0

I am trying to use BASIC authentication using Spring security.

It works fine on Tomcat. (Prompts once, as expected.) But when I deployed on WebLogic 12c, it prompts the user/password dialog twice. The second dialog expects the WebLogic admin console user name and password. Only if I enter these two credentials is it able to log in.

Any suggestions, please?

web.xml

            <!DOCTYPE web-app PUBLIC
             "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
             "http://java.sun.com/dtd/web-app_2_3.dtd" >

            <web-app>
                <display-name>Archetype Created Web Application</display-name>

                <context-param>
                    <param-name>contextConfigLocation</param-name>
                    <param-value>/WEB-INF/spring-security.xml</param-value>
                </context-param>

                <filter>
                    <filter-name>springSecurityFilterChain</filter-name>
                    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
                </filter>

                <filter-mapping>
                    <filter-name>springSecurityFilterChain</filter-name>
                    <url-pattern>/*</url-pattern>
                </filter-mapping>

                <listener>
                    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
                </listener>

                <servlet>
                    <servlet-name>spring</servlet-name>
                    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
                </servlet>

                <servlet-mapping>
                    <servlet-name>spring</servlet-name>
                    <url-pattern>/</url-pattern>
                </servlet-mapping>
            </web-app>

spring-servlet.xml

            <beans xmlns="http://www.springframework.org/schema/beans"
                xmlns:context="http://www.springframework.org/schema/context"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">

                <context:component-scan base-package="com.jai.spring.security.controller" />
                <import resource="spring-security.xml" />

                <bean id="viewResolver"
                    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
                    <property name="prefix" value="/" />
                    <property name="suffix" value=".jsp" />
                </bean>

            </beans>                

spring-security.xml

            <beans:beans xmlns="http://www.springframework.org/schema/security"
                xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">

                <authentication-manager>
                    <authentication-provider>
                        <user-service>
                            <user name="jay" password="jay" authorities="ROLE_USER" />
                        </user-service>
                    </authentication-provider>
                </authentication-manager>

                <http create-session="stateless">
                    <intercept-url pattern="/**" access="ROLE_USER" />
                    <http-basic />
                </http>
            </beans:beans>
Jay
  • Which url are you invoking when it asks you for authentication? – Andres Jan 06 '14 at 17:28
  • Where did you deploy the application? Admin server or another server? – venergiac Jan 06 '14 at 17:28
  • @Andres I tried http://localhost:7001/securitybasic/hello and also http://localhost:7001/securitybasic; both behave the same way on WebLogic. But both behave correctly on Tomcat. – Jay Jan 06 '14 at 17:34
  • @venergiac I just have only Admin server and no other managed server. I deployed on Admin server. – Jay Jan 06 '14 at 17:35
  • Bad idea... in production mode the Admin server is reserved for admin... now create a dedicated server and try again – venergiac Jan 06 '14 at 17:37
  • In that case, wouldn't it be easier to start WebLogic in development mode? – Andres Jan 06 '14 at 17:51
  • Or in the case you have to use production mode, use the adapter? – Andres Jan 06 '14 at 17:52
  • Seems the request is intercepted by Spring and WebLogic independently. The solution provided in this question http://stackoverflow.com/questions/2691160/spring-security-http-basic-authentication will work for you. – Mani Jan 06 '14 at 18:21
  • @venergiac Now I have setup a separate managed server and deployed on it. Still this issue remains. – Jay Jan 07 '14 at 11:54
  • @Andres My WebLogic runs in Development mode. – Jay Jan 07 '14 at 11:56
  • @Mani Thanks Mani, it works now when I followed that link. – Jay Jan 07 '14 at 12:09
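
The double prompt discussed above comes from WebLogic evaluating the `Authorization: Basic` header itself before Spring Security's filter sees it; the domain-level `enforce-valid-basic-auth-credentials` element in the domain's `config.xml` controls that behaviour and defaults to true when absent. The following check is an added example, not code from the original post: it reads a domain `config.xml` and reports whether the container will still intercept Basic credentials. The two sample documents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"

# Constructed sample: flag absent, so WebLogic applies its default (true)
# and validates Basic credentials against its own security realm.
SAMPLE_DEFAULT = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
  </security-configuration>
</domain>"""

# Constructed sample: flag explicitly disabled, so the header is passed
# through to the application (here, Spring Security's <http-basic/>).
SAMPLE_DISABLED = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
</domain>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def container_checks_basic_auth(config_xml):
    """Return True if WebLogic itself will validate Basic credentials."""
    root = ET.fromstring(config_xml)
    for element in root.iter():
        if local_name(element.tag) != "security-configuration":
            continue
        for child in element:
            if local_name(child.tag) == FLAG:
                return (child.text or "").strip().lower() != "false"
    # Element missing: the documented default is true.
    return True


if __name__ == "__main__":
    for label, doc in (("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED)):
        state = "intercepts" if container_checks_basic_auth(doc) else "passes through"
        print(f"{label}: WebLogic {state} Basic credentials")
```

The setting applies to the whole domain, so disabling it changes how every deployed application on that domain receives Basic credentials, not just this one.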

2 Answers

2

Seems like you have to use an adapter:

As described in the Spring Security Reference, Container Adapters enable Spring Security to integrate directly with the containers used to host end user applications, in this case WebLogic Server.

The integration between a container and Spring Security is achieved through an adapter. The adapter provides a container-compatible user authentication provider, and needs to return a container-compatible user object.

applicationContext-acegi-security.xml is the configuration file for Spring security. For WebLogic Server, WeblogicAuthenticationFilter is added to the list of filters in applicationContext-acegi-security.xml. This filter is responsible for converting the Weblogic principals to Spring GrantedAuthority subjects, based on the mapper. The mapper is configured as a property for the WeblogicAuthenticationFilter, and it is injected at creation time.

http://docs.oracle.com/cd/E24329_01/web.1211/e24975/security.htm

Andres
0

Add the next code after section in the web.xml file:

            <login-config>
                <auth-method>CLIENT-CERT</auth-method>
            </login-config>

Mike