问题
I am using spring basic authentication with the following settings in my security xml:
<http use-expressions="true" create-session="never" >
<intercept-url pattern="/**" method="GET" access="isAuthenticated()" />
<intercept-url pattern="/**" method="POST" access="isAuthenticated()" />
<intercept-url pattern="/**" method="PUT" access="isAuthenticated()" />
<intercept-url pattern="/**" method="DELETE" access="isAuthenticated()" />
<http-basic />
</http>
If authentication fails, the browser pop ups a prompt window to renter the user name and password. Is there any way to make that prompt not pop up at all ?
回答1:
Most probable the page that is used for authentication failure is also protected. You can try manually to set the failure page to one that is not protected like
<access-denied-handler error-page="/login.jsp"/>
together with
<intercept-url pattern="/*login*" access="hasRole('ROLE_ANONYMOUS')"/>
or
<intercept-url pattern='/*login*' filters='none'/>
or you can use the auto-config='true' attribute of the http element that will fix that for you.See more here
回答2:
I have also had the same problem for the REST API throwing login dialog in the browser. As you have told , when the browser sees the response header as
WWW-Authenticate: Basic realm="Spring Security Application
It will prompt with a basic authentication dialog.For REST API based login , this is not ideal. Here is how I did it.Define a custom authentication entry point and in the commence set the header as "FormBased"
response.setHeader("WWW-Authenticate", "FormBased");
application-context.xml configuration below
<security:http create-session="never" entry-point-ref="authenticationEntryPoint" authentication-manager-ref="authenticationManager">
<security:custom-filter ref="customRestFilter" position="BASIC_AUTH_FILTER" />
<security:intercept-url pattern="/api/**" access="ROLE_USER" />
</security:http>
<bean id="authenticationEntryPoint" class="com.tito.demo.workflow.security.RestAuthenticationEntryPoint">
</bean>
Custom entry point class below.
@Component
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
private static Logger logger = Logger.getLogger(RestAuthenticationEntryPoint.class);
public void commence( HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException ) throws IOException {
logger.debug("<--- Inside authentication entry point --->");
// this is very important for a REST based API login.
// WWW-Authenticate header should be set as FormBased , else browser will show login dialog with realm
response.setHeader("WWW-Authenticate", "FormBased");
response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
}
}
Note: I have used spring 3.2.5.Release
Now when the rest API is hit from a restclient like POSTMAN , the server will return 401 Unauthorized.
回答3:
I have faced the same issue and what I did is create a custom RequestMatcher in my resource server. This prevents Outh2 from sending WWW-Authenticate header.
Example:
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatcher(new OAuthRequestedMatcher())
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS).permitAll()
.anyRequest().authenticated();
}
private static class OAuthRequestedMatcher implements RequestMatcher {
public boolean matches(HttpServletRequest request) {
String auth = request.getHeader("Authorization");
boolean haveOauth2Token = (auth != null) && auth.startsWith("Bearer");
boolean haveAccessToken = request.getParameter("access_token")!=null;
return haveOauth2Token || haveAccessToken;
}
}
来源:https://stackoverflow.com/questions/10348179/spring-security-3-0-basic-auth-prompt-disappear