Method not allowed HTTPS spring
How's it going?
I have a REST API built in Spring. There are some functional endpoints using GET and POST methods. I tried to add an HTTPS configuration as below:
```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ServerConfig {

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // CONFIDENTIAL: Tomcat redirects any non-TLS request matching /* to the connector's redirect port
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(getHttpConnector());
        return tomcat;
    }

    // Additional plain-HTTP connector on 8080; TLS is served on 8081, which is also the redirect port
    private Connector getHttpConnector() {
        Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
        connector.setScheme("http");
        connector.setPort(8080);
        connector.setSecure(false);
        connector.setRedirectPort(8081);
        return connector;
    }
}
```
Before, I had something like http://localhost:8080/api/candidates [GET], and after adding this class the URL was redirected to HTTPS, which is normal, so now I am redirected to https://localhost:8081/api/candidates.
After I had done this, when I try to access the endpoint without HTTPS (http://localhost:8080/api/candidates) using GET, I can retrieve all the information, but when I try using POST to send some data I receive "Method not allowed", while GET still works. Does anyone know why?
I found this post, and it was exactly what I was looking for. If you want to see it, please check: Spring Boot: redirect from HTTP to HTTPS results in 405 error for PUT method
A redirect is specifically to inform the client (e.g. web browser) to do a GET request using a given URL, so the result of a redirect cannot be a PUT, POST, DELETE, or any other HTTP method.
In this context, the main purpose of redirecting to HTTPS is to secure the connection from snooping, i.e. ensure that no one can see confidential information. This works well for a GET, since you haven't sent confidential information yet, assuming it is the response that contains confidential information.
Redirecting a PUT or a POST to HTTPS is meaningless, since you already sent the payload (the confidential data) over an insecure connection.
Your client needs to be told to use HTTPS before it sends the data, i.e. when it builds the PUT / POST request, it needs to be given an HTTPS URL.
Fix the client code, e.g. the JavaScript code that generates the HTTP PUT, so it uses HTTPS. Redirecting is too late, and entirely wrong.
It is actually a good thing that the redirect of the PUT failed, because it forces you to correctly secure your web application. If it hadn't failed, you'd mistakenly have thought that your web application was secured by the redirect, when in fact it wasn't.
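As an added illustration (not part of the question or of either answer), the following Python model walks through the exchange the answer describes: a server applying a CONFIDENTIAL-style constraint that answers any plain-HTTP request with a 302 to the HTTPS port, and a client that follows 301/302 by re-issuing a GET with no body. The route table, the /api/candidates/42 path and the request bodies are constructed for the example; only /api/candidates and the ports 8080/8081 come from the question. It shows that the body of a POST or PUT sent to the HTTP port has already crossed the wire in cleartext before the redirect arrives, that the redirected request loses that body, and that it ends in 405 when the resource has no GET handler, while the same request sent to HTTPS from the start succeeds and leaks nothing.

```python
from dataclasses import dataclass, field
from typing import Optional

HTTP_PORT, HTTPS_PORT = 8080, 8081  # ports from the question's ServerConfig

# Constructed route table (hypothetical): which methods each resource accepts.
ROUTES = {
    "/api/candidates": {"GET", "POST"},
    "/api/candidates/42": {"PUT", "DELETE"},  # no GET handler on this resource
}


@dataclass
class Request:
    method: str
    scheme: str            # "http" or "https"
    path: str
    body: Optional[str] = None


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def server(req: Request, wire: list) -> Response:
    """Server side, modelling Tomcat's CONFIDENTIAL constraint on /*:
    a plain-HTTP request is answered with 302 to the HTTPS port, but by
    then its method, path and body have already crossed the wire in clear."""
    if req.scheme == "http":
        wire.append(("cleartext", req.method, req.path, req.body))
        return Response(302, {"Location": f"https://localhost:{HTTPS_PORT}{req.path}"})
    wire.append(("tls", req.method, req.path, req.body))
    allowed = ROUTES.get(req.path)
    if allowed is None:
        return Response(404)
    if req.method not in allowed:
        return Response(405, {"Allow": ", ".join(sorted(allowed))})
    return Response(200)


def client(req: Request, wire: list, max_hops: int = 3) -> Response:
    """Client side. On 301/302 it re-issues the request as a GET with no
    body, which is what browsers and most HTTP libraries do for those codes."""
    resp = server(req, wire)
    for _ in range(max_hops):
        if resp.status not in (301, 302):
            return resp
        location = resp.headers["Location"]
        scheme, rest = location.split("://", 1)
        path = "/" + rest.split("/", 1)[1]
        req = Request("GET", scheme, path, body=None)   # method and body are lost here
        resp = server(req, wire)
    return resp


def exchange(method: str, scheme: str, path: str, body: Optional[str] = None):
    """Run one request through client and server; return (final status, wire log)."""
    wire: list = []
    resp = client(Request(method, scheme, path, body), wire)
    return resp.status, wire


def leaked_bodies(wire: list) -> list:
    """Request bodies that were transmitted without TLS."""
    return [body for kind, _, _, body in wire if kind == "cleartext" and body]


if __name__ == "__main__":
    cases = [
        ("GET", "http", "/api/candidates"),
        ("POST", "http", "/api/candidates", '{"name":"alice"}'),
        ("PUT", "http", "/api/candidates/42", '{"name":"alice"}'),
        ("PUT", "https", "/api/candidates/42", '{"name":"alice"}'),
    ]
    for case in cases:
        status, wire = exchange(*case)
        print(f"{case[0]} {case[1]}://localhost{case[2]} -> {status}, "
              f"final request: {wire[-1][1:]}, leaked in clear: {leaked_bodies(wire)}")
```

The redirected GET succeeds for /api/candidates, which can hide the problem: the POST data was silently dropped and had already been sent in clear. The PUT surfaces it as a 405 only because that resource has no GET handler. A 307 or 308 would make the client preserve the method and body, but it would not change the security outcome, since the cleartext transmission happens before any redirect is seen; the client has to be given the HTTPS URL up front.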
Redirecting GET requests is not the same as redirecting POST requests. Please read this. They state the following:
Redirecting GET requests, which contain no data other than a query string, is a simple process. However, POST requests are more difficult to redirect because a browser responding to a 302 or 301 redirection converts an initial POST request to a GET request, a process that loses the original POST request data.