
Spring Security: Authentication method not supported: GET


I don't know what I'm missing; I'd really appreciate your help with this one! I get the "Authentication method not supported: GET" message after my login attempt.

Here is my security-Context.xml:

 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security 
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
        <security:logout logout-success-url="/login/login.do" invalidate-session="true" />
        <security:remember-me key="rememberMe"/>
    </security:http>    


    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" 
            users-by-username-query="select EMAIL as email, PASSWORD as password, from ams.user where EMAIL=?"
            authorities-by-username-query="
                select distinct user.EMAIL as email, permission.NAME as authority 
                from ams.user, ams.user_role, ams.role, ams.role_permission, ams.permission
                where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.EMAIL=?"/>
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256" />
    </bean>
</beans>

And my LoginController:

/**
 * Serves the login page and relays the submitted credentials to Spring
 * Security.
 *
 * Both handlers are mapped on HTTP method only; the request paths come from
 * a class-level or servlet mapping that is not shown here.
 */
@Controller
public class LoginController {

    /**
     * GET: renders the login form.
     *
     * @return the "login/login" view with an empty model
     */
    @RequestMapping(method = RequestMethod.GET)
    public ModelAndView showLogin() {
        ModelAndView mav = new ModelAndView("login/login");

        return mav;
    }

    /**
     * POST: takes the form fields and redirects the browser to the Spring
     * Security processing URL.
     *
     * This is the source of "Authentication method not supported: GET". A
     * "redirect:" view answers with a 302, which the browser follows with a
     * GET; UsernamePasswordAuthenticationFilter accepts POST only by default
     * and rejects that GET with exactly this message. The redirect also
     * places the plaintext password in the URL, where it is kept in browser
     * history, proxy and server access logs and the Referer header of the
     * next request. The parameter names do not match either: the filter
     * reads j_username and j_password unless username-parameter /
     * password-parameter are set on {@code form-login}, so "j_email" is
     * ignored. None of the values is URL-encoded.
     *
     * Fix: remove this handler and let the login form POST straight to
     * /j_spring_security_check, either with fields named j_username,
     * j_password and _spring_security_remember_me, or with the form's own
     * field names mapped through username-parameter / password-parameter in
     * the security XML. The filter runs before any controller, so no
     * controller-side relay is needed.
     *
     * @param email      login name from the form
     * @param password   plaintext password from the form
     * @param rememberMe remember-me checkbox; an unchecked checkbox sends no
     *                   parameter, and a required primitive then fails binding
     *                   instead of defaulting to false
     * @param request    unused
     * @param response   unused
     * @return a redirect view whose URL carries the credentials as query
     *         parameters
     */
    @RequestMapping(method = RequestMethod.POST)
    public ModelAndView doLogin(@RequestParam("email") String email, 
            @RequestParam("password") String password,
            @RequestParam("remember_me") boolean rememberMe,
            HttpServletRequest request, HttpServletResponse response) {

        ModelAndView mav = new ModelAndView();

        // Credentials are concatenated, unencoded, into a GET redirect URL.
        mav.setViewName("redirect:/j_spring_security_check?j_email=" + email + "&j_password=" + password + "&_spring_security_remember_me=" + rememberMe);

        return mav;
    }
}

If you need anything more, please tell me.


Solution

  • I guess you are trying to send an HTTP GET request to the login URL with the user name and password as query parameters (the `redirect:` view in `doLogin` does exactly that, because the browser follows a redirect with a GET). As this is inherently insecure (the URL could be bookmarked, for example), it is not allowed. You should send an HTTP POST instead.