Spring Security HTTP Basic Authentication

Question

I am trying to do a really simple basic authentication with Spring Security. I have configured the namespace properly and there are no Exceptions in the server. In my "servlet.xml" I have got the next for Spring Security:

<security:http>
    <security:http-basic></security:http-basic>
    <security:intercept-url method="POST" pattern="/**" access="ROLE_USER" />
</security:http>


<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
        <security:user-service>
            <security:user name="cucu" password="tas" authorities="ROLE_USER" />
            <security:user name="bob" password="bobspassword" authorities="ROLE_USER" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

It nearly all goes perfect: The methods that are not POST doesn't prompt any login form, and the POST method prompt it. The problem is, that nor cucu, neither bob can login there. Can anyone see what am I doing wrong?

Thanks in advance! ;-)

Sorry, I think I should be more descriptive. The problem is that I get an 401 unauthorized even when I use for login those two users. Thanks for your time, Gandalf ;-) — raspayu, Apr 23 '10 at 07:08
Your question served as maybe the clearest, concise example of configuring HTTP basic auth that I could quickly google. +1 for that :) — Jonik, Apr 17 '13 at 07:49

raspayu · Accepted Answer · 2017-03-08T01:20:23.163

26

Auto-answer

T_T Two days of hitting my head against the code for this...

Looks like it is not a problem of the code. I was using Weblogic with it and Weblogic captures the requests with the "authorization" header, so it doesn't get to my authentication-manager. I tried it with glassfish, and it works perfectly.

Searching for some info, I found an useful entry in the next blog: http://yplakosh.blogspot.com/2009/05/how-to-fix-basic-authentication-issue.html

Adding the next line in the config.xml from my Weblogic server(<security-configuration> section):

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

Weblogic will not catch the basic authentication credentials again, so it will be your authentication-manager who will handle it.

I hope it can save some time to anyone :-)

edited Mar 08 '17 at 01:20

answered Apr 23 '10 at 08:30

raspayu

5,089
5
37
50

5

Thank you very much for posting this solution. I just started running into this issue and found your post after searching Goolgle. – Justin Kredible Nov 17 '10 at 16:08
Hehe, I am really happy for having helped to save you some time ;-) – raspayu Nov 18 '10 at 13:20
It seems that the issue is still true as of 2019. – Nice Books Sep 27 '21 at 10:57

score 1 · Answer 2 · answered Apr 22 '10 at 14:35

1

try:

<http auto-config="true>
   <security:intercept-url method="POST" pattern="/**" access="ROLE_USER" />
   <http-basic />
</http>

answered Apr 22 '10 at 14:35

Gandalf

9,648
8
53
88

Thanks for the advice. I Tryed also with the auto-config in true, but I think I am missing something else... but don't know what. I think my code is really simple, there should not be problems with that. – raspayu Apr 22 '10 at 15:38

Spring Security HTTP Basic Authentication

2 Answers2

Linked