I am trying to create a restful web service that will be used by other web services. Ideally, when a client access the service, and isn't authenticated, they should get a 401. I want a user to be able to authenticate by adding an authentication header to the request. I don't want the user to fill out a login form, and post that. I also don't want it to store any login credentials in a cookie (ie keeping state) it should all be in the auth header send with each request. I have used spring roo to create the web service.
What I have currently, (taken from one of the spring security 3.1 tutorials), when the user gets a 401, they are promted with a login page, and then post the page, getting a cookie that they send with each request.
Here is my spring security xml.
<http use-expressions="true">
<intercept-url pattern="/customers/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="denyAll" />
<form-login />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="alice" password="other" authorities="user" />
<user name="custome1" password="other" authorities="user" />
</user-service>
</authentication-provider>
</authentication-manager>
When I send a request from curl, i get the following:
$ curl -i -H "Accept: application/json" -H "Authorization: Basic Y3VzdG9tZXIxOm90aGVy" http://localhost:8080/Secured/customers
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B4F983464F68199FA0160DBE6279F440; Path=/Secured/; HttpOnly
Location: http://localhost:8080/Secured/spring_security_login;jsessionid=B4F983464F68199FA0160DBE6279F440
Content-Length: 0
Date: Thu, 25 Apr 2013 17:18:48 GMT
where my basic header token is base64(customer1:other)
How can I get the web service to accept the auth header, and not redirect me to a login page?
When I remove the from security.xml, I get the following:
excpetion:org.springframework.beans.factory.parsing.BeanDefinitionParsingException:
Configuration problem: No AuthenticationEntryPoint could be established.
Please make sure you have a login mechanism configured through the namespace
(such as form-login) or specify a custom AuthenticationEntryPoint with the
'entry-point-ref' attribute