Reputation: 7789
Custom AuthenticationProvider is not called
I want to have a basic auth-protected REST app. I followed the general instructions from http://www.baeldung.com/spring-security-authentication-provider in order to get the security working.
I ended up creating my implementation of AuthenticationProvider, but it never gets called by Spring. All requests end up with an error:
{"timestamp":1460199213227,"status":401,"error":"Unauthorized","message":"Full authentication is required to access this resource","path":"/test"}
without the AuthenticationProvider ever doing anything.
The app is annotation-based and here are the relevant bits:
Security setup
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
CustomAuthenticationProvider authenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authenticationProvider(authenticationProvider)
.authorizeRequests()
.anyRequest().authenticated().and().httpBasic();
}
}
AuthenticationProvider
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Autowired
private UserDAO userDAO;
@Autowired
private Authenticator authenticator;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
// This never gets called, I checked with debugger
String username = authentication.getName();
String password = authentication.getCredentials().toString();
User user = userDAO.findByUsername(username);
User authenticatedUser = authenticator.authenticate(user, password);
if (authenticatedUser == null){
throw new RESTAuthenticationException("Auth failed");
}
List<GrantedAuthority> authorityList = new ArrayList<>();
return new UsernamePasswordAuthenticationToken(user, authorityList);
}
@Override
public boolean supports(Class<?> aClass) {
return aClass.equals(UsernamePasswordAuthenticationToken.class);
}
}
Controller
@RestController
public class UserController {
@RequestMapping(value = "/test")
public ResponseEntity test(@AuthenticationPrincipal User user) {
return ResponseEntity.ok().body(user);
}
}
Upvotes: 6
Views: 3894
Answers (1)
Reputation: 28706
You receive a response with status code 401. This is the "unauthorized" http status code. It is probably caused by a missing/malformed Authorization header in your request.
You are using Http-Basic: it requires the following header in the request :
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
where the string QWxhZGRpbjpPcGVuU2VzYW1l is the string <user>:<password> base64 encoded.
Upvotes: 4
Related Questions
- No AuthenticationProvider found with Adding new AuthenticationProvider
- Implement custom AuthenticationProvider in Spring Security 2.06
- Custom authentication provider not working
- Customize Spring Security for trusted space
- Security configuration with Spring-boot
- Spring boot security consider case insensitive username check for login
- java spring security, if login user is disabled, how to know password is wrong or not
- Spring Security WebSecurityConfigurerAdapter: AuthenticationManagerBuilder - override configure method or autowire globalUserDetails?
- Authentication of users by authenticationProvider from spring security through ReST API Call
- How to pass custom creds to spring boot ldap