Merge branch 'ds3777' of https://github.com/TAMULib/DSpace into TAMULib-ds3777

dspace-spring-rest/src/main/java/org/dspace/app/rest/AuthenticationRestController.java

@@ -84,19 +84,23 @@ public class AuthenticationRestController implements InitializingBean {
         return authenticationStatusResource;
     }
 
-    @RequestMapping(value = "/login", method = {RequestMethod.GET, RequestMethod.POST})
+    @RequestMapping(value = "/login", method = {RequestMethod.POST})
     public ResponseEntity login(HttpServletRequest request, @RequestParam(name = "user", required = false) String user,
                                 @RequestParam(name = "password", required = false) String password) {
         //If you can get here, you should be authenticated, the actual login is handled by spring security
         //see org.dspace.app.rest.security.StatelessLoginFilter
 
         //If we don't have an EPerson here, this means authentication failed and we should return an error message.
-
         return getLoginResponse(request,
                                 "Authentication failed for user " + user + ": The credentials you provided are not " +
                                     "valid.");
     }
     
+    @RequestMapping(value = "/login", method = {RequestMethod.GET, RequestMethod.PUT, RequestMethod.PATCH, RequestMethod.DELETE})
+    public ResponseEntity login() {
+        return ResponseEntity.status(HttpStatus.METHOD_NOT_ALLOWED).body("Only POST is allowed for login requests.");
+    }
+
     @RequestMapping(value = "/logout", method = {RequestMethod.GET, RequestMethod.POST})
     public ResponseEntity logout() {
         //This is handled by org.dspace.app.rest.security.CustomLogoutHandler

dspace-spring-rest/src/main/java/org/dspace/app/rest/security/WebSecurityConfiguration.java

@@ -15,6 +15,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -50,6 +51,18 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
     @Autowired
     private CustomLogoutHandler customLogoutHandler;
 
+    @Override
+    public void configure(WebSecurity webSecurity) throws Exception
+    {
+        webSecurity
+            .ignoring()
+                .antMatchers(HttpMethod.GET, "/api/authn/login")
+                .antMatchers(HttpMethod.PUT, "/api/authn/login")
+                .antMatchers(HttpMethod.PATCH, "/api/authn/login")
+                .antMatchers(HttpMethod.DELETE, "/api/authn/login");
+    }
+
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.headers().cacheControl();
@@ -81,8 +94,9 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
             //Configure the URL patterns with their authentication requirements
             .authorizeRequests()
-            //Allow GET and POST by anyone on the login endpoint
+            //Allow POST by anyone on the login endpoint
-            .antMatchers("/api/authn/login").permitAll()
+            .antMatchers(HttpMethod.POST,"/api/authn/login").permitAll()
+            //TRACE, CONNECT, OPTIONS, HEAD
             //Everyone can call GET on the status endpoint
             .antMatchers(HttpMethod.GET, "/api/authn/status").permitAll()
             .and()