
Spring Security HTTP Basic Authentication

I am trying to do a really simple basic authentication with Spring Security. I have configured the namespace properly and there are no exceptions in the server. In my "servlet.xml" I have got the following for Spring Security:

<security:http>
    <security:http-basic></security:http-basic>
    <security:intercept-url method="POST" pattern="/**" access="ROLE_USER" />
</security:http>


<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
        <security:user-service>
            <security:user name="cucu" password="tas" authorities="ROLE_USER" />
            <security:user name="bob" password="bobspassword" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

It nearly all works perfectly: the methods that are not POST don't prompt any login form, and the POST method prompts it. The problem is that neither cucu nor bob can log in there. Can anyone see what I am doing wrong?

Thanks in advance! ;-)

raspayu asked Apr 22 '10 13:04



2 Answers

Auto-answer

T_T Two days of hitting my head against the code for this...

It looks like it is not a problem with the code. I was using WebLogic with it, and WebLogic captures the requests with the "authorization" header, so it doesn't get to my authentication-manager. I tried it with GlassFish, and it works perfectly.

Searching for some info, I found a useful entry in the following blog: http://yplakosh.blogspot.com/2009/05/how-to-fix-basic-authentication-issue.html

Adding the following line to the config.xml of my WebLogic server (<security-configuration> section):

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

WebLogic will not catch the basic authentication credentials again, so it will be your authentication-manager that handles them.

I hope it can save someone some time :-)

raspayu answered Oct 19 '22 08:10
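
One way to confirm where a Basic-auth request is being rejected, as an added example that is not part of the original answer: a small servlet filter, mapped in web.xml ahead of the Spring Security filter chain, that logs whether the request and its Authorization header reached the application at all. The class name `BasicAuthProbeFilter` is hypothetical, and the code assumes Java 8+ and Servlet 3.0+ (`javax.servlet`).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic filter (added example, not from the original post).
// Map it in web.xml before the Spring Security filter chain.
public class BasicAuthProbeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(BasicAuthProbeFilter.class.getName());

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        LOG.info(http.getMethod() + " " + http.getRequestURI()
                + " reached the application; Authorization: "
                + describe(http.getHeader("Authorization")));
        chain.doFilter(req, res);
        LOG.info("application answered with status " + ((HttpServletResponse) res).getStatus());
    }

    // Summarises the header without ever logging the password.
    static String describe(String header) {
        if (header == null) return "absent";
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return "present, not Basic";
        try {
            String decoded = new String(
                    Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon < 0) return "Basic, malformed (no colon)";
            // Strip control characters so a crafted user name cannot forge log lines.
            return "Basic, user=" + decoded.substring(0, colon).replaceAll("\\p{Cntrl}", "_");
        } catch (IllegalArgumentException e) {
            return "Basic, malformed (bad base64)";
        }
    }
}
```

If a POST with credentials comes back 401 and neither log line appears, the request was rejected before the application's filters ran, which matches the container behaviour described in the answer above.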


try:

<http auto-config="true">
   <security:intercept-url method="POST" pattern="/**" access="ROLE_USER" />
   <http-basic />
</http>
Gandalf answered Oct 19 '22 07:10