<sec:http-basic/> without form login

**janir** · Dec 2nd, 2012, 07:47 AM

Hi,

I am developing a REST API and using spring security but every time the authentication fails I get a "Spring Security Application" popup. How do to prevent this from coming ?

applicationContext.xml:

Code:

<sec:http auto-config="false" create-session="never" entry-point-ref="restAuthenticationEntryPoint">
        <sec:http-basic/>
        <sec:intercept-url pattern="/**" access="ROLE_USER"/>
    </sec:http>
   
   <bean id="authenticationProvider" class="com.jani.rest.CustomAuthenticationProvider"/>
   
    <sec:authentication-manager>
        <sec:authentication-provider ref="authenticationProvider"/>
    </sec:authentication-manager>

in the CustomAuthenticationProvider I just check the username and password and in the restAuthenticationEntryPoint i send and Unauthorized error if authentication fails

Code:

   @Override
   public void commence(HttpServletRequest request, HttpServletResponse response,
    AuthenticationException authException) throws IOException{
          response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");          
      }

I appreciate any advice, I would like to always throw the authorized error when authentication fails, in my case it does not work using popups since I am developing an API

Thanks,
JaniR

**janir** · Dec 2nd, 2012, 02:53 PM

Actually when I call the REST resource without any credentials, I get 401 Unauthorized in return but when I get credentials and they are wrong I get redirected to a popup window titled "Spring Security Application" to give the credentials. How do I return the same 401 in this case ?

Originally Posted by janir

Hi,

I am developing a REST API and using spring security but every time the authentication fails I get a "Spring Security Application" popup. How do to prevent this from coming ?

applicationContext.xml:

Code:

<sec:http auto-config="false" create-session="never" entry-point-ref="restAuthenticationEntryPoint">
        <sec:http-basic/>
        <sec:intercept-url pattern="/**" access="ROLE_USER"/>
    </sec:http>
   
   <bean id="authenticationProvider" class="com.jani.rest.CustomAuthenticationProvider"/>
   
    <sec:authentication-manager>
        <sec:authentication-provider ref="authenticationProvider"/>
    </sec:authentication-manager>

in the CustomAuthenticationProvider I just check the username and password and in the restAuthenticationEntryPoint i send and Unauthorized error if authentication fails

Code:

   @Override
   public void commence(HttpServletRequest request, HttpServletResponse response,
    AuthenticationException authException) throws IOException{
          response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");          
      }

I appreciate any advice, I would like to always throw the authorized error when authentication fails, in my case it does not work using popups since I am developing an API

Thanks,
JaniR

**CGarces** · Jan 29th, 2013, 02:20 PM

I have the same problem, raise a 401 error inside a class that extends GenericFilterBean
Any progress with this task?

**Rob Winch** · Jan 30th, 2013, 10:44 AM

Make sure you are using http-basic@entry-point-ref to point to the AuthenticationEntryPoint you wish to use for a failed authentication attempt. For example, the configuration should look something like:

Code:

<sec:http entry-point-ref="restAuthenticationEntryPoint" ... >
    ...
    
    <sec:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
</sec:http>

**CGarces** · Jan 30th, 2013, 03:53 PM

Finally I have implemented correctly Spring security.
Using entry-point-ref for raising a error for invalid request as sugested by Rob and handling the autentication extending GenericFilterBean.

I have used this guide.
http://blog.springsource.org/2010/08...le-app-engine/

Thread: <sec:http-basic/> without form login

Thread Tools

Display

<sec:http-basic/> without form login

Tags for this Thread

Posting Permissions