HTTP 404 or 405 when accessing protected application root path context resource without a trailing slash

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.2.4 - 7.2.7
    • 7.3.0
  • Access a secured application root context path without a trailing slash (e.g. "https://localhost:8443/context")

Issue

  • Getting HTTP 404 Not Found error:
...
                "request": {
                    "method": "POST",
                    "url": "https://localhost:8443/j_security_check",
                    "httpVersion": "HTTP/1.1",
                    ...
                ...
                },
                "response": {
                    "status": 404,
                    "statusText": "",
                    "httpVersion": "HTTP/1.1",
                    ...
                    "headers": [
                        ...
                    ],
                    "content": {
                        "size": 74,
                        "compression": -84,
                        "mimeType": "text/html",
                        "text": "<html><head><title>Error</title></head><body>404 - Not Found</body></html>"
                    },
                    ...
...
  • We recently updated EAP 7 and now we see issues with FORM authentication. No redirect occurs to add a trailing slash. When the FORM login is then submitted, the j_security_check request is made without the application context and fails:
localhost.localdomain - - [25/Mar/2020:15:51:42 -0400] "POST /j_security_check;jsessionid=2rinyfprMaTeJG4yNWSNptFHZvr73Vd1paGSWcOt HTTP/1.1" 405 104 "http://localhost:8080/SimpleWar" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" -
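To confirm from the server side that an environment is hitting this problem, the access log is the quickest place to look. The following Python script is an added example, not part of the Red Hat solution: it scans access-log lines in the format quoted above and flags FORM logins that were posted to the server root (`/j_security_check` with no application context in front of it) and answered with 404 or 405. The sample log text is constructed for the example; the first line is the entry quoted above, the other two are invented healthy requests for contrast.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Access-log pattern matching the layout of the entry quoted in the article
# (host ident user [timestamp] "METHOD target HTTP/x.y" status size "referer" "user-agent").
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample input: line 1 is the failing request from the article,
# lines 2 and 3 are invented entries showing what a healthy login looks like.
SAMPLE_LOG = """\
localhost.localdomain - - [25/Mar/2020:15:51:42 -0400] "POST /j_security_check;jsessionid=2rinyfprMaTeJG4yNWSNptFHZvr73Vd1paGSWcOt HTTP/1.1" 405 104 "http://localhost:8080/SimpleWar" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" -
localhost.localdomain - - [25/Mar/2020:15:52:01 -0400] "POST /SimpleWar/j_security_check HTTP/1.1" 302 0 "http://localhost:8080/SimpleWar/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" -
localhost.localdomain - - [25/Mar/2020:15:52:10 -0400] "GET /SimpleWar/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" -
"""


def request_path(target: str) -> str:
    """Strip the ;jsessionid path parameter and any query string from the request target."""
    return target.split(";", 1)[0].split("?", 1)[0]


def expected_login_path(referer: str) -> str:
    """Derive where the POST should have gone from the Referer's context path.
    Returns an empty string when the Referer is absent ('-')."""
    if not referer.startswith("http"):
        return ""
    context = urlparse(referer).path.rstrip("/")
    return context + "/j_security_check"


def find_rootless_logins(log_text: str) -> List[Dict[str, str]]:
    """Return one record per FORM login POST that landed on the server root
    (path exactly /j_security_check) and was rejected with 404 or 405."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected layout
        path = request_path(m.group("target"))
        if (
            m.group("method") == "POST"
            and path == "/j_security_check"
            and m.group("status") in ("404", "405")
        ):
            hits.append(
                {
                    "timestamp": m.group("ts"),
                    "status": m.group("status"),
                    "actual_path": path,
                    "expected_path": expected_login_path(m.group("referer")),
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_rootless_logins(SAMPLE_LOG):
        print(f"{hit['timestamp']}: {hit['status']} for {hit['actual_path']}, "
              f"expected {hit['expected_path'] or '<unknown context>'}")
```

Run it against a real `access_log` by reading the file into `find_rootless_logins`; the `expected_path` field, derived from the Referer, tells you which application the user was logging into when the POST escaped its context.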

Resolution

The issue has been fixed in the EAP 7.2.8 patch release (see bug JBEAP-18378) and in the EAP 7.3.1 patch release (see bug JBEAP-18488).
Download and apply those patches (or the latest available patches) to the EAP 7.2.x and 7.3.x environments respectively to resolve this issue.

If the suggested patches cannot be applied, some possible configuration-level workarounds are:

  • use the JBoss CLI to add an Undertow rewrite filter or expression-filter, e.g.:

      /subsystem=undertow/configuration=filter/rewrite=test-rewrite-slash:add(redirect="true",target="%U/")
      /subsystem=undertow/server=default-server/host=default-host/filter-ref=test-rewrite-slash:add(predicate="equals(%R,/context)")
    

    or

      /subsystem=undertow/configuration=filter/expression-filter=app-slash:add(expression="redirect('%U/')")
      /subsystem=undertow/server=default-server/host=default-host/filter-ref=app-slash:add(predicate="method(GET) and regex(pattern=/context, value=%U, full-match=true)")
    
  • modify the login.jsp file so that the POST is always sent inside the context path:

        <form method="post" action="/context/j_security_check" enctype="application/x-www-form-urlencoded">
          Username <input type="text" name="j_username" /><br/>
          Password <input type="password" name="j_password" />
          <input type="submit" name="submit" value="Login" />
        </form>
    
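The two CLI workarounds only redirect when the request path is exactly the context root, and the second one additionally restricts itself to GET. The following Python script is an added example (not code from the Red Hat article or from Undertow) that models those predicates so their matching behaviour can be checked before changing a server, and uses standard relative-URL resolution to show why the missing slash sends the login POST outside the context in the first place. It assumes that, for a request to the application root, the Undertow attributes %R (relative path) and %U (request path) both resolve to the request path without the query string.

```python
import re
from typing import Optional
from urllib.parse import urljoin

# Application root context path used throughout the article.
CONTEXT = "/context"


def rewrite_filter_location(method: str, path: str, context: str = CONTEXT) -> Optional[str]:
    """Models rewrite=test-rewrite-slash (redirect="true", target="%U/") attached
    with predicate equals(%R,/context). There is no method restriction: any
    exact match on the context path is redirected to the same path plus '/'.
    Returns the Location value, or None when the filter does not fire.
    Assumption: %R equals the request path for a root-context request."""
    if path == context:
        return path + "/"
    return None


def expression_filter_location(method: str, path: str, context: str = CONTEXT) -> Optional[str]:
    """Models expression-filter=app-slash (expression redirect('%U/')) attached
    with predicate method(GET) and regex(pattern=/context, value=%U, full-match=true).
    re.escape keeps the comparison literal if a context contains regex
    metacharacters; the article's pattern /context has none."""
    if method != "GET":
        return None
    if re.fullmatch(re.escape(context), path):
        return path + "/"
    return None


def resolve_form_action(page_url: str, action: str) -> str:
    """Where a browser sends a form, given the URL of the page that served it.
    Plain RFC 3986 relative resolution, which is what the browser does with
    a login.jsp whose action is the relative 'j_security_check'."""
    return urljoin(page_url, action)


if __name__ == "__main__":
    # Without the redirect the relative action resolves against the last
    # segment of the path, so 'context' is dropped and the POST hits the root.
    print(resolve_form_action("https://localhost:8443/context", "j_security_check"))
    # After the trailing-slash redirect the same action stays inside the context.
    print(resolve_form_action("https://localhost:8443/context/", "j_security_check"))
    for method, path in [("GET", "/context"), ("POST", "/context"),
                         ("GET", "/context/"), ("GET", "/contextual"),
                         ("GET", "/context/index.jsp")]:
        print(f"{method:4} {path:20} rewrite={rewrite_filter_location(method, path)!s:12} "
              f"expression={expression_filter_location(method, path)}")
```

The model makes the practical difference between the two variants visible: the rewrite-filter variant redirects a POST to `/context` as well, while the expression-filter variant leaves non-GET requests alone. Neither variant touches `/context/`, `/contextual` or anything below the root, so the filter cannot loop. Both targets are built from `%U/` alone; if requests to the root can carry a query string that must survive the redirect, verify on a test server how that string is handled before relying on the rule.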

Notes:
When the application is secured by the Elytron security subsystem, there may still be an Elytron-specific aspect to this issue, which is tracked by JBEAP-19337 with a fix planned for the upcoming EAP 7.3.2 patch release.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.