0

I am using Spring Security 3 with REST endpoints. I managed to get a basic Spring Security working.

Part of the security-context.xml

<security:http auto-config="true" use-expressions="true" access-denied-page="/rest/denied" >
<security:intercept-url pattern="/rest/*" access="ROLE_USER"/>

and basic config as found on the web

<security:authentication-manager> 
      <security:authentication-provider user-service-ref="userDetailsService">
           <security:password-encoder ref="passwordEncoder"/>
     </security:authentication-provider>


<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"   id="passwordEncoder"/>

<!-- An in-memory list of users. No need to access an external database layer.
See Spring Security 3.1 Reference 5.2.1 In-Memory Authentication -->
  <!-- john's password is admin, while jane;s password is user  -->
  <security:user-service id="userDetailsService">
     <security:user name="john" password="21232f297a57a5a743894a0e4a801fc3"     authorities="ROLE_USER, ROLE_ADMIN" />
  <security:user name="jane" password="ee11cbb19052e40b07aac0ca060c23ee" authorities="ROLE_USER" />
</security:user-service>

I want to login to j_spring_security_check using a RestTemplate POST.

HttpEntity<String> entity = new HttpEntity<String>(request, headers);
            HashMap<String, String> map = new HashMap<String, String>();
            map.put("j_username", "john");
            map.put("j_password","21232f297a57a5a743894a0e4a801fc3");

            String response = restTemplate.postForObject("http://localhost:8080/rest/j_spring_security_check",  map, String.class);

but in the log, it seems the username parameter is not being read

DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
DEBUG o.s.s.a.d.DaoAuthenticationProvider - User '' not found
DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

What is the correct way to get the REST Template to post auth credentials? Is there a better way to login in/ get authorized other than j_spring_security_check? Does the information go in the header?

Thanks in advance.

devl
  • 429
  • 6
  • 15

1 Answers1

1

This seems like a duplicate of another SO question. You are probably approaching this the wrong way, though. Typically if you are issuing a REST request you wouldn't be authenticating at the same time - this doesn't make any sense - certainly not using form POST style logic.

For authentication of REST requests you should be using another form of authentication (assuming these requests are generated programmatically): * HTTP Basic auth * X.509 certificates

OR if this is happening through an XHR / Javascript origin, you should be prepared to have the request fail and redirect the user to the login mechanism. Typically handling REST style requests with Spring Security is not at all the same as handling regular secured pages. You should be prepared for some amount of complexity.

Good luck!

Community
  • 1
  • 1
Peter Mularien
  • 2,578
  • 1
  • 25
  • 34
  • Thanks for the response, I did have a look at the other post, maybe I can try and take their approach. I'll take a look at X.509 which may work well. – devl Sep 28 '11 at 08:24