Authentication with RESTEasy + Spring Security

**Cesar M. Casasola** · Dec 4th, 2012, 10:11 AM

I'm trying to create a method authentication with RESTEasy.

My URLs REST are mapped with con Spring Security

I want to know how Spring Security can to recognize to authenticated user...

I've created a login URL and login method in a service class. This method is used in my web application and call other method that return true o false

Code:

@Path("/service/login")
public class LoginService {
	private UsuarioBusiness usuarioBusiness;
	
	@GET
	@Path("/go/{user}/{pass}")
	@Produces("application/json")
	public Response login(@PathParam("user") String usuario, @PathParam("pass") String pass){
          //call other method
	}
}

Code:

//Other method
public boolean login(String username, String password) {

		try {
			Authentication authenticate = authenticationManager.authenticate(
					new UsernamePasswordAuthenticationToken(username, password));
			if (authenticate.isAuthenticated()) {
				SecurityContextHolder.getContext().setAuthentication(authenticate);	
				return true;
			}
		} catch (AuthenticationException e) {	
			System.out.println("Error en login");
		}
		return false;
	}

But this only serves for that the app that call login service redirect to the homepage application. When the app want to access to other URL is rejected because is mapped with Spring Security

How I make for Spring Security recognize to my user authenticated?

In this post mentioned entry-point but I don't understand how associate to a URL

Thanks

**Rob Winch** · Dec 5th, 2012, 09:42 AM

First it is bad to include sensitive data in the URL or Query String since this information is much more easy to be leaked. Instead, you should include the username/password in a header or the body of a POST.

If you want to authenticate in your own code, then you need to grant access to the URL that you are authenticating to. To do this, update your configuration to look something liek this:

Code:

<http ... use-expression="true">
  <intercept-url pattern="/service/login/go/*" access="permitAll"/>
  ...
</http>

**Cesar M. Casasola** · Dec 5th, 2012, 01:59 PM

Originally Posted by Rob Winch

First it is bad to include sensitive data in the URL or Query String since this information is much more easy to be leaked. Instead, you should include the username/password in a header or the body of a POST.

If you want to authenticate in your own code, then you need to grant access to the URL that you are authenticating to. To do this, update your configuration to look something liek this:

Code:

<http ... use-expression="true">
  <intercept-url pattern="/service/login/go/*" access="permitAll"/>
  ...
</http>

Thanks for the advice

I forgot to mention that services are consumed by a mobile client. According to the value returned by the login service the mobile application redirected to homepage or to failure page. This has already been implemented.

I have all my URLs REST mapped

Code:

<http ... use-expression="true">
  <intercept-url pattern="/service/**" access="ROLE_USER"/>
  ...
</http>

Therefore, I want to know how my service cant recognize to my authenticated user so my URLs REST don't blocked for my user

Thread: Authentication with RESTEasy + Spring Security

Thread Tools

Display

Authentication with RESTEasy + Spring Security

Tags for this Thread

Posting Permissions