
  • Allow Http OPTIONS for j_spring_security_check

    Hi,
    I am currently trying to implement a login scenario for a REST API based on Spring Security. As the API needs to be able to allow cross domain logins, I am currently struggling with the following issue:
    According to the specification of CORS (https://developer.mozilla.org/en-US/...access_control) each cross domain access is pre-bound with an OPTIONS request. The problem is that j_spring_security_check always returns a 403 - FORBIDDEN, which indicates that j_spring_security_check only allows POST requests, right?

    My config for j_spring_security_check looks like this:

    Code:
      <http auto-config="true" entry-point-ref="authenticationEntryPoint">
          <form-login login-processing-url="/j_spring_security_check"
                      authentication-success-handler-ref="baseAuthenticationSuccessHandler"
                      authentication-failure-handler-ref="baseAuthenticationFailureHandler"/>
          <logout success-handler-ref="baseLogoutSuccessHandler" />
      </http>
    Any idea how I can enable the OPTIONS request for j_spring_security_check?

    Regards,
    Johannes

  • #2
    I doubt you should be using the form-login stuff for such a requirement. I probably would implement a new entrypoint and handler to support CORS instead of hacking/bolting it on to the current classes. I would consider it a new way of doing authentication (maybe based off preauthentication?).


    • #3
      Hi Marten,
      First of all, thanks for your reply. For the entry-point stuff etc. I stuck to this: http://www.harezmi.com.tr/allowing-r...ement/?lang=en, which seems to work so far. Do you have a good resource I could grab and get along with?

      Code:
          <global-method-security pre-post-annotations="enabled"/>
          <beans:bean id="baseAuthenticationProvider" class="de.cloudscale.security.BaseAuthenticationProvider"/>

          <beans:bean id="authenticationEntryPoint"
                      class="de.cloudscale.security.Http401DeniedEntryPoint"/>
          <beans:bean id="baseAuthenticationSuccessHandler"
                      class="de.cloudscale.security.BaseAuthenticationSuccessHandler"/>
          <beans:bean id="baseAuthenticationFailureHandler"
                      class="de.cloudscale.security.BaseAuthenticationFailureHandler"/>
          <beans:bean id="baseLogoutSuccessHandler"
                      class="de.cloudscale.security.BaseLogoutSuccessHandler"/>

          <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

          <http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
              <form-login login-processing-url="/login"
                          authentication-success-handler-ref="baseAuthenticationSuccessHandler"
                          authentication-failure-handler-ref="baseAuthenticationFailureHandler"/>
              <logout success-handler-ref="baseLogoutSuccessHandler" />

              <intercept-url pattern="/user/**" access="isAuthenticated()" method="PUT" />
          </http>

          <authentication-manager>
              <authentication-provider>
                  <password-encoder ref="encoder" />
                  <user-service>
                      <user name="rod"
                            password="864acff7515e4e419d4266e474ea14a889dce340784038b704a30453e01245eed374f881f3df8e1e"
                            authorities="user" />
                  </user-service>
              </authentication-provider>
          </authentication-manager>
      Current state of application-security.xml

      Regards,
      Johannes
      Last edited by johanneshiemer; Jan 10th, 2013, 03:16 AM.
