It is impossible to log in to a web application that is configured to use URL based session tracking and FORM based login.

Opening a secured page redirects correctly to the login page, and login form action is produced correctly with HttpServletResponse.encodeURL: result is "j_security_check;jsessionid=xxx".

However, undertow refuses to handle the request to j_security_check;jsessionid=xxxx. The result is HTTP error 405, POST not supported.

Similar problem occurs if the login form is posted using GET, or the login page forwards to j_security_check using sendRedirect with URL parameters. In this case undertow responds to j_security_check?foo=bar&and=so_on with HTTP error 404.