Thread: Return 403 instead of 401 from Basic Auth

  1. #1

    Return 403 instead of 401 from Basic Auth

    I am using a custom AuthenticationProvider within a BasicProcessingFilter to implement basic HTTP auth.

    However, in case of failure I would like it to return a 403 (forbidden) instead of a 401 (i.e. I don't want the browser dialog to pop up).

    Where can I configure the HTTP error code to be returned?

    Code:
    <bean id="vasmAuthenticationProvider" class="com.rp.security.VasmAuthenticationProvider">
        <security:custom-authentication-provider />
    </bean>

    <bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
        <property name="authenticationManager">
            <ref bean="_authenticationManager" />
        </property>
        <property name="authenticationEntryPoint">
            <ref bean="authenticationEntryPoint" />
        </property>
        <security:custom-filter position="PRE_AUTH_FILTER" />
    </bean>
    <bean id="authenticationEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
        <property name="realmName" value="RP" />
    </bean>

    <!-- The authentication Manager that forwards the handling to the provider manager -->
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="vasmAuthenticationProvider" />
            </list>
        </property>
    </bean>

  2. #2

    You will have to create your own (or extend) BasicAuthenticationEntryPoint. That is sending the 401 to the client.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3

    I presume you mean BasicProcessingFilterEntryPoint?

  4. #4

    I was checking the spring-security 3.0 sources; it got renamed in that release. But you are correct.

  5. #5

    OK, so I presume I would have to override the commence() method.

    I did this:
    Code:
    public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {
        super.commence(request, response, authException);
        HttpServletResponse h = (HttpServletResponse) response;
        h.setStatus(403);
    }

    But when I call it via CURL with a wrong user/password it still shows 401:

    Code:
    <body><h2>HTTP ERROR 401</h2>

    Any suggestions?

    P.S. My new entry point is getting called, I checked that.

  6. #6

    If I try sendError(403) I get an IllegalStateException since the response has already been committed...

  7. #7

    Got it, should not have called super. Looked at the original source code and replaced my commence() with:

    Code:
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, authException.getMessage());

    Works like a charm, thanks for pointing me in the right direction.
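
The fix from post #7 written out as a complete entry point class, added here as an example and not part of the original thread. The class name `ForbiddenBasicEntryPoint` and the fixed "Access denied" message are assumptions; the imports follow the Spring Security 2.0 package names used in the thread's configuration.

```java
package com.rp.security; // package name taken from the thread's bean definition

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.AuthenticationException;
import org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint;

/**
 * Hypothetical class name. Answers failed Basic authentication with 403
 * instead of the default 401 challenge.
 */
public class ForbiddenBasicEntryPoint extends BasicProcessingFilterEntryPoint {

    @Override
    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // Do not call super.commence(): it adds the WWW-Authenticate header and
        // calls sendError(401), which commits the response. After that,
        // setStatus(403) is ignored and sendError(403) throws
        // IllegalStateException (the symptoms in posts #5 and #6).
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        if (httpResponse.isCommitted()) {
            // Something upstream already wrote the response; it cannot be changed.
            return;
        }

        // No WWW-Authenticate header is sent, so browsers show no login dialog.
        // A fixed reason is used instead of authException.getMessage() (a choice
        // made for this example) so the error page does not echo provider detail.
        httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
    }
}
```

To use it, point the `class` attribute of the thread's `authenticationEntryPoint` bean at this class. `realmName` must still be set, because the parent class validates it at startup.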
