
Thread: REST call with Basic Auth, new configuration Spring 3.0.5

  1. #1


    Hi ppl,

    I am trying to do a Basic Auth with my REST request using Spring 3.0.5. I have seen a bunch of posts, but they are all slightly off or using older versions of the jars and things have changed. For whatever reason, my Basic configuration isn't being invoked with the request and I am not getting error messages in the console. It just redirects to the login page (which I obviously don't want it to do with the REST call).

    My securityContext.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <b:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:b="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <security:global-method-security secured-annotations="enabled" />
    
        <security:http auto-config="true" use-expressions="true">
    
            <intercept-url pattern="/rest/**" access="hasRole('ROLE_EMPLOYEE')"/>
            <intercept-url pattern="/**" access="hasRole('ROLE_EMPLOYEE')"/>
    
            <http-basic/>
    
            <form-login login-page="/login.htm" authentication-failure-url="/login.htm?login_error=1"/>
    
            <logout logout-success-url="/index.htm" logout-url="/logout" invalidate-session="true"/>
    
        </security:http>
    
        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <user-service>
                    <user name="ntwo" password="ntwo" authorities="ROLE_HR, ROLE_EMPLOYEE" />
                    <user name="jmcdoe" password="jmcdoe" authorities="ROLE_EMPLOYEE" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    
        <!-- Automatically receives AuthenticationEvent messages -->
        <b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
    	
    </b:beans>
    When I call the code using poster or a unit test invoked through httpcommons, it just redirects to the login. Any ideas?

    Thanks in advance.

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team (joined Aug 2004; Glasgow, Scotland; 3,449 posts)

    Are you sending a Basic Authentication header with the request?
    Spring - by Pivotal
    twitter @tekul

  3. #3


    Code:
            HttpClient httpClient = new HttpClient();
    
            Credentials defaultcreds = new UsernamePasswordCredentials(username,
                    password);
            httpClient.getState().setCredentials(AuthScope.ANY, defaultcreds);
    
            HttpMethod httpMethod = new GetMethod(
                    "http://localhost:8080/RESTAuthenticate/rest/employee/1.json");
            httpMethod.setRequestHeader("Accept", "application/xml");
            httpClient.executeMethod(httpMethod);
    is what I am sending. So, yes I think it is going through correctly.

  4. #4
    Luke Taylor

    Debug the requests (on either the client or server side) and verify for certain that the header is actually being set.

  5. #5

    Debug

    Hmm, not looking like it:

    Code:
    09:07:59,542 DEBUG header: >> "GET /RESTAuthenticate/rest/employee/1.json HTTP/1.1[\r][\n]"
    09:07:59,577 DEBUG header: >> "Accept: application/xml[\r][\n]"
    09:07:59,578 DEBUG header: >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"
    09:07:59,578 DEBUG header: >> "Host: localhost:8080[\r][\n]"
    09:07:59,578 DEBUG header: >> "[\r][\n]"
    09:07:59,819 DEBUG header: << "HTTP/1.1 302 Moved Temporarily[\r][\n]"
    09:07:59,820 DEBUG header: << "HTTP/1.1 302 Moved Temporarily[\r][\n]"
    09:07:59,822 DEBUG header: << "Server: Apache-Coyote/1.1[\r][\n]"
    09:07:59,822 DEBUG header: << "Set-Cookie: JSESSIONID=252602345E1D71B624FF3706C0F99EDD; Path=/RESTAuthenticate[\r][\n]"
    09:07:59,822 DEBUG header: << "Location: http://localhost:8080/RESTAuthenticate/login.htm;jsessionid=252602345E1D71B624FF3706C0F99EDD[\r][\n]"
    09:07:59,822 DEBUG header: << "Content-Length: 0[\r][\n]"
    09:07:59,823 DEBUG header: << "Date: Wed, 08 Dec 2010 16:07:59 GMT[\r][\n]"
    09:07:59,823 DEBUG header: << "[\r][\n]"
    09:07:59,838 DEBUG header: >> "GET /RESTAuthenticate/login.htm;jsessionid=252602345E1D71B624FF3706C0F99EDD HTTP/1.1[\r][\n]"
    09:07:59,838 DEBUG header: >> "Accept: application/xml[\r][\n]"
    09:07:59,838 DEBUG header: >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"
    09:07:59,838 DEBUG header: >> "Host: localhost:8080[\r][\n]"
    09:07:59,838 DEBUG header: >> "Cookie: $Version=0; JSESSIONID=252602345E1D71B624FF3706C0F99EDD; $Path=/RESTAuthenticate[\r][\n]"

  6. #6
    Luke Taylor

    You need to configure your client to pre-emptively send the authentication header, otherwise you will be redirected to the login form (unless you use a different AuthenticationEntryPoint).

  7. #7


    Luke, thanks for your responses. I see what you are saying, but I thought I was doing that. I threw together a simple login.jsp and the basic authentication works through that. I then went back and ran the stuff through commons http and no go.

    This is my client code:

    Code:
            HttpClient httpClient = new HttpClient();
    
            Credentials defaultcreds = new UsernamePasswordCredentials(username,
                    password);
            httpClient.getState().setCredentials(AuthScope.ANY, defaultcreds);
    
            HttpMethod httpMethod = new GetMethod(
                    "http://localhost:8080/RESTAuthenticate/rest/employee/1.xml");
            httpMethod.setRequestHeader("Accept", acceptHeader);
            httpClient.executeMethod(httpMethod);
            String responseBody = new String(httpMethod.getResponseBody());
            httpMethod.releaseConnection();
    I thought that the third line was in fact setting my credentials. Is it not?

  8. #8
    Luke Taylor

    They will probably only be presented if challenged by the server, but I don't know the details of the HttpClient API offhand. Check online, e.g. here.

  9. #9

    Solved

    Got it! Sorry, I was a little slow on the uptake, I needed these lines:

    HttpClientParams params = client.getParams( );
    params.setAuthenticationPreemptive( true );
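
The fix from post #9 in a complete Commons HttpClient 3.1 client, as an added example that is not part of the original thread. It also scopes the credentials to the thread's host and port instead of `AuthScope.ANY`, so pre-emptive mode does not offer them to every host the client contacts. The class name `PreemptiveBasicAuthClient` and the `fetch` method are hypothetical; the URL is the one used in the thread.

```java
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

// Hypothetical class name; added example, not code from the thread.
public class PreemptiveBasicAuthClient {

    // Host and port taken from the URL used in the thread.
    private static final String HOST = "localhost";
    private static final int PORT = 8080;

    public static String fetch(String username, String password) throws Exception {
        HttpClient client = new HttpClient();

        // Send the Authorization header with the first request instead of
        // waiting for a challenge; the form-login setup answers with a 302.
        client.getParams().setAuthenticationPreemptive(true);

        // Restrict the credentials to one host and port. With AuthScope.ANY,
        // pre-emptive mode would present them to any host the client talks to.
        client.getState().setCredentials(
                new AuthScope(HOST, PORT),
                new UsernamePasswordCredentials(username, password));

        GetMethod get = new GetMethod(
                "http://" + HOST + ":" + PORT + "/RESTAuthenticate/rest/employee/1.xml");
        get.setRequestHeader("Accept", "application/xml");
        // Surface the redirect to login.htm as an error instead of following it.
        get.setFollowRedirects(false);
        try {
            int status = client.executeMethod(get);
            if (status != HttpStatus.SC_OK) {
                throw new IllegalStateException("Unexpected status " + status
                        + "; a 302 to login.htm is what the thread's log shows"
                        + " when no Authorization header is sent");
            }
            return get.getResponseBodyAsString();
        } finally {
            get.releaseConnection();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PreemptiveBasicAuthClient <username> <password>
        System.out.println(fetch(args[0], args[1]));
    }
}
```

Basic authentication only base64-encodes the user name and password, so outside a localhost test like this one the URL should be `https`.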
