1

I am trying to use basic Spring Security but can't log in with either of the two users I set up. It always comes back with "Error 401--Unauthorized".

I have the three following libraries installed for security:

spring-security-config-3.2.0.RELEASE.jar
spring-security-core-3.2.0.RELEASE.jar
spring-security-web-3.2.0.RELEASE.jar

The SPRING-SECURITY.XML file contains the following.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
    <http-basic />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin"
                authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="test" password="test"
                authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
</beans:beans>

The WEB.XML file contains the following.

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Shaun the Sheep
John Kerry
  • Instead of guessing, set up a logger and log `org.springframework.security` on debug level. It will tell you what went wrong and make it easier to understand the problem. If still in doubt, add the log of the full request to your question. – Bart May 29 '14 at 19:24

4 Answers

3

The issue was in WebLogic and NOT the configuration.

Solution: The only solution I have found to resolve the issue is to add:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

into the config.xml file:

<security-configuration>
...
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
</security-configuration>

This configuration will resolve the issue.

References

Spring Security HTTP Basic Authentication

http://yplakosh.blogspot.com/2009/05/how-to-fix-basic-authentication-issue.html

Community
John Kerry
  • 41
  • 5
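
A check for the setting this answer changes, as an added example that is not part of the original answer: it reads a WebLogic domain config.xml and reports whether the container or the deployed application gets to validate Basic credentials. The function names and both sample documents are constructed for illustration, and a missing element is treated as true, WebLogic's default for this flag.

```python
import xml.etree.ElementTree as ET

SECTION = "security-configuration"
FLAG = "enforce-valid-basic-auth-credentials"

# Constructed sample: a domain config.xml that does not mention the flag.
DEFAULT_DOMAIN = """
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <security-configuration>
    <name>base_domain</name>
  </security-configuration>
</domain>
"""

# Constructed sample: the same domain after the change from the answer.
PATCHED_DOMAIN = DEFAULT_DOMAIN.replace(
    "</security-configuration>",
    "  <%s>false</%s>\n  </security-configuration>" % (FLAG, FLAG),
)


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def basic_auth_owner(config_xml):
    """Say who validates 'Authorization: Basic' headers in this domain.

    'container':   WebLogic checks them against its own security realm
                   before the application's filter chain sees the request.
    'application': the header is left for the deployed application.
    """
    root = ET.fromstring(config_xml)
    for section in root.iter():
        if local(section.tag) != SECTION:
            continue
        for child in section:
            if local(child.tag) == FLAG:
                value = (child.text or "").strip().lower()
                return "application" if value == "false" else "container"
    return "container"  # flag absent: assumed default of true


if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_DOMAIN), ("patched", PATCHED_DOMAIN)):
        print(label, "->", basic_auth_owner(doc))
```

The flag is domain-wide, so once it is false every application in the domain that accepts Basic credentials has to validate them itself.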
2

This is because you secure all the pages, including the login page itself. Probably, you also have a misconfigured dispatcher servlet and all JSP pages are protected by Spring Security.

Slava Semushin
  • 1
    I want to secure all pages. If the user is not authorized it pops up an HTTP basic login form. Just as the following. http://www.mkyong.com/wp-content/uploads/2011/08/spring-security-http-basic.png – John Kerry May 28 '14 at 15:10
1

In general, I think you should remove auto-config="true". This effectively enables http basic+form login, where the login page cannot be loaded because you secure even the login page. This normally should lead to a redirect error.

The 401 Unauthorized error I think might be caused by your browser sending incorrect credentials, which are stored in its cache. Try emptying your username/password cache or using a different browser.

Nils
  • I removed the auto-config="true" and tried clearing the cache + used a different browser. But to no avail. Not sure if it is WebLogic that needs to be configured. – John Kerry May 28 '14 at 19:21
1

There are two options to try:

Option 1:

Remove the space after "," in the access attribute

<http>
    <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
    <http-basic />
</http>

Option 2:

Use a SpEL expression as below

<http use-expressions="true">
    <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
    <http-basic />
</http>
Kalyan
  • Thank you, but still nothing. :( – John Kerry May 29 '14 at 19:30
  • Did you try with 'test' user? Both options not working? – Kalyan May 29 '14 at 19:40
  • 1
    So funny thing, I took out and it works, it loads a basic login form that Spring generates. Seems to be an issue with Spring and WebLogic. I am going to try a fix I found and apply it. http://stackoverflow.com/questions/2691160/spring-security-http-basic-authentication – John Kerry May 29 '14 at 20:15
  • Thank you for your help, you taught me the use-expression="true" – John Kerry May 30 '14 at 18:10