17

I am trying to create a restful web service that will be used by other web services. Ideally, when a client access the service, and isn't authenticated, they should get a 401. I want a user to be able to authenticate by adding an authentication header to the request. I don't want the user to fill out a login form, and post that. I also don't want it to store any login credentials in a cookie (ie keeping state) it should all be in the auth header send with each request. I have used spring roo to create the web service.

What I have currently, (taken from one of the spring security 3.1 tutorials), when the user gets a 401, they are promted with a login page, and then post the page, getting a cookie that they send with each request.

Here is my spring security xml.

 <http use-expressions="true">
   <intercept-url pattern="/customers/**" access="isAuthenticated()" />
 <intercept-url pattern="/**" access="denyAll" />
<form-login />
 </http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="alice" password="other" authorities="user" />
            <user name="custome1" password="other" authorities="user" />
        </user-service>
    </authentication-provider>
</authentication-manager>

When I send a request from curl, i get the following:

 $ curl -i -H "Accept: application/json" -H "Authorization: Basic Y3VzdG9tZXIxOm90aGVy" http://localhost:8080/Secured/customers

 HTTP/1.1 302 Found
 Server: Apache-Coyote/1.1
 Set-Cookie: JSESSIONID=B4F983464F68199FA0160DBE6279F440; Path=/Secured/; HttpOnly
 Location:      http://localhost:8080/Secured/spring_security_login;jsessionid=B4F983464F68199FA0160DBE6279F440
 Content-Length: 0
 Date: Thu, 25 Apr 2013 17:18:48 GMT

where my basic header token is base64(customer1:other)

How can I get the web service to accept the auth header, and not redirect me to a login page?

When I remove the from security.xml, I get the following:

excpetion:org.springframework.beans.factory.parsing.BeanDefinitionParsingException:
    Configuration problem: No AuthenticationEntryPoint could be established.
    Please make sure you have a login mechanism configured through the namespace
    (such as form-login) or specify a custom AuthenticationEntryPoint with the
    'entry-point-ref' attribute
Improve this question

3 Answers 3

Reset to default
9

I needed to remove <form-login> and add <http-basic>. Also added create-session-"stateless" to my config.

 <http use-expressions="true" create-session="stateless" >
     <intercept-url pattern="/customers/**" access="isAuthenticated()" />
     <intercept-url pattern="/**" access="denyAll" />
     <http-basic/>
 </http>
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

8

Here is an example non-xml configuration for Rest authentication or with form or with basic whatever needed:

.and().httpBasic();

does the magic! ))

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/someurl").hasRole("ADMIN")
            .antMatchers("/anotherurl").hasRole("USER")
            .antMatchers("/", "main").permitAll().anyRequest().authenticated()
            .and()
            .httpBasic();

        http.formLogin()
            .loginPage("/login").permitAll()
            .and()
            .logout().permitAll();
    }
...
}
Improve this answer

1 Comment

The ask was for a non formLogin implementation. There should be a way to send just email and password as JSON and authenticate as formLogin does.
0

follow this test demo of jax-rs with spring security http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/

this is simple approach for authentication without promoting credentials.

you may go with implementing RequestHandler and overriding 

public Response handleRequest(Message message, ClassResourceInfo resourceClass);

follow : http://cxf.apache.org/docs/secure-jax-rs-services.html for complete set of approach.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.