Announcement Announcement Module
Collapse
No announcement yet.
<sec:http-basic/> without form login Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • <sec:http-basic/> without form login

    Hi,

    I am developing a REST API and using spring security but every time the authentication fails I get a "Spring Security Application" popup. How do to prevent this from coming ?

    applicationContext.xml:

    Code:
    <sec:http auto-config="false" create-session="never" entry-point-ref="restAuthenticationEntryPoint">
            <sec:http-basic/>
            <sec:intercept-url pattern="/**" access="ROLE_USER"/>
        </sec:http>
       
       <bean id="authenticationProvider" class="com.jani.rest.CustomAuthenticationProvider"/>
       
        <sec:authentication-manager>
            <sec:authentication-provider ref="authenticationProvider"/>
        </sec:authentication-manager>

    in the CustomAuthenticationProvider I just check the username and password and in the restAuthenticationEntryPoint i send and Unauthorized error if authentication fails


    Code:
       @Override
       public void commence(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException authException) throws IOException{
              response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");          
          }
    I appreciate any advice, I would like to always throw the authorized error when authentication fails, in my case it does not work using popups since I am developing an API

    Thanks,
    JaniR

  • #2
    Actually when I call the REST resource without any credentials, I get 401 Unauthorized in return but when I get credentials and they are wrong I get redirected to a popup window titled "Spring Security Application" to give the credentials. How do I return the same 401 in this case ?


    Originally posted by janir View Post
    Hi,

    I am developing a REST API and using spring security but every time the authentication fails I get a "Spring Security Application" popup. How do to prevent this from coming ?

    applicationContext.xml:

    Code:
    <sec:http auto-config="false" create-session="never" entry-point-ref="restAuthenticationEntryPoint">
            <sec:http-basic/>
            <sec:intercept-url pattern="/**" access="ROLE_USER"/>
        </sec:http>
       
       <bean id="authenticationProvider" class="com.jani.rest.CustomAuthenticationProvider"/>
       
        <sec:authentication-manager>
            <sec:authentication-provider ref="authenticationProvider"/>
        </sec:authentication-manager>

    in the CustomAuthenticationProvider I just check the username and password and in the restAuthenticationEntryPoint i send and Unauthorized error if authentication fails


    Code:
       @Override
       public void commence(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException authException) throws IOException{
              response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");          
          }
    I appreciate any advice, I would like to always throw the authorized error when authentication fails, in my case it does not work using popups since I am developing an API

    Thanks,
    JaniR

    Comment


    • #3
      I have the same problem, raise a 401 error inside a class that extends GenericFilterBean
      Any progress with this task?

      Comment


      • #4
        Make sure you are using http-basic@entry-point-ref to point to the AuthenticationEntryPoint you wish to use for a failed authentication attempt. For example, the configuration should look something like:

        Code:
        <sec:http entry-point-ref="restAuthenticationEntryPoint" ... >
            ...
            
            <sec:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
        </sec:http>

        Comment


        • #5
          Finally I have implemented correctly Spring security.
          Using entry-point-ref for raising a error for invalid request as sugested by Rob and handling the autentication extending GenericFilterBean.

          I have used this guide.
          http://blog.springsource.org/2010/08...le-app-engine/

          Comment

          Working...
          X