#133 credentials shal be provided in request body and not as parameters

NOTE: with this change, we support both ways now, until the frontend
code is changed too.

Frontend task:
metasfresh/metasfresh-webui-frontend-legacy#323

metasfresh-webui-api/src/main/java/de/metas/ui/web/login/LoginRestController.java

@@ -18,6 +18,7 @@
 import org.springframework.context.ApplicationListener;
 import org.springframework.session.events.SessionDestroyedEvent;
 import org.springframework.stereotype.Component;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -33,6 +34,7 @@
 import de.metas.ui.web.base.session.UserPreference;
 import de.metas.ui.web.config.WebConfig;
 import de.metas.ui.web.login.exceptions.NotAuthenticatedException;
+import de.metas.ui.web.login.json.JSONLoginAuthRequest;
 import de.metas.ui.web.login.json.JSONLoginAuthResponse;
 import de.metas.ui.web.login.json.JSONLoginRole;
 import de.metas.ui.web.notification.UserNotificationsService;
@@ -53,11 +55,11 @@
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public
- * License along with this program.  If not, see
+ * License along with this program. If not, see
  * <http://www.gnu.org/licenses/gpl-2.0.html>.
  * #L%
  */
@@ -70,7 +72,7 @@ public class LoginRestController
 
 	@Autowired
 	private UserSession userSession;
-	
+
 	@Autowired
 	private UserNotificationsService userNotificationsService;
 
@@ -87,20 +89,26 @@ private void assertAuthenticated()
 				.orElseThrow(() -> new NotAuthenticatedException());
 	}
 
-	@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
-	public JSONLoginAuthResponse authenticate(
-			@RequestParam("username") final String username //
-			, @RequestParam("password") final String password //
+	@PostMapping(value = "/authenticate")
+	public JSONLoginAuthResponse authenticate( //
+			@RequestBody(required = false) JSONLoginAuthRequest request //
+			, @Deprecated @RequestParam(name = "username", required = false) final String username_DEPRECATED //
+			, @Deprecated @RequestParam(name = "password", required = false) final String password_DEPRECATED //
 	)
 	{
 		userSession.assertNotLoggedIn();
+
+		if(request == null)
+		{
+			request = new JSONLoginAuthRequest(username_DEPRECATED, password_DEPRECATED);
+		}
 
 		final Login loginService = getLoginService();
 		final MSession session = createMSession(loginService);
 
 		try
 		{
-			final Set<KeyNamePair> availableRoles = loginService.authenticate(username, password);
+			final Set<KeyNamePair> availableRoles = loginService.authenticate(request.getUsername(), request.getPassword());
 
 			//
 			// Create JSON roles
@@ -286,12 +294,12 @@ public void loginComplete(@RequestBody final JSONLoginRole loginRole)
 		//
 		// Mark session as logged in
 		userSession.setLoggedIn(true);
-		
+
 		//
 		// Enable user notifications
 		userNotificationsService.enableForSession(userSession.getSessionId(), userSession.getAD_User_ID(), userSession.getAD_Language());
 	}
-	
+
 	@RequestMapping(value = "/isLoggedIn", method = RequestMethod.GET)
 	public boolean isLoggedIn()
 	{
@@ -332,18 +340,18 @@ public void logout(final HttpServletRequest request)
 		final MSession session = MSession.get(userSession.getCtx(), false);
 		destroySession(loginService, session);
 	}
-	
+
 	@Component
 	public static class SessionDestroyedListener implements ApplicationListener<SessionDestroyedEvent>
 	{
 		@Autowired
 		private UserNotificationsService userNotificationsService;
-		
+
 		public SessionDestroyedListener()
 		{
 			super();
 		}
-		
+
 		@Override
 		public void onApplicationEvent(final SessionDestroyedEvent event)
 		{

metasfresh-webui-api/src/main/java/de/metas/ui/web/login/json/JSONLoginAuthRequest.java

@@ -0,0 +1,57 @@
+package de.metas.ui.web.login.json;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/*
+ * #%L
+ * metasfresh-webui-api
+ * %%
+ * Copyright (C) 2017 metas GmbH
+ * %%
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public
+ * License along with this program. If not, see
+ * <http://www.gnu.org/licenses/gpl-2.0.html>.
+ * #L%
+ */
+
+@JsonAutoDetect(fieldVisibility = Visibility.ANY, getterVisibility = Visibility.NONE, setterVisibility = Visibility.NONE) // cannot use it because of "otherProperties"
+public class JSONLoginAuthRequest
+{
+	@JsonProperty("username")
+	private final String username;
+	@JsonProperty("password")
+	private final String password;
+
+	@JsonCreator
+	public JSONLoginAuthRequest( //
+			@JsonProperty("username") final String username //
+			, @JsonProperty("password") final String password //
+	)
+	{
+		this.username = username;
+		this.password = password;
+	}
+
+	public String getUsername()
+	{
+		return username;
+	}
+
+	public String getPassword()
+	{
+		return password;
+	}
+}