Spring security 3 http-basic authentication-success-handler

Question

H i'm using spring security

for form-login i have

<http auto-config="true">
        <intercept-url pattern="/pages/**" access="ROLE_USER" />
        <form-login authentication-success-handler-ref="authenticationSuccessHandler" login-page="/login.html" default-target-url="/pages/index.html"
            always-use-default-target="true" authentication-failure-url="/login.html" />
        <logout logout-success-url="/login.html" invalidate-session="true" />
        <anonymous enabled='false'/>
</http>

here i can set an authentication-success-handler-ref, how can i add one to my basic authentication:

<http pattern="/REST/**" realm="REALM" entry-point-ref="authenticationEntryPoint">
    <intercept-url pattern="/**" access="ROLE_USER" />
    <http-basic  />
    <logout logout-url="/REST/logout" success-handler-ref="restLogoutSuccessHandler" />
</http>

i thought abour overriding BasicAuthenticationFilter, but how can i inject my cutom class for <http-basic />

holmis83 · Accepted Answer · 2017-07-25T08:08:33.337

You cannot set an authentication success handler for BASIC authentication. You can, however, extend BasicAuthenticationFilter and override onSuccessfulAuthentication method:

@Component("customBasicAuthFilter")
public class CustomBasicAuthFilter extends BasicAuthenticationFilter {

    @Autowired
    public CustomBasicAuthFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) {
        // Do what you want here
    }
}

Inject it in your security configuration with something like:

<http entry-point-ref="basicEntryPoint">
  <custom-filter ref="customBasicAuthFilter" position="BASIC_AUTH_FILTER"/>
</http>
<authentication-manager alias="authenticationManager">
  ...
</authentication-manager>

Update: Or with Java config instead of XML:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .addFilterAt(customBasicAuthFilter, BasicAuthenticationFilter.class)
      .exceptionHandling().authenticationEntryPoint(basicEntryPoint);
}

Would it be possible to provide Java configuration for this XML? — , Jul 24 '17 at 17:06
When you do that you might want to disable httpBasic with `httpBasic().disable()`, or you will endup with two basic authentication filters. — lanoxx, Feb 19 '19 at 09:18
I ran in a problem with this solution. Path forwarding or redirecting is not possible from within the filter chain. — FishingIsLife, May 22 '19 at 12:18
How does that work? I get `No qualifying bean of type 'org.springframework.security.authentication.AuthenticationManager' available` — Yaniv K., Jan 15 '22 at 17:25

score 3 · Answer 2 · edited Jun 20 '14 at 07:44

3

As a workaround you can use http-basic in conjuction with form-login:

<http auto-config="true">
    ...
    <http-basic  />
    <form-login authentication-success-handler-ref="authenticationSuccessHandler" ... />
    ...
</http>

BasicAuthenticationFilter will work.

EDIT. If you want set up your overriden version of BasicAuthenticationFilter I think you need to:

Add it to filter chain at BASIC_AUTH_FILTER position as explained here
Set up corresponding BasicAuthenticationEntryPoint entry point via entry-point-ref attribute of http tag.

edited Jun 20 '14 at 07:44

Dani

3,744
4
27
35

answered May 24 '13 at 12:35

Maksym Demidas

7,707
1
29
36

hi with this i always get the loginform, and no authentication challange – wutzebaer May 24 '13 at 13:47
exactly, but basic auth must be used after form submit – Maksym Demidas May 24 '13 at 13:51
but i need the basic auth-challange on my /REST urls – wutzebaer May 24 '13 at 13:56
In this case try override BasicAuthenticationFilter. See my updated answer. – Maksym Demidas May 24 '13 at 14:32

score 2 · Answer 3 · answered Feb 20 '19 at 10:33

Instead of using an AuthenticationSuccessHandler you can rely on Spring Security's event mechanism and listen to AuthenticationSuccessEvent by using the ApplicationListener interface:

@Component
public class AuthenticationEventListener implements
    ApplicationListener<AuthenticationSuccessEvent>
{

    @Override
    public void onApplicationEvent (AuthenticationSuccessEvent event) {
       // do what you want here
       // example: persist event to the database
    }
}

See also this answer here: https://stackoverflow.com/a/11384001/474034

Spring security 3 http-basic authentication-success-handler

3 Answers3

Linked