0

Idea: I want to protect every site of a Spring web MVC with a HTTP basic authentication, but want to redirect via error-page in case of a 40* or 500 server error to /welcome (Of course the user has to be authenticated or he will see the basic authentication dialog).

Problem: Every time I try to access the site, the basic authentication dialog pops up as expected. But when I cancel the dialog aka press cancel I land on the protected welcome page [and see all important/secured information] - no basic authentication dialog!

Sample controller:

@Controller
public class WelcomeController
{
    // Welcome is a protected site!
    @RequestMapping(value = {"/", "/welcome"}, method = RequestMethod.GET)
    public ModelAndView welcome()
    {
        return new ModelAndView("welcome");
    }
}

Security configuration:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity security) throws Exception
    {
        // Set the security settings
        security.httpBasic().and().authorizeRequests().anyRequest().authenticated().and().csrf();
    }
}

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
    ... Snipped ...
    <servlet-mapping>
        <servlet-name>testapp</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <error-page>
        <error-code>400</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/welcome</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/welcome</location>
    </error-page>
</web-app>
Improve this question
1
  • Did you find a solution ? Commented Dec 11, 2015 at 16:11

1 Answer 1

Reset to default
1

I also had to implement the same setup for a customer. Additionally we had a web application firewall in front of our application server.

I still don't know how Tomcat ignored the authentication check of Spring. The important part is not to mess around with 401, 402 and 403 HTTP codes (I removed their handlers from the web.xml)

I ended up with a generic error page. It's discussable if you should handle 500 errors yourself. If your system throws a 500 error, you might be unable to handle it because your system just threw the 500 error and you will run into another 500 error during the error processing process --> Use simple model and views, static HTML sites or redirect to an error handler servlet.

Spring security:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity security) throws Exception
    {
        // Set the security settings
        security.httpBasic().and().authorizeRequests().anyRequest().authenticated().and().csrf();
    }
}

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
        <!-- Snipped -->
    <error-page>
        <error-code>404</error-code>
        <location>/error</location>
    </error-page>
</web-app>

404 error action:

@Controller
public class ErrorController
{
    @RequestMapping(value = "/error", method = RequestMethod.GET)
    public ModelAndView addresses()
    {
        return new ModelAndView("error"); // Or redirect to /welcome
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.