Spring Security Rest Basic authentication

4
votes

I'm working with Spring security 4 XML based configuration.

This is my configuration : 

      <security:http use-expressions="true" authentication-manager-ref="authenticationManager" entry-point-ref="authenticationEntryPoint">
            <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
            <security:form-login authentication-success-handler-ref="authenticationSuccessHandler"
                                 authentication-failure-handler-ref="authenticationFailureHandler"
                                 />
            <security:logout success-handler-ref="logoutSuccessHandler"/>
            <security:csrf disabled="true"/>
        </security:http>

        <security:authentication-manager id="authenticationManager">
            <security:authentication-provider>
                <security:user-service>
                    <security:user name="username" authorities="ROLE_USER" password="password"/>
                </security:user-service>
            </security:authentication-provider>
        </security:authentication-manager>

        <bean id="authenticationEntryPoint" class="package.CustomBasicAuthenticationEntryPoint">

The authenticationEntryPoint has the following implementation : 

public class CustomBasicAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {

        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

The problem is when I try to authenticate :

http://localhost:8080/myApp/api/j_spring_security_check with body : j_password=password&j_username=username

I have always a 401 error status because of my custom entry point. It seems to me that spring security is not calling the authentication-manager. Do I miss something ?

Thanks for helping.

Update

Thanks for your answers, I've been working with Spring Security 3.2, I changed j_username, j_password and j_spring_security_check to username, password and login. I still have the same problem : 401 code status : Spring Security is calling the custom authenticationEntryPoint even when I try to authenticate using a form (POST).

4
javaspringspring-security

4 Answers

3
votes

For Spring Security version 4, the default login processing URL is:

http://localhost:8080/myApp/login

(j_spring_security_check was used in earlier versions.)

Note that this is form login and has nothing to do with HTTP Basic authentication.

2
votes

In Spring 4 form field default names were changed from j_username and j_password to username and password. You should either change it in your request or explicitly set it in your xml config. Also login-processing-url default changed from j_spring_security_check to login. Here you can find some info about it.

1
votes

Summary of problems:

  1. As @holmis83 wrote, default login processing URL is login, see Spring Scurity Reference:

    • login-processing-url Maps to the filterProcessesUrl property of UsernamePasswordAuthenticationFilter. The default value is "/login".

  2. As @pomkine wrote, default parameters are username and password, see Spring Security Reference:

    • password-parameter The name of the request parameter which contains the password. Defaults to "password".
    • username-parameter The name of the request parameter which contains the username. Defaults to "username".

  3. Default HTTP method is POST, see UsernamePasswordAuthenticationFilter#setPostOnly:

    Defines whether only HTTP POST requests will be allowed by this filter. If set to true, and an authentication request is received which is not a POST request, an exception will be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method will be called as if handling a failed authentication. Defaults to true but may be overridden by subclasses.

  4. As @holmis83 wrote, you use form-login and this is not HTTP Basic Authentication, see Spring Security Reference:

    If you want to use basic authentication instead of form login, then change the configuration to

    <http use-expressions="false">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <http-basic />
</http>

    Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to access a protected resource. Form login is still available in this configuration if you wish to use it, for example through a login form embedded in another web page.

0
votes

In my web.xml file, the url-pattern for Spring Security filterchain is : /api/*

I had to add the same url-pattern to the login-processing-url : "/api/" in my configuration file (login-form) to make it work : 

login-processing-url="/api/login"

Thanks for your answers.