I am trying to implement Basic Authentication for my REST-Service with spring-security with the following requirements:
What confuses me is the fact that the BasicAuthenticationFilter doesn't do anything without an "Authorization" header, so effectively allowing access for all requests without that header. I expected such requests to throw an Exception and then redirect to an/the authenticationEntryPoint.
My code is as follows:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <security:filter-chain pattern="/rest/**" filters="basicAuthenticationFilter,exceptionTranslationFilter" />
        </list>
    </constructor-arg>
</bean>

<bean id="basicAuthenticationFilter" class="authentication.MyBasicAuthenticationFilter">
    <property name="authenticationManager" ref="myAuthenticationManager" />
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>
My assumption is that I might need a FilterSecurityInterceptor and, following that one, also an AccessDecisionManager. I would not like to use those as it seems to me they care about Authorization (in contrast to Authentication) and I don't have any roles at this point of my application.
I just want to check for a correct username/password combination and react accordingly (401 or 403).
I guess I am missing something very basic, so any hints or help would be very much appreciated.
Upvotes: 1
If there is no authorization (from Spring Security's perspective) then any requests are allowed and thus there is no need for authentication. So yes, you need a FilterSecurityInterceptor, even if it only makes a decision based on whether the user is authenticated or not.
You also need a SecurityContextPersistenceFilter at the start of the filter chain since, even if your application is stateless, the security context needs to be cleared at the end of each request.
You might find this article useful as it discusses plain bean configuration in more detail.
Upvotes: 2
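Putting the answer's advice together, here is an added example (not code from the question or the answer) of a complete deny-by-default chain for /rest/**: a SecurityContextPersistenceFilter first, then the Basic filter, the ExceptionTranslationFilter, and finally a FilterSecurityInterceptor whose only rule is IS_AUTHENTICATED_FULLY. It assumes Spring Security 3.1 constructor signatures and that the myAuthenticationManager bean is defined elsewhere.

```xml
<!-- Added example, not from the question or answer. Assumes Spring Security 3.1
     constructor signatures and an existing myAuthenticationManager bean. -->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
  <constructor-arg>
    <list>
      <!-- Order matters: set up/clear context, authenticate, translate exceptions, enforce access -->
      <security:filter-chain pattern="/rest/**"
        filters="securityContextPersistenceFilter,basicAuthenticationFilter,exceptionTranslationFilter,filterSecurityInterceptor" />
    </list>
  </constructor-arg>
</bean>

<!-- No HTTP session is used, but the filter still clears the SecurityContextHolder after each request -->
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
  <constructor-arg>
    <bean class="org.springframework.security.web.context.NullSecurityContextRepository" />
  </constructor-arg>
</bean>

<bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
  <property name="authenticationManager" ref="myAuthenticationManager" />
  <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
  <property name="realmName" value="myRealm" />
</bean>

<!-- Converts the AccessDeniedException raised for an anonymous caller into 401 + WWW-Authenticate;
     NullRequestCache keeps the API stateless (no saved request in a session) -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <constructor-arg ref="authenticationEntryPoint" />
  <constructor-arg><bean class="org.springframework.security.web.savedrequest.NullRequestCache" /></constructor-arg>
</bean>

<!-- Deny by default: a request without valid credentials never reaches the service -->
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="myAuthenticationManager" />
  <property name="accessDecisionManager">
    <bean class="org.springframework.security.access.vote.AffirmativeBased">
      <constructor-arg>
        <list><bean class="org.springframework.security.access.vote.AuthenticatedVoter" /></list>
      </constructor-arg>
    </bean>
  </property>
  <property name="securityMetadataSource">
    <security:filter-security-metadata-source>
      <security:intercept-url pattern="/rest/**" access="IS_AUTHENTICATED_FULLY" />
    </security:filter-security-metadata-source>
  </property>
</bean>
```

With this chain a request lacking the Authorization header is rejected by the interceptor as anonymous and answered with 401 plus a WWW-Authenticate challenge, while a header with wrong credentials fails inside the Basic filter and is handed to the same entry point.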