405: Method Not Allowed after update to Spring Boot 1.3.0

I have setup an Authorization- and Resourceserver which both running within the same application. The setup is running fine with spring boot 1.2.6.RELEASE and spring security oauth2 2.0.7.RELEASE. After an update to spring boot 1.3.0.RELEASE (no matter if spring security oauth2 2.0.7.RELEASE or 2.0.8.RELEASE) the /login endpoint for POST requests is broken. I got the response 405 "Method Not Allowed".

I spent over a day without success. I also setup an additional, straightforward authorization- and resourceserver which both are running within the same application. However this lightweight setup have the same issue. As soon as I enable the resource server, the login endpoint no longer works.

Below the config snippets form my origin server.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // ... some code

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .csrf()
                .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
                .disable()
                .logout()
                .logoutUrl(logoutUrl)
                .logoutSuccessHandler(logoutSuccessHandler)
                .invalidateHttpSession(true)
                .and()
                .formLogin()
                .permitAll()
                .loginProcessingUrl(loginProcessingUrl)
                .failureUrl(loginAuthenticationFailureUrl)
                .loginPage(loginPage);
    }

}

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // ... some code

    private static final String RESOURCE_SERVER_MAPPING_REGEX = "^(?!(\\/?login|\\/?logout|\\/?oauth)).*$";

    // ...some code

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
            // Configure the endpoints wherefore the resource server is responsible or rather should bound to.
            .requestMatchers().regexMatchers(RESOURCE_SERVER_MAPPING_REGEX)
            .and()
            .authorizeRequests().anyRequest().permitAll()
            .and()
            .headers().frameOptions().disable();
    }
}

Answers


Solution

It looks like that I am faced with the issue mentioned in @EnableResourceServer creates a FilterChain that matches possible unwanted endpoints with Spring Security 4.0.3 Spring Security is a dependency of spring-boot-starter-security. Due to the update of the spring-boot-starter-parent I switched from Spring Security 3.2.8 to 4.0.3. A further interesting comment regarding this issue can be found here.

I changed the ResourceServer configuration like the code snippets below which solve the problem.

It would be great to replace the RegexRequestMatcher definition by using a negation of already existing code to match the login and logout form or Matchers like the spring NotOAuthRequestMatcher which is currently a private inner class of the ResourceServerConfiguration. Please do not hesitate to post suggestion. ;-)

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // ... some code

    private static final String RESOURCE_SERVER_MAPPING_REGEX = "^(?!(\\/?login|\\/?logout|\\/?oauth)).*$";

    // ...some code

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http.requestMatcher(
                new AndRequestMatcher(
                        new RegexRequestMatcher(RESOURCE_SERVER_MAPPING_REGEX, null)
                )
        ).authorizeRequests().anyRequest().permitAll()
        // ...some code
    }

}

This should pretty straightforward.

POSTs and PUT requests would not be allowed if CSRF is enabled,and spring boot enables those by default.

Just add this to your ResourceServerConfig configuration code :

.csrf().disable()

This is also covered as an example problem here


Need Your Help

.getAbsoultePath prints the ProjectPath instead of SystemPath?

java file path

There is a little Problem with the file.getAbsolutePath() method and I tried also the f.getcanonicalPath(); method.

Select Rows in a Table in SSRS

reporting-services ssrs-2008-r2 ssrs-2012 ssrs-tablix

Is there a way to select rows in table in SSRS? What I mean is, when a table is populated with rows of data, I would like to select the rows of a table and perform some action on them. Like in a grid