CODEWITHSUNDEEP
javaspringrestspring-security
akafazov
akafazov

Reputation: 465

405 Method Not Allowed for HTTP POST in Spring 3.1

I have Spring application with REST API using Spring-Security. The issue is that some POST functions sometimes work fine by returning 200 OK and then start giving me "405 Method Not Allowed" responses. This is very weird since after I do the Digest authentication the first couple of calls go fine (200 OK) and then the rest return 405.

Here is my configuration:

The controller

@Controller
@RequestMapping("/restapi")
public class RestApiController {

    private final static Logger logger = LoggerFactory.getLogger(ProviderApiController.class);

    private Settings settings;

    @RequestMapping(value = "/postmethod", method = RequestMethod.POST, consumes = MediaType.ALL_VALUE)
    @ResponseBody
    public String postmethod() {
        return "OK";
    }
}

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/application-context.xml</param-value>
    </context-param>
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <servlet>
        <servlet-name>dispatcherServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/web-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>dispatcherServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <session-config>
        <session-timeout>10</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

    <error-page>
        <error-code>401</error-code>
        <location>/error/401</location>
    </error-page>

    <error-page>
        <error-code>404</error-code>
        <location>/error/404</location>
    </error-page>

    <error-page>
        <error-code>500</error-code>
        <location>/error/500</location>
    </error-page>
</web-app>

web-context.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/aop  http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

    <mvc:annotation-driven/>
    <context:annotation-config/>
    <context:component-scan base-package="com.rest.ws"/>

    <!-- Enabling @Secured annotation to control access to the endpoints -->
    <security:global-method-security secured-annotations="enabled"/>
    <bean id="logginAspect" class="com.rest.aspect.LoggingAspect"/>

    <aop:aspectj-autoproxy proxy-target-class="true">
        <aop:include name="logginAspect" />
    </aop:aspectj-autoproxy>

    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/error/" />
        <property name="suffix" value=".jsp" />
    </bean>

</beans>

application-context.xml

<context:component-scan base-package="com.rest">
    <context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
</context:component-scan>

<!-- Define entry point with no authentication -->
<security:http pattern="/restapi/secureFunc" security="none" />

<security:http entry-point-ref="digestEntryPoint">
    <security:custom-filter ref="digestFilter" before="BASIC_AUTH_FILTER"/>
    <security:http-basic />
    <!-- Restricts anonymous access to all the pages -->
    <security:intercept-url pattern="/restapi/**" access="ROLE_PROVIDER_TMPL" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>

The issue first appeared when I added the custom /error pages and changed url-pattern in the dispatcherServlet in web.xml from /* to /.

The controller for the error pages:

@Controller
@RequestMapping("/error")
public class CustomErrorMappingController {

    @RequestMapping(value = "/404", method = RequestMethod.GET)
    public String pageNotFound(HttpServletRequest request, HttpServletResponse response, Model model) {
        /*
         * you can use the model,request and response object to customize the response
         */
        return "pageNotFoundError";
    }

    @RequestMapping(value = "/500", method = RequestMethod.GET)
    public String internalServerError(HttpServletRequest request, HttpServletResponse response, Model model) {
        return "internalServerError";
    }

    @RequestMapping(value = "/401", method = RequestMethod.GET)
    public String unauthorized(HttpServletRequest request, HttpServletResponse response, Model model) {
        logger.debug("--- 401 Unauthorized");
        return "unauthorizedError";
    }

    @RequestMapping(value = "/unauthorizedError.jsp", method = RequestMethod.GET)
    public String unauthorizedError() {
        return "Unauthorized error custom.";
    }

}

The error pages are JSPs in directory /error named internalServerError.jsp and so on.

Any suggestions are very welcome.

Upvotes: 1

Views: 5357

Answers (1)

Pujan
Pujan

Reputation: 3254

I have encountered similar problem and solve by inserting following code before you submit form or send HTTP Post:

var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
  xhr.setRequestHeader(header, token);
});

Upvotes: 1

Related Questions