6

I was not able to find the answer on SO (e.g. here: Spring Security: Commence method in class extending BasicAuthenticationEntryPoint no being called).

I just want to override BasicAuthenticationEntryPoint without overriding other filters and other stuff:

<bean id="authenticationEntryPoint" name="authenticationEntryPoint"
      class="com.myclass.BasicAuthenticationEntryPoint">
    <property name="realmName" value="myapp" />
</bean>

Unfortunately, it does not work and I need to configure a filter.

<security:http auto-config="true" ..
    <security:custom-filter ref="basicAuthenticationFilter"
                            before="BASIC_AUTH_FILTER" />

</security:http>

<bean id="basicAuthenticationFilter"
      class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <constructor-arg name="authenticationManager" ref="authenticationManager" />
    <constructor-arg name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

Then I have this warning.

WARN 2015-10-29 09:44:05,330 [localhost-startStop-1::DefaultFilterChainValidator] [user:system] Possible error: Filters at position 2 and 3 are both instances of org.springframework.security.web.authentication.www.BasicAuthenticationFilter

Therefore I need to disable auto-config but I do not want to do it:

<security:http auto-config="false" ...

What is the simplest way to override BasicAuthenticationEntryPoint in SpringSecurity 4?

Community
Michael

2 Answers

6

This works for me with Spring Security 3 (I think it should work for Spring 4), without configuring any filter:

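import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
        // Reply with a bare 401 status; super.commence() is not called
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }
}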

Update:

CustomBasicAuthenticationEntryPoint is a Spring Bean. You have to tell Spring about it. Like in your post (I've just changed its name in my answer):

<bean id="authenticationEntryPoint" name="authenticationEntryPoint"
      class="com.myclass.CustomBasicAuthenticationEntryPoint">
    <property name="realmName" value="myapp" />
</bean>

You also need to tell Spring Security to use this bean as the entry point instead of the default one:

<security:http entry-point-ref="authenticationEntryPoint" ...

The default configuration redirects the client to a login page when not authenticated. When you override this default behaviour, you only send a 401 status code (unauthenticated) and you don't redirect the client.

Bilal BBB
  • Do you use any annotations? How can it work without a configuration? – Michael Nov 01 '15 at 11:13
  • Thank you for your help! I was able to configure authenticationEntryPoint at the http element: `` Please note that it configures the authenticationEntryPoint of ExceptionTranslationFilter. To complete the solution I configured authenticationEntryPoint at the http-basic element (configuration of BasicAuthenticationFilter) `` – Michael Nov 01 '15 at 12:29
  • You're welcome. I didn't configure any filter and it works for me. Glad it works. – Bilal BBB Nov 01 '15 at 12:51
  • It will not work if you provide wrong credentials. – Michael Nov 01 '15 at 14:46
  • You need to override the SimpleUrlAuthenticationFailureHandler to handle authentication failure. – Bilal BBB Nov 01 '15 at 14:52
  • authentication-failure-handler-ref is configuration of authentication: https://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/html/appendix-namespace.html To configure BasicAuthenticationFilter you need to configure Please note that I know SpringSecurity pretty well just you point me to configuration that I missed (documentation of http-basic is missed). I have added the full answer below. – Michael Nov 02 '15 at 08:05
3

Full solution:

1) configure authenticationEntryPoint at http element:

<http entry-point-ref="authenticationEntryPoint" ...>
</http>

It configures authenticationEntryPoint of ExceptionTranslationFilter.

2) configure authenticationEntryPoint at http-basic element

<http-basic entry-point-ref="authenticationEntryPoint"/>

It configures authenticationEntryPoint of BasicAuthenticationFilter

Michael
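
Both steps of the full solution combined into one security context, as an added example that is not from either poster. The entry point class is the one from the first answer; the URL rule and the in-memory user are constructed placeholders so the fragment loads on its own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Custom entry point from the first answer; realmName as in the question -->
    <bean id="authenticationEntryPoint"
          class="com.myclass.CustomBasicAuthenticationEntryPoint">
        <property name="realmName" value="myapp" />
    </bean>

    <!-- auto-config stays on and there is no custom-filter element, so the
         namespace registers a single BasicAuthenticationFilter and the
         DefaultFilterChainValidator warning from the question does not occur.
         Step 1: entry-point-ref here sets the entry point of
         ExceptionTranslationFilter (request sent without credentials). -->
    <security:http auto-config="true" entry-point-ref="authenticationEntryPoint">

        <!-- Constructed rule: every URL requires an authenticated user -->
        <security:intercept-url pattern="/**" access="isAuthenticated()" />

        <!-- Step 2: entry-point-ref here sets the entry point of
             BasicAuthenticationFilter (Authorization header present
             but the credentials are rejected). -->
        <security:http-basic entry-point-ref="authenticationEntryPoint" />
    </security:http>

    <!-- Constructed in-memory user, only so the context starts stand-alone;
         substitute the application's own authentication provider. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="sample-user" password="sample-password"
                               authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

With only step 1 in place, a request carrying wrong credentials still reaches the default entry point inside BasicAuthenticationFilter, which is the behaviour reported in the comments on the first answer.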