
Thread: How to do authorization with basic authentication

  1. #1 (joined Aug 2004, Atlanta, GA, 10 posts)

    How to do authorization with basic authentication

    If I use Acegi-handled BASIC authentication, what type of Acegi authorization should I use?

    Would the authorization be handled by a completely different servlet filter?
    If so, which filter?
    What are my options?

    Should I use a SecurityEnforcementFilter and a FilterSecurityInterceptor so I can reference an "accessDecisionManager" to handle my authorization?

    If I do this, that means I'll use three servlet filters. One for the basic authentication, one for the AutoIntegrationFilter and one for the SecurityEnforcementFilter.
    Am I correct?

    If I'm even close to correct, would the FilterSecurityInterceptor's authenticationManager know it's already been authenticated by the basic authentication's filter?

    Also, can I use the AuthenticationProcessingFilterEntryPoint with basic authentication?

    Thanks!

  2. #2 (joined Aug 2004, Sydney, Australia, 2,768 posts)

    Take a look at http://forum.springframework.org/showthread.php?t=9933 which talks about the two authentication "layers". To perform BASIC authentication you need to:

    - Use BasicProcessingFilter in web.xml and the application context
    - Use SecurityEnforcementFilter in web.xml and the application context
    - Add BasicProcessingFilterEntryPoint to your application context
    - Ensure the basicProcessingFilter.entryPoint and securityEnforcementFilter.entryPoint both point to the basicProcessingFilterEntryPoint

    The "entryPoint" is the link which allows you to plug a different authentication credentials collection strategy in. If you wanted to use form authentication, you'd use the AuthenticationProcessingFilterEntryPoint. If you wanted to use CAS authentication, you'd use the CasProcessingFilterEntryPoint etc.
    Last edited by Rod Johnson; Jan 18th, 2006 at 10:21 AM.

  3. #3 (joined Aug 2004, Atlanta, GA, 10 posts)

    Thanks so much for the help!

    I have a few more questions. Nothing was happening when I first tried this, so I started to debug and found that the...
    Code:
    String header = httpRequest.getHeader("Authorization");
    ...in the BasicProcessingFilter.doFilter() method was null, because there was no "Authorization" header in the request. So I extended BasicProcessingFilter.doFilter(), just to see if I could get something to work for me.

    Code:
    import java.io.IOException;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    // Package prefix assumed: net.sf.acegisecurity in Acegi 0.x, org.acegisecurity in Acegi 1.0
    import net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter;

    // Class name is assumed; the post only showed the overridden method
    public class ChallengingBasicProcessingFilter extends BasicProcessingFilter {
        private static final Log log = LogFactory.getLog(ChallengingBasicProcessingFilter.class);

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            String header = ((HttpServletRequest) request).getHeader("Authorization");
            log.info("Authorization header: " + header);

            if (header == null) {
                // Challenge before delegating: calling commence() only after super.doFilter() would let
                // the rest of the chain serve the resource first and then write to an already committed response.
                // Two-argument commence() as in the original post; Acegi 1.0 adds an AuthenticationException argument.
                log.info("Header was null... calling EntryPoint.commence()");
                super.getAuthenticationEntryPoint().commence(request, response);
                return;
            }

            super.doFilter(request, response, chain); // header present: let the parent parse and authenticate it
        }
    }
    All I did was call commence on the entry point if the "Authorization" header value was null. This seemed to work. So now I'm wondering why the server didn't put the "Authorization" header in there in the first place? I'm sure I'm missing something.

    Also, what is the typical strategy for logging a user off?

    Thanks!

  4. #4 (joined Aug 2004, Sydney, Australia, 2,768 posts)

    The SecurityEnforcementFilter is included because it detects any lower-level Acegi Security exceptions. Specifically, if a security-related exception is detected, and the user is not logged in, the entry point will be commenced. In the case of BASIC authentication, this causes the response to contain a "please authenticate" header, which the browser responds to. If on the other hand a user is actually logged in when a security-related exception is detected, a 403 (forbidden) is returned.

    The preferred way of using Acegi Security is to put your protected content under a /secure/* or some other URI. Then have the filter security interceptor "protect" it, causing the SecurityEnforcementFilter to cause the entry point to commence when required.

    If for some reason you don't want to do this, you'll need to modify code as per your example or take advantage of client features which cause the BASIC authentication header to always be present, even if the server hasn't specifically asked for it. The Spring remoting client proxies are an example of this.

    AFAIK there is no "logout" option for BASIC authentication, as browsers will continue to present the credentials throughout the session. Take a look at http://www.caucho.com/support/resin-...0306/0122.html for some more info on this issue.

  5. #5 (joined May 2006, 1 post)

    Quote Originally Posted by Ben Alex (post #4 above)
    Ben,
    I have faced a more serious problem with BasicAuthenticationFilter (Acegi-1.0RC2). Besides those described in previous posts (the browser does not request credentials), I am facing:
    Code:
    java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession (Request.java:2195) at
    whilst trying to add code like this:
    Code:
    if (header == null) {
        authenticationEntryPoint.commence(request, response, new AuthenticationCredentialsNotFoundException("There is no authorization section in the request's header."));
    }

    but you are using exactly the same call to "commence" in the code below:
    Code:
    if (ignoreFailure) {
        chain.doFilter(request, response);
    } else {
        authenticationEntryPoint.commence(request, response, failed);
    }
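The mechanics behind posts #3, #4 and #5, as an added example that is not part of this thread and not Acegi code: post #4's rule (no valid credentials on protected content: commence the entry point, i.e. send the BASIC challenge; valid credentials but no permission: 403), the reason post #3 saw no "Authorization" header (a browser sends it only after it has seen that challenge, unless the client is pre-emptive the way the Spring remoting proxies are), and the role split between the credential-collecting layer and the enforcing layer. It is plain Java 8 with no Acegi or servlet dependency; the BasicAuthGate class, its in-memory user store, the realm, the /secure/ prefix and the sample users alice and bob are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example for this page, not Acegi code: the two "layers" of BASIC authentication in plain
// Java. parseBasic() plays the BasicProcessingFilter role; decide() plays the SecurityEnforcementFilter
// + FilterSecurityInterceptor role. The class name, the in-memory user store and the sample users are
// assumptions made for this example.
public class BasicAuthGate {
    /** Outcome for one request: HTTP status plus, for a 401, the challenge header to send. */
    public static final class Decision {
        public final int status;
        public final String wwwAuthenticate; // non-null only when status == 401
        public final String user;            // non-null only when the credentials were valid
        Decision(int status, String wwwAuthenticate, String user) {
            this.status = status; this.wwwAuthenticate = wwwAuthenticate; this.user = user;
        }

        public String toString() {
            return status + (wwwAuthenticate != null ? " WWW-Authenticate: " + wwwAuthenticate : "")
                    + (user != null ? " as " + user : "");
        }
    }

    private final String realm;
    private final String protectedPrefix;   // e.g. "/secure/", the layout post #4 recommends
    private final String requiredRole;
    private final Map<String, String> passwords = new HashMap<>();  // constructed sample store
    private final Map<String, Set<String>> roles = new HashMap<>();

    public BasicAuthGate(String realm, String protectedPrefix, String requiredRole) {
        this.realm = realm; this.protectedPrefix = protectedPrefix; this.requiredRole = requiredRole;
    }

    public void addUser(String name, String password, String... userRoles) {
        passwords.put(name, password);
        roles.put(name, new HashSet<>(Arrays.asList(userRoles)));
    }

    /** Client side: the pre-emptive header a remoting proxy sends without waiting for a 401. */
    public static String preemptiveHeader(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    /** Layer 1: {user, password} from an Authorization header, or null if absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');   // split on the first colon only; passwords may contain ':'
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    private boolean passwordMatches(String user, String password) {
        String expected = passwords.get(user);
        return expected != null && MessageDigest.isEqual(   // compares all bytes, no early exit on mismatch
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }

    /** Layer 2: challenge, forbid or allow, following the rules described in post #4. */
    public Decision decide(String path, String authorizationHeader) {
        String[] creds = parseBasic(authorizationHeader);
        boolean authenticated = creds != null && passwordMatches(creds[0], creds[1]);
        String user = authenticated ? creds[0] : null;

        if (!path.startsWith(protectedPrefix)) {
            return new Decision(200, null, user);   // public content: never challenge, credentials optional
        }
        if (!authenticated) {
            // Not logged in (no header, unparsable header or wrong password): "commence" the entry point,
            // i.e. send the challenge. A browser starts sending Authorization only after it has seen this.
            return new Decision(401, "Basic realm=\"" + realm + "\"", null);
        }
        Set<String> granted = roles.get(user);
        if (granted == null || !granted.contains(requiredRole)) {
            return new Decision(403, null, user);   // logged in but lacking the role: forbidden, no challenge
        }
        return new Decision(200, null, user);
    }

    public static void main(String[] args) {
        BasicAuthGate gate = new BasicAuthGate("Example", "/secure/", "ROLE_ADMIN");
        gate.addUser("alice", "s3cret", "ROLE_USER", "ROLE_ADMIN");
        gate.addUser("bob", "hunter2", "ROLE_USER");
        System.out.println(gate.decide("/secure/report", null));
        System.out.println(gate.decide("/secure/report", preemptiveHeader("alice", "s3cret")));
        System.out.println(gate.decide("/secure/report", preemptiveHeader("bob", "hunter2")));
        System.out.println(gate.decide("/secure/report", preemptiveHeader("alice", "wrong")));
        System.out.println(gate.decide("/index.html", null));
    }
}
```

main() runs the five cases the thread turns on: a protected path with no header at all, a pre-emptive header for a user who holds the required role, the same for a user who does not, a wrong password, and an unprotected path without credentials. When this logic lives in a real servlet filter, the decide() step has to run before chain.doFilter(): issuing the challenge only after the chain has returned means the resource was already served and the response may already be committed, at which point anything that still tries to change the status, add the WWW-Authenticate header or create a session can fail with the "response has been committed" IllegalStateException quoted in post #5. Guarding the challenge with response.isCommitted() makes that failure visible in the log instead of a stack trace. The example also does nothing for logout, matching post #4: once a browser has the credentials it keeps sending them for the rest of the browser session.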
