Rest basic authentication via spring security without form-login

13
votes

I am trying to create a restful web service that will be used by other web services. Ideally, when a client access the service, and isn't authenticated, they should get a 401. I want a user to be able to authenticate by adding an authentication header to the request. I don't want the user to fill out a login form, and post that. I also don't want it to store any login credentials in a cookie (ie keeping state) it should all be in the auth header send with each request. I have used spring roo to create the web service.

What I have currently, (taken from one of the spring security 3.1 tutorials), when the user gets a 401, they are promted with a login page, and then post the page, getting a cookie that they send with each request.

Here is my spring security xml.

 <http use-expressions="true">
   <intercept-url pattern="/customers/**" access="isAuthenticated()" />
 <intercept-url pattern="/**" access="denyAll" />
<form-login />
 </http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="alice" password="other" authorities="user" />
            <user name="custome1" password="other" authorities="user" />
        </user-service>
    </authentication-provider>
</authentication-manager>

When I send a request from curl, i get the following:

 $ curl -i -H "Accept: application/json" -H "Authorization: Basic Y3VzdG9tZXIxOm90aGVy" http://localhost:8080/Secured/customers

 HTTP/1.1 302 Found
 Server: Apache-Coyote/1.1
 Set-Cookie: JSESSIONID=B4F983464F68199FA0160DBE6279F440; Path=/Secured/; HttpOnly
 Location:      http://localhost:8080/Secured/spring_security_login;jsessionid=B4F983464F68199FA0160DBE6279F440
 Content-Length: 0
 Date: Thu, 25 Apr 2013 17:18:48 GMT

where my basic header token is base64(customer1:other)

How can I get the web service to accept the auth header, and not redirect me to a login page?

When I remove the from security.xml, I get the following:

excpetion:org.springframework.beans.factory.parsing.BeanDefinitionParsingException:
    Configuration problem: No AuthenticationEntryPoint could be established.
    Please make sure you have a login mechanism configured through the namespace
    (such as form-login) or specify a custom AuthenticationEntryPoint with the
    'entry-point-ref' attribute
3
springspring-securitybasic-authentication

3 Answers

9
votes

Here is an example non-xml configuration for Rest authentication or with form or with basic whatever needed:

.and().httpBasic();

does the magic! ))

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/someurl").hasRole("ADMIN")
            .antMatchers("/anotherurl").hasRole("USER")
            .antMatchers("/", "main").permitAll().anyRequest().authenticated()
            .and()
            .httpBasic();

        http.formLogin()
            .loginPage("/login").permitAll()
            .and()
            .logout().permitAll();
    }
...
}
8
votes

I needed to remove <form-login> and add <http-basic>. Also added create-session-"stateless" to my config.

 <http use-expressions="true" create-session="stateless" >
     <intercept-url pattern="/customers/**" access="isAuthenticated()" />
     <intercept-url pattern="/**" access="denyAll" />
     <http-basic/>
 </http>
1
votes

follow this test demo of jax-rs with spring security http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/

this is simple approach for authentication without promoting credentials.

you may go with implementing RequestHandler and overriding 

public Response handleRequest(Message message, ClassResourceInfo resourceClass);

follow : http://cxf.apache.org/docs/secure-jax-rs-services.html for complete set of approach.