  • HTTP BASIC - Problem with the authentication window

    Hi all,

    I use Spring Security 3.0.5 with Spring Framework 3.0.5. I have an application with <http-basic> authentication, to authenticate users and to get their authorizations (using an LDAP).
    When I type the URL of my webapp in the browser (tested with Chrome and Firefox), I get the authentication window, but I have 2 problems:

    1/ If the provided username does not exist, or if the password is wrong, the authentication window is displayed indefinitely, as I do not provide valid username and password, instead of displaying a 401 error page. The 401 error page is only displayed when I click on the "Cancel" button of the authentication window.
    On the contrary, if user and password are valid but the user is not allowed to access the webapp, I have the 403 error page displayed well immediately.

    2/ 2nd problem : when authentication failed (because of 401 or 403 error), if I type again the url of my webapp in the browser, the authentication window is no longer displayed and the last error page (401 or 403) is displayed immediately, as if Spring would remember the last authentication attempt and no longer tried to authenticate. However I did not activate "remember-me", or else I missed something.

    Here is my spring-security.xml :
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:sec="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">
     
       <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
          <property name="locations">
             <list>
                <!-- properties for ldap connection -->
                <value>classpath:spring_ldap.properties</value>
             </list>
          </property>
       </bean>
     
       <sec:http>
          <sec:intercept-url pattern="/**" access="ROLE_USER" />
          <sec:http-basic />
       </sec:http>
     
       <sec:ldap-server url="${tammis.ldap.url}"
                      manager-dn="${tammis.ldap.managerDn}"
                      manager-password="${tammis.ldap.managerPwd}" />
     
       <sec:authentication-manager>
          <sec:ldap-authentication-provider  
                      user-search-filter="${tammis.ldap.userSearchFilter}"
                      user-search-base="${tammis.ldap.userSearchBase}"
                      group-search-filter="${tammis.ldap.groupSearchFilter}"
                      group-search-base="${tammis.ldap.groupSearchBase}"
                      group-role-attribute="${tammis.ldap.groupRoleAttribute}" />
       </sec:authentication-manager> 
     
    </beans>
    Authentication itself works well, this is the authentication request which is annoying me.

    PS: Sorry if my English is bad because I'm French...

    Thanks in advance

    Stieuma

  • #2
    Here is some workaround but it might be better to switch to a form based authentication: http://loudvchar.blogspot.ca/2010/11...p-for-401.html
