Migration to Spring Boot 2 from 1.5.7 - Request method POST not supported - csrf already disabled

Question

We've migrated our software from spring boot 1.5.7 to spring boot 2. We're using JSF by including joinfaces-parent in our pom.xml.

At the startup, all works perfectly, but login call does not work:

Request method 'POST' not supported

It is probably a Spring Security issue? CSRF is already disabled.

Here's our SecurityConfig file:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) {
        try {

            http.csrf().disable().authorizeRequests()
                    .antMatchers("/javax.faces.resource/**", Page.LOGIN.getUrlForSecurityContext())
                    .permitAll()
                    .and()

                    ........

                    // *** login configuration
                    .formLogin()
                    .loginPage(Page.LOGIN.getUrlForSecurityContext()).permitAll()
                    .failureUrl(Page.LOGIN.getUrlForSecurityContext() + "?error=true")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .successHandler(authenticationSuccessHandler)
                    .and()

             ...........

            // @formatter:on
        } catch (Exception ex) {
            throw new RuntimeException(ex);
        }
    }

    .......

}

The login request does not arrives to our backend. I found out that this error is generated from the dispatcher.forward function, called from xhtml. Here the function:

public void login() throws ServletException, IOException {
    final ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();

    final RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/login");

    dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());

    FacesContext.getCurrentInstance().responseComplete();
}

Here more logs when the error message happens:

[io.undertow.servlet] (default task-3) Initializing Spring FrameworkServlet 'dispatcherServlet'
16:02:20,926 INFO  [org.springframework.web.servlet.DispatcherServlet] (default task-3) FrameworkServlet 'dispatcherServlet': initialization started
16:02:20,938 INFO  [org.springframework.web.servlet.DispatcherServlet] (default task-3) FrameworkServlet 'dispatcherServlet': initialization completed in 12 ms
16:02:20,949 WARN  [org.springframework.web.servlet.PageNotFound] (default task-3) Request method 'POST' not supported
16:02:20,973 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] (default task-3) Cannot forward to error page for request [/login] as the response has already been committed. As a result, the response may have the wrong status code. If your application is running on WebSphere Application Server you may be able to resolve this problem by setting com.ibm.ws.webcontainer.invokeFlushAfterService to false

Thanks in advice!

Answer 1

Spring Security configuration looks ok for me. There is something wrong with your login controller. I suppose your login method is called in response to POST request from the client. Then it tries to forward this POST to render login page and finally throws an exception. Obviously it should be GET request instead of POST.