Spring Security - Dispatch to /j_spring_security_check


I have spring security in place and login via login.jsp works perfectly fine.

Now, I have to automatically get the user logged in based on the URL (similar to Single

2 Answers
  • 2021-01-06 00:02

    You could bypass the check by using a request wrapper which returns "POST" instead of "GET" for getMethod.

    However, the check is there for a reason. It is generally considered bad practice to send credentials as URL parameters. Even if you are using an encrypted parameter, it is still technically equivalent to sending unencrypted authentication credentials since anyone who steals it can use it to authenticate.

  • 2021-01-06 00:18

    /j_spring_security_check URL is mapped to UsernamePasswordAuthenticationFilter to serve the requests.

    In UsernamePasswordAuthenticationFilter, by default, the postOnly is set to true.

    The following change in spring-security.xml which sets postOnly to false worked.

    <bean id="authenticationFilter" 
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
          p:postOnly="false" />
    

    Also, in web.xml, the following configuration is required:

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    
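Added example (not from the thread and not Spring Security code): the first answer warns that credentials in URL parameters can be replayed by anyone who obtains the URL, and once `postOnly="false"` allows GET logins, query strings are typically written to access logs. The script below scans combined-format access log lines for requests to `/j_spring_security_check` that carry login parameters in the URL and redacts the values. The parameter names `j_username` and `j_password` are the Spring Security 3.x form-login defaults, `token` is a hypothetical name for the question's encrypted parameter, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

LOGIN_PATH = "/j_spring_security_check"
# Assumed names: Spring Security 3.x form-login defaults plus a hypothetical "token".
SENSITIVE = {"j_username", "j_password", "token"}

# Combined log format: host ident user [time] "METHOD target PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def redact(url):
    """Return (redacted_url, leaked_param_names) for a URL or request target."""
    parts = urlsplit(url)
    if not parts.path.endswith(LOGIN_PATH):
        return url, []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k in SENSITIVE]
    clean = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def scan(lines):
    """Yield one finding per log field that exposes login parameters in a URL."""
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):  # a credential-bearing URL can also appear as a Referer
            value = m.group(field)
            if not value or value == "-":
                continue
            clean, leaked = redact(value)
            if leaked:
                yield {"line": n, "field": field, "method": m.group("method"),
                       "params": leaked, "redacted": clean}

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [06/Jan/2021:00:02:11 +0000] "GET /app/j_spring_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 0 "-" "curl/7.68"',
    '203.0.113.7 - - [06/Jan/2021:00:02:12 +0000] "POST /app/j_spring_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Jan/2021:00:03:40 +0000] "GET /app/home HTTP/1.1" 200 512 "https://example.test/app/j_spring_security_check?token=abc123" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The POST login in the second sample line produces no finding because its credentials travel in the request body, which the access log does not record.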