I'm building a REST based API and I am trying to get the login REST call to return 200 instead of 302. Is there any example of such a Spring Security configuration?
Any help is appreciated.
Thanks.
Eugen.
Yes, I was rather hoping I wouldn't have to.
The problem with that is that my app is in fact a REST API - I am not using the <form-login> element, so I cannot just provide an AuthenticationSuccessHandler.
The only other way I'm aware of is to define another custom filter to replace the standard UsernamePasswordAuthenticationFilter and provide my AuthenticationSuccessHandler there.
The other problem is that I need to check if I have this filter in my chain right now - its javadoc says "Processes an authentication form submission" and seeing how there's no form submission in play and no <form-login> element to create it, it may simply not be there. What's more, I could add it but I'm unsure if that's the right way to go just to change the http response code.
Is there a simpler way I'm missing or is this the recommended way of achieving what I'm after?
Thanks for the help.
Eugen.
Last edited by eugenparaschiv; Jul 4th, 2011 at 08:52 AM.
I have resolved this - attaching my notes for reference if anyone else stumbles upon this:
- note: because it’s a REST API, there’s no <login-form> element
- specify a custom filter for the FORM_LOGIN_FILTER position
<http ...>
    ...
    <custom-filter ref="myFilter" position="FORM_LOGIN_FILTER" />
    ...
</http>
- define the filter and point to a custom success handler:
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler" />
</beans:bean>
<beans:bean id="mySuccessHandler" class="com.avaya.thunder.server.security.MySavedRequestAwareAuthenticationSuccessHandler" />
- define the MySavedRequestAwareAuthenticationSuccessHandler bean:
extends AbstractAuthenticationTargetUrlRequestHandler implements AuthenticationSuccessHandler
- the handle method overrides the handle from AbstractAuthenticationTargetUrlRequestHandler but doesn’t do a redirect
- the response code is now 200 instead of 302
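A sketch of the success handler described in the notes above, added here as an example; it is not the poster's own class. It assumes Spring Security 3.1 or later on the javax.servlet API, and the package name and the Cache-Control header are assumptions of this example.

```java
package com.example.security; // hypothetical package, not the one from the post

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class MySavedRequestAwareAuthenticationSuccessHandler
        extends AbstractAuthenticationTargetUrlRequestHandler
        implements AuthenticationSuccessHandler {

    // Called by UsernamePasswordAuthenticationFilter after the
    // AuthenticationManager has accepted the credentials.
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        handle(request, response, authentication);

        // Drop the exception left in the session by an earlier failed attempt,
        // as the stock success handlers do.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        }
    }

    // The inherited handle() resolves a target URL and sends a redirect (302).
    // This override sets the status directly and never redirects.
    @Override
    protected void handle(HttpServletRequest request,
                          HttpServletResponse response,
                          Authentication authentication)
            throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_OK);
        // Assumption of this example: keep intermediaries from caching the login response.
        response.setHeader("Cache-Control", "no-store");
    }
}
```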
Could you please point me to an example?
Thanks.
You can find the documentation in the appendix. A short example would be:
Code:
<http ..>
    <form-login authentication-success-handler-ref="authSuccessHandler"/>
</http>
<b:bean id="authSuccessHandler" class="MyAuthenticationSuccessHandler"/>
Yes, I am aware of that, but as I mentioned, being a REST API only, there is no <form-login> element.
Eugen.