Spring security without form login

Question

I have implemented Spring Security Expression in my application Spring controller:

@Controller
@RequestMapping("init")
public class InitController {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public @ResponseBody String home(){
        return "This is the init page";
    }
}

With this security configuration:

<http auto-config="true" create-session="stateless" use-expressions="true">
    <intercept-url pattern="/_ah*" access="permitAll" />
    <intercept-url pattern="/init/*" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/init*" access="hasRole('ROLE_ADMIN')"/>
</http>

When this resource is accessed the the default Spring login form is displayed (http://localhost:8888/spring_security_login) however I don't want this to happen and that I just want to have the credentials to be inserted in the request header like "x-authorization-key" or whatever that fits the scenario.

What is the possible solution for this?

• Is it a good to just have the x-authorization-key to be in the request
• If so, how does it fit with the Spring security mechanism, that is how that it fit with the "hasRole" expression
• It is important the the my web service is stateless, and each request gets authenticated
• Finally, how to do deal with Spring security without having to deal with the Spring login form

header

Answer 1

You should probably read the description on what auto-config does, then remove it to disable form-login. Your configuration will be clearer if you specifically configure what you want to use.

It's not clear from your question what you want to be included in the x-authorization-key header. If you are just authenticating with a client Id and shared secret then you might as well use basic authentication since it is already supported out of the box and you can just add <http-basic /> to your configuration. If you have something more customized in mind, then you will probably have to implement a custom filter and add it to the Spring Security filter chain to extract the credentials and process them.

How your authentication mechanism fits is also dependent on what it actually consists of. Normally your users will have assigned roles which are loaded when they authenticate, usually from a database of some kind. The hasRole expression simply checks whether the current user has the specified role. Often you will only need to create a UserDetailsService which loads your user information in a standard format which is easily plugged into the framework. This is covered at length elsewhere. If you really need something more customized this blog article on GAE integration includes details of how you might go about integrating with a more complicated system.

Spring Security will not create or use a session if you use create-session='stateless'.

P.S. You don't really need to include the same security attributes both at the URL level and on your controller which handles the same URL.