
I have an application that needs 2 security http tags, deployed on a WebLogic 10.3.6 server with Spring Framework 3.1.2 and spring-security 3.1.2:

  1. Form-based login: for users logging in directly through the login page.
  2. Basic Authentication: for REST web service calls.

I have added FORM_BASED_LOGIN successfully; this works fine.

I would appreciate any direction on Basic Auth for the REST web services. For Basic Authentication, WebLogic shows an additional pop-up where I have to enter the credentials of the WebLogic console.

To fix this I have found 2 approaches:

  1. Updating the server config.xml file with the below tag:

         <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

     Reference: Spring Security HTTP Basic Authentication

  2. Adding an adapter and applicationContext-acegi-security.xml and WeblogicAuthenticationFilter

I would like to use the 2nd approach, as it does not involve any changes to the server configuration. It would be great if anyone could point me in the right direction or to an example of how to achieve this.

Reference: http://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/web.1111/e14453/security.htm

Update: adding my current spring-security configuration:

    <http create-session="stateless" entry-point-ref="basicAuthEntryPoint" pattern="/api/**" use-expressions="true">
        <intercept-url pattern="/api/listbyorderid" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
        <intercept-url pattern="/api/listbycustomerid" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
        <custom-filter ref="basicAuthenticationFilter" after="BASIC_AUTH_FILTER" />
    </http>

    <http auto-config="false" use-expressions="true" access-denied-page="/security/denied" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/security/login" access="permitAll" />
        <intercept-url pattern="/layouts/*" access="permitAll" />
        <intercept-url pattern="/tiles/*" access="permitAll" />
        <intercept-url pattern="/jquery/*" access="permitAll" />
        <intercept-url pattern="/css/*" access="permitAll" />
        <intercept-url pattern="/admin/css/*" access="permitAll" />
        <intercept-url pattern="/admin/images/*" access="permitAll" />
        <intercept-url pattern="/admin/ico/*" access="permitAll" />

        <logout invalidate-session="true" logout-url="/j_spring_security_logout" success-handler-ref="logoutSuccessHandler" delete-cookies="JSESSIONID" />

        <!-- Custom filter to deny unwanted users even though registered -->
        <custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR" />

        <!-- Custom filter for username, password and domain. The real customization is done in the customAuthenticationManager -->
        <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    </http>

Thanks in advance.

John

1 Answer

Spring Security supports this out of the box. You can take a look at helloworld-jc for a Java-based configuration or helloworld-xml for an XML-based configuration. Given you are on Servlet 2.5 with WebLogic 10.3.6, you will want to use the XML sample.

Rob Winch
  • I should have mentioned earlier that my environment of Spring Framework and spring-security version is 3.1.4. The example uses 4.0.1.RELEASE. – John Jul 18 '15 at 00:12
  • I am looking for configuration for Basic Authentication for REST WebService calls for specified URLs as mentioned in the question. – John Jul 20 '15 at 21:26
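
For the Spring Security 3.1 XML namespace discussed in the comments, the following is an added example (not part of the original question or answer, and not the code of the linked samples) of one security context with two `<http>` chains: HTTP Basic for `/api/**` and form login for everything else. The user name, password and catch-all `/**` rule are constructed placeholders, the standard `<form-login>` element stands in for the question's custom filters, and only the Spring side is shown, not the WebLogic credential prompt described in the question.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- REST chain. Chains are tried in declaration order, so the one
         restricted by pattern="/api/**" must come before the catch-all chain.
         create-session="stateless" keeps API calls from creating or reusing
         an HTTP session, so every request must carry its own credentials. -->
    <http pattern="/api/**" create-session="stateless" use-expressions="true">
        <intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
        <!-- Registers the basic authentication filter and a Basic entry point,
             so no explicit entry-point-ref or custom-filter is needed here. -->
        <http-basic />
    </http>

    <!-- Browser chain: every request that did not match /api/**. -->
    <http use-expressions="true">
        <intercept-url pattern="/security/login" access="permitAll" />
        <!-- Assumption: everything else requires a logged-in user. -->
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login login-page="/security/login" />
        <logout invalidate-session="true" delete-cookies="JSESSIONID" />
    </http>

    <!-- Constructed placeholder user so the fragment is self-contained.
         Replace with the application's real authentication provider and
         never keep a clear-text password in a deployed configuration. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="apiuser" password="change-me" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

Because Basic credentials are only base64-encoded, the `/api/**` chain should be reachable over TLS only.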