Same request sent multiple times after failed authentication

    I'm using Spring Security to secure a SOAP web service that uses CXF.

    First, I create a JaxWsProxyFactoryBean, and the client. Then, I provide it with bad credentials (I use basic authentication). When I try to connect to the endpoint (i.e. sending a dummy request to the server), my request passes through the filters as expected.

    When the request arrives at the BasicAuthenticationFilter, the AuthenticationManager fails to authenticate the principal as expected. In the catch section, I see the following piece of code:

    if (ignoreFailure) {
       chain.doFilter(request, response);
    } else {
       authenticationEntryPoint.commence(request, response, failed);
    }

    The ignoreFailure property is by default set to false, which is what I want. So the commence() method of the BasicAuthenticationEntryPoint is called. The following code is executed:

    response.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());

    I understand that an Unauthorized error is sent back to the client, but following this error, my client keeps sending the same request a certain number of times, and the same process is repeated for all these requests (since the credentials stay the same). I would expect an error to be sent to the client, but at this point the client should not send the same request which failed to authenticate. I'm pretty sure it is related to the WWW-Authenticate header, but I don't understand what the point of resending the same request multiple times is.


    EDIT: AFAIK, the WWW-Authenticate header is used by the server to request authentication from the client. The client then resends the request with an Authorization header. In my case, the Authorization header is already provided in the first request, so the client is aware that authentication is required; it just doesn't have the right credentials.
    Last edited by Miko95; Jan 8th, 2013, 03:39 AM.
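To make the exchange described in the post concrete, here is an added Python model (not Spring Security's or CXF's code) of the filter and entry-point logic quoted above, paired with a client that either resends the identical credentials on every 401, as the post observes, or treats the first challenge as final. The user store and realm name are constructed values, and the audit list stands in for the server's authentication-failure log.

```python
import base64

# Constructed demo user store and realm name (the post's realmName).
USERS = {"alice": "s3cret"}
REALM = "Spring Security Application"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

def server_handle(headers, audit, ignore_failure=False):
    """Model of BasicAuthenticationFilter plus BasicAuthenticationEntryPoint.
    Appends one audit entry per failed attempt; returns (status, headers)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, dict(CHALLENGE)          # no credentials: challenge
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:                        # malformed base64 or text
        user, pw = "", ""
    if USERS.get(user) == pw:
        return 200, {}
    audit.append(f"auth failure for user={user!r}")
    if ignore_failure:
        return 403, {}                       # chain continues; modelled as 403
    return 401, dict(CHALLENGE)              # commence(): header + sendError

def basic_header(user, pw):
    """Build the Authorization header value for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def client(user, pw, audit, resend_same_creds, max_attempts=5):
    """Sends Basic credentials pre-emptively, as the post's CXF client does.
    With resend_same_creds=True the identical request is repeated on each 401
    (the observed behaviour); with False a 401 challenge answering a request
    that already carried credentials is treated as final.
    Returns (final_status, attempts)."""
    creds = basic_header(user, pw)
    attempts = 0
    status = None
    while attempts < max_attempts:
        attempts += 1
        status, resp = server_handle({"Authorization": creds}, audit)
        if status != 401 or not resend_same_creds:
            return status, attempts
        # 401 with WWW-Authenticate asks for credentials we already sent;
        # resending them unchanged only adds another failure to the audit.
        assert "WWW-Authenticate" in resp
    return status, attempts
```

Each blind resend shows up as a separate failure in the server-side audit, which is why the repeated requests are worth stopping on the client rather than tolerating.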