
Thread: Allow Http OPTIONS for j_spring_security_check

  1. #1


    Hi,
    I am currently trying to implement a login scenario for a REST API based on Spring Security. As the API needs to be able to allow cross-domain logins, I am currently struggling with the following issue:
    According to the specification of CORS (https://developer.mozilla.org/en-US/...access_control), each cross-domain access is pre-bound with an OPTIONS request. The problem is that j_spring_security_check always returns a 403 - FORBIDDEN, which indicates that j_spring_security_check only allows POST requests, right?

    My config for j_spring_security_check looks like this:

    Code:
      <http auto-config="true" entry-point-ref="authenticationEntryPoint">
          <form-login login-processing-url="/j_spring_security_check"
                      authentication-success-handler-ref="baseAuthenticationSuccessHandler"
                      authentication-failure-handler-ref="baseAuthenticationFailureHandler"/>
          <logout success-handler-ref="baseLogoutSuccessHandler" />
      </http>
    Any idea how I can enable the OPTIONS request for j_spring_security_check?

    Regards,
    Johannes

  2. #2

    I doubt you should be using the form-login stuff for such a requirement. I probably would implement a new entry point and handler to support CORS instead of hacking/bolting it on to the current classes. I would consider it a new way of doing authentication (maybe based on preauthentication?).
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author

  3. #3


    Hi Marten,
    First of all, thanks for your reply. For the entry-point stuff etc. I stuck to this: http://www.harezmi.com.tr/allowing-r...ement/?lang=en, which seems to work so far. Do you have a good resource I could grab and get along with?

    Code:
        <global-method-security pre-post-annotations="enabled"/>
        <beans:bean id="baseAuthenticationProvider" class="de.cloudscale.security.BaseAuthenticationProvider"/>

        <beans:bean id="authenticationEntryPoint"
                    class="de.cloudscale.security.Http401DeniedEntryPoint"/>
        <beans:bean id="baseAuthenticationSuccessHandler"
                    class="de.cloudscale.security.BaseAuthenticationSuccessHandler"/>
        <beans:bean id="baseAuthenticationFailureHandler"
                    class="de.cloudscale.security.BaseAuthenticationFailureHandler"/>
        <beans:bean id="baseLogoutSuccessHandler"
                    class="de.cloudscale.security.BaseLogoutSuccessHandler"/>

        <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

        <http auto-config="true" use-expressions="true" entry-point-ref="authenticationEntryPoint">
            <form-login login-processing-url="/login"
                        authentication-success-handler-ref="baseAuthenticationSuccessHandler"
                        authentication-failure-handler-ref="baseAuthenticationFailureHandler"/>
            <logout success-handler-ref="baseLogoutSuccessHandler" />

            <intercept-url pattern="/user/**" access="isAuthenticated()" method="PUT" />
        </http>

        <authentication-manager>
            <authentication-provider>
                <password-encoder ref="encoder" />
                <user-service>
                    <user name="rod"
                          password="864acff7515e4e419d4266e474ea14a889dce340784038b704a30453e01245eed374f881f3df8e1e"
                          authorities="user" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    Current state of application-security.xml

    Regards,
    Johannes
    Last edited by johanneshiemer; Jan 10th, 2013 at 02:16 AM.
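
One way to answer the CORS preflight discussed in this thread, as an added example that is not code from either poster: a plain servlet filter, assumed to be mapped in web.xml ahead of springSecurityFilterChain, that replies to OPTIONS preflights itself and sends CORS headers only for allowlisted origins. The class name CorsPreflightFilter, the origin https://app.example.com and the allowed request header are hypothetical placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the thread). Assumed to run before the
// Spring Security chain, so a preflight is answered without authentication.
public class CorsPreflightFilter implements Filter {

    // Constructed placeholder: the exact origins that may call the API.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<String>(Arrays.asList("https://app.example.com"));

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String origin = req.getHeader("Origin");
        boolean allowed = origin != null && ALLOWED_ORIGINS.contains(origin);

        res.addHeader("Vary", "Origin"); // the response differs per Origin, so caches must key on it
        if (allowed) {
            // Echo only an allowlisted origin; "*" cannot be combined with credentials.
            res.setHeader("Access-Control-Allow-Origin", origin);
            res.setHeader("Access-Control-Allow-Credentials", "true");
        }

        boolean preflight = "OPTIONS".equals(req.getMethod())
                && req.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            if (allowed) {
                // POST for the login URL, PUT for /user/**; Content-Type is an assumed header.
                res.setHeader("Access-Control-Allow-Methods", "POST, PUT");
                res.setHeader("Access-Control-Allow-Headers", "Content-Type");
                res.setHeader("Access-Control-Max-Age", "600");
            }
            res.setStatus(HttpServletResponse.SC_OK);
            return; // a preflight carries no credentials and never reaches the login filter
        }
        chain.doFilter(rq, rs);
    }
}
```

A preflight from an origin outside the allowlist gets a 200 with no CORS headers, so the browser refuses to send the actual login request.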
