403 instead of login page redirect for REST WS
pwanner
Jan 13th, 2011, 06:35 AM
Hi everybody,
We have an ExtJS javascript application with a Tomcat/Spring/SpringSecurity backend exposing REST services.
We have the standard SpringSecurity redirection to the login page when the user is not authenticated and it loads the application the first time, but for the REST services (/services/*) we would like to receive the HTTP 403 instead of the HTML of the login page in the response.
Do you have any advice, please?
Thanks in advance.
Rob Winch
Jan 13th, 2011, 09:01 AM
You will want to use the DelegatingAuthenticationEntryPoint. For help using it I would look at its javadoc and search for it on the forums. There are quite a few threads (http://www.google.com/search?hl=en&q=site%3Aforum.springsource.org+delegatingauthenticationentrypoint+rwinch&aq=f&aqi=&aql=&oq=&gs_rfai=) on it out there but this one (http://forum.springsource.org/showthread.php?t=94913) is a pretty good one.
pwanner
Jan 13th, 2011, 10:26 AM
Thank you for your answer, Rob.
In fact what I would like to do is override the DefaultRedirectStrategy that is instantiated directly (why not DI :-) ) in the LoginUrlAuthenticationEntryPoint.
Rob Winch
Jan 14th, 2011, 11:39 AM
Just to confirm...you were able to solve your problem then?
pwanner
Jan 17th, 2011, 03:47 AM
Yes, but in a very inelegant way. I had to create a CustomLoginUrlAuthenticationEntryPoint that is a raw copy of the LoginUrlAuthenticationEntryPoint (as this class is really not designed to be overridden) where I can inject a RedirectStrategy, and a CustomRedirectStrategy that sends a 403 for a list of URLs instead of redirecting to the login page.
Thanks for helping anyway.
Rob Winch
Jan 17th, 2011, 09:12 AM
Glad you found a solution that works :) If you want a cleaner solution, I would recommend you look at the suggestion that I posted.
pwanner
Jan 17th, 2011, 09:37 AM
I'm always interested in finding a clean(er) solution :-)
I thought that the DelegatingAuthenticationEntryPoint was made to configure different EntryPoints based on a regexp, right?
But I don't need two EntryPoints, but just a specific Redirect(ion)Strategy based on a regexp.
Or did I miss something?
Rob Winch
Jan 17th, 2011, 11:01 AM
> I thought that the DelegatingAuthenticationEntryPoint was made to configure different EntryPoints based on a regexp, right?
An AuthenticationEntryPoint can do redirections and more.
> But I don't need two EntryPoints, but just a specific Redirect(ion)Strategy based on a regexp.
> Or did I miss something?
I think I may be a bit confused by your requirements. You mentioned you would send a 403 for a list of URLs...403 does not include a redirect and thus I don't know why you would use a RedirectStrategy for this. The configuration below would send a 403 for any URL that starts with /services/ and redirect to the login page for any other URL.

    <http ... entry-point-ref="entryPoint">
        ...
    </http>
    <b:bean id="entryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
        <b:constructor-arg>
            <b:map>
                <b:entry>
                    <b:key>
                        <b:bean class="ServicesRequestMatcher"/>
                    </b:key>
                    <b:bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
                </b:entry>
            </b:map>
        </b:constructor-arg>
        <b:property name="defaultEntryPoint">
            <b:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                <b:property name="loginFormUrl" value="/login"/>
            </b:bean>
        </b:property>
    </b:bean>
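
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.web.util.RequestMatcher; // Spring Security 3.x package
    import org.springframework.security.web.util.UrlUtils;

    // Matches any request whose URL (without the context path) starts with /services/
    public class ServicesRequestMatcher implements RequestMatcher {
        public boolean matches(HttpServletRequest request) {
            String url = UrlUtils.buildRequestUrl(request);
            return url.startsWith("/services/");
        }
    }
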
If this is not what you are looking for, please clarify your requirements. An example might help to illustrate what you are looking for.
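
A way to check the routing described in the post above, added here as an example that is not part of the original thread: it builds the same entry point by hand and drives it with spring-test mock requests. It assumes Spring Security 3.x-era APIs (javax.servlet, RequestMatcher in org.springframework.security.web.util) and spring-test on the classpath; the class name EntryPointCheck and the sample paths are constructed for illustration.

```java
import java.util.LinkedHashMap;
import javax.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.RequestMatcher; // 3.x package (assumed version)
import org.springframework.security.web.util.UrlUtils;

public class EntryPointCheck { // hypothetical name, not from the thread
    // Same wiring as the XML in the thread, built by hand.
    static AuthenticationEntryPoint build() {
        RequestMatcher services = new RequestMatcher() {
            public boolean matches(HttpServletRequest request) {
                return UrlUtils.buildRequestUrl(request).startsWith("/services/");
            }
        };
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> map =
                new LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>();
        map.put(services, new Http403ForbiddenEntryPoint());
        LoginUrlAuthenticationEntryPoint login = new LoginUrlAuthenticationEntryPoint();
        login.setLoginFormUrl("/login");
        DelegatingAuthenticationEntryPoint ep = new DelegatingAuthenticationEntryPoint(map);
        ep.setDefaultEntryPoint(login);
        return ep;
    }

    // Sends one unauthenticated request (constructed sample path) through the entry point.
    static MockHttpServletResponse commence(String path) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path); // UrlUtils reads the servlet path, which the mock leaves empty
        MockHttpServletResponse response = new MockHttpServletResponse();
        build().commence(request, response, new InsufficientAuthenticationException("not authenticated"));
        return response;
    }

    public static void main(String[] args) throws Exception {
        MockHttpServletResponse rest = commence("/services/users");
        MockHttpServletResponse page = commence("/index.html");
        check(rest.getStatus() == 403 && rest.getRedirectedUrl() == null, "REST gets a bare 403");
        check(page.getRedirectedUrl() != null && page.getRedirectedUrl().endsWith("/login"), "pages redirect");
        check(commence("/servicesX/a").getStatus() != 403, "prefix look-alike is not matched");
    }
    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException(what);
    }
}
```
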
pwanner
Jan 18th, 2011, 06:23 AM
Hum! It seems that I didn't really understand how DelegatingAuthenticationEntryPoint works, as the configuration above suits my needs perfectly and is MUCH nicer than what I wrote!
Thanks a lot Rob.