
How can I configure a custom AuthenticationFailureHandler in Spring Security using Java-based configuration? I already have a SecurityConfig class which extends WebSecurityConfigurerAdapter and configures HTTP Basic Authentication using httpBasic(), but I can't figure out how to set the AuthenticationFailureHandler.

My real goal is to redirect to an external URL (login page) instead of returning a 401 response for some requests only (GET requests to certain URLs), so if there's another or better way to do that I'd like to know!

2 Answers

You have to pass it to the failureHandler method. The chain can look like this:

http.formLogin().failureHandler(failureHandler); // failureHandler: your AuthenticationFailureHandler instance

It seems that a class provided by Spring can help you with a simple redirect:

http://docs.spring.io/autorepo/docs/spring-security/4.0.0.M2/apidocs/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.html

Hope it helps.


2 Comments

Thanks freakman, and your answer is correct for formLogin() so I'm giving you an up-vote. Unfortunately, I didn't mention that I'm actually using HTTP Basic Authentication using httpBasic(). Really sorry for not mentioning that before. I will update my question.
I haven't tried that before, but take a look at http.httpBasic().authenticationEntryPoint(authEntryPoint). An example AuthenticationEntryPoint is the BasicAuthenticationEntryPoint class; its commence method returns an unauthorized HTTP response. You can try to provide your own class and use the sendRedirect method from HttpServletResponse.

I used freakman's suggestion of creating a custom BasicAuthenticationEntryPoint class. Here is my code in case anyone else needs to do something similar:

// See https://github.com/spring-projects/spring-security/blob/3.2.x/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

// Note: BasicAuthenticationEntryPoint.afterPropertiesSet() requires a realm name,
// so call setRealmName(...) on this bean when you declare it.
public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
    private static final Logger logger = LoggerFactory.getLogger(CustomBasicAuthenticationEntryPoint.class);

    // Redirect target is taken from configuration, not from the request, so callers cannot influence it.
    @Value("${crm.integration.sso.login.form.url}")
    private String loginFormUrl;

    /**
     * This method is called when authentication fails (no or invalid Basic credentials).
     * GET requests under /manage are redirected to the external login page;
     * everything else keeps the default 401 response with the Basic challenge.
     */
    @Override
    public void commence(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {
        // Path relative to the servlet context, e.g. "/manage/users"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        logger.info(String.format("CustomBasicAuthenticationEntryPoint.commence() - %s", path));
        if ("GET".equals(request.getMethod().toUpperCase())
                && path.startsWith("/manage")
        ) {
            response.sendRedirect(loginFormUrl);
        } else {
            super.commence(request, response, authException);
        }
    }

}
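For completeness, here is how the custom entry point can be wired into the Java-based SecurityConfig the question describes. This is an added example, not code from the question or either answer; it assumes the CustomBasicAuthenticationEntryPoint class above is on the classpath and uses a hypothetical realm name.

```java
// Added example: wiring CustomBasicAuthenticationEntryPoint into httpBasic().
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Declared as a bean so that the @Value("${crm.integration.sso.login.form.url}")
    // field inside the entry point is actually injected.
    @Bean
    public AuthenticationEntryPoint basicAuthenticationEntryPoint() {
        CustomBasicAuthenticationEntryPoint entryPoint = new CustomBasicAuthenticationEntryPoint();
        // BasicAuthenticationEntryPoint.afterPropertiesSet() rejects an empty realm name,
        // so it must be set before the container initialises the bean.
        entryPoint.setRealmName("crm"); // hypothetical realm name
        return entryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                // Unauthenticated requests are handed to the custom entry point:
                // GET /manage/** is redirected to the external login page, every other
                // request still gets a 401 with the WWW-Authenticate: Basic challenge.
                .authenticationEntryPoint(basicAuthenticationEntryPoint());
    }
}
```

Because the redirect target comes from a configuration property and not from anything in the request, the entry point does not become an open redirect; keep it that way if you later make the target configurable per path.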
