-page>/WEB-INF/classes/static/login/loginerror.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>users</role-name>
</security-role>
</web-app>
这篇关于表单身份验证使用错误的凭据会导致HTTP 405(不允许使用方法)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!