Authentication entry point is only sometimes called

I have a simple AuthenticationEntryPoint that should set the WWW-Authenticate header for unauthorized requests.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {

    // Invoked by Spring Security when an unauthenticated request is rejected.
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {
        response.setHeader("WWW-Authenticate", "FormBased");
        response.sendError(401, authException.getMessage());
    }
}

I use it in one of the configure methods of AuthorizationServerConfigurer:

@Override
public void configure(AuthorizationServerSecurityConfigurer authorizationServerSecurityConfigurer) throws Exception {
    authorizationServerSecurityConfigurer.authenticationEntryPoint(authenticationEntryPoint);
}

This commence method is not always called. It is called when the request has no Authorization header, or when the value of the Authorization header does not start with "Basic". However, if the Authorization header begins with "Basic", the commence method is not called (but the response's WWW-Authenticate value is Basic realm="oauth2/client"). How can I guarantee that this method will be called?

+4
2 answers

As AliDehghani says, BasicAuthenticationFilter uses BasicAuthenticationEntryPoint, not the AuthenticationEntryPoint set in AuthorizationServerSecurityConfigurer. To make BasicAuthenticationFilter use CustomAuthenticationEntryPoint, create a CustomBasicAuthenticationFilter and @Autowire the entry point into it:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Component;

@Component
public class CustomBasicAuthenticationFilter extends BasicAuthenticationFilter {

    // The entry point passed here is the one the filter calls on a failed Basic login.
    @Autowired
    public CustomBasicAuthenticationFilter(AuthenticationManager authenticationManager,
                                           AuthenticationEntryPoint authenticationEntryPoint) {
        super(authenticationManager, authenticationEntryPoint);
    }
}

Then in the configure method of AuthorizationServerConfigurer:

@Override
public void configure(AuthorizationServerSecurityConfigurer authorizationServerSecurityConfigurer) throws Exception {
    authorizationServerSecurityConfigurer
            .authenticationEntryPoint(authenticationEntryPoint)
            .addTokenEndpointAuthenticationFilter(customBasicAuthenticationFilter);
}

CustomBasicAuthenticationFilter is now used instead of BasicAuthenticationFilter, and the injected AuthenticationEntryPoint bean is the CustomAuthenticationEntryPoint.

+4
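A complete configuration that wires this together, added here as an example and not taken from the question or either answer. It assumes spring-security-oauth2 2.x on Spring Security 5, the CustomAuthenticationEntryPoint class from the question, a PasswordEncoder bean, and the ClientDetailsService bean that @EnableAuthorizationServer registers; the client id and secret are constructed placeholders. Instead of autowiring the application's global AuthenticationManager, it builds one from ClientDetailsUserDetailsService so that the added Basic filter validates client_id/client_secret pairs, which is what the token endpoint needs.

```java
import java.util.Collections;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final CustomAuthenticationEntryPoint entryPoint;  // the question's entry point bean
    private final ClientDetailsService clientDetailsService;  // lazy proxy registered by @EnableAuthorizationServer
    private final PasswordEncoder passwordEncoder;            // assumed bean, e.g. BCryptPasswordEncoder

    @Autowired
    public AuthServerConfig(CustomAuthenticationEntryPoint entryPoint,
                            ClientDetailsService clientDetailsService,
                            PasswordEncoder passwordEncoder) {
        this.entryPoint = entryPoint;
        this.clientDetailsService = clientDetailsService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Constructed placeholder client; real secrets belong in configuration, not source.
        clients.inMemory()
                .withClient("example-client")
                .secret(passwordEncoder.encode("example-secret"))
                .authorizedGrantTypes("client_credentials")
                .scopes("read");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // An AuthenticationManager that checks client credentials against the
        // registered clients, so the Basic filter does not rely on the user-facing manager.
        DaoAuthenticationProvider clientProvider = new DaoAuthenticationProvider();
        clientProvider.setUserDetailsService(new ClientDetailsUserDetailsService(clientDetailsService));
        clientProvider.setPasswordEncoder(passwordEncoder);
        AuthenticationManager clientAuth = new ProviderManager(Collections.singletonList(clientProvider));

        // Constructing the Basic filter with our own entry point is the whole point:
        // a failed "Authorization: Basic ..." now ends in CustomAuthenticationEntryPoint.commence()
        // instead of the default BasicAuthenticationEntryPoint.
        BasicAuthenticationFilter basicFilter = new BasicAuthenticationFilter(clientAuth, entryPoint);

        security
                .authenticationEntryPoint(entryPoint)                // path: header missing or not Basic
                .addTokenEndpointAuthenticationFilter(basicFilter);  // path: header is Basic
    }
}
```

Both rejection paths now produce the same WWW-Authenticate header, which is what a client (and any monitoring that keys on that header) sees; the filter added through addTokenEndpointAuthenticationFilter only applies to the token endpoints secured by this configurer, not to the rest of the application.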

When the client authenticates with HTTP Basic, it sends:

Authorization: Basic Base64(client_id:client_secret)

Your entry point is called when that header is absent or does not start with "Basic". When it does start with "Basic", commence is not called.

Spring handles Basic authentication in BasicAuthenticationFilter. In its doFilterInternal method:

if (header == null || !header.startsWith("Basic ")) {
    chain.doFilter(request, response);
    return;
}

If there is no Authorization header, or the Authorization header is not Basic, the filter simply continues the chain. Later an AuthenticationException is thrown and caught by ExceptionTranslationFilter, and ExceptionTranslationFilter calls your AuthenticationEntryPoint.

If the Authorization header is Basic, BasicAuthenticationFilter authenticates the request itself. On failure, BasicAuthenticationFilter calls its own BasicAuthenticationEntryPoint rather than your AuthenticationEntryPoint:

catch (AuthenticationException failed) {
    SecurityContextHolder.clearContext();

    if (debug) {
        this.logger.debug("Authentication request for failed: " + failed);
    }

    this.rememberMeServices.loginFail(request, response);

    onUnsuccessfulAuthentication(request, response, failed);

    if (this.ignoreFailure) {
        chain.doFilter(request, response);
    }
    else {
        this.authenticationEntryPoint.commence(request, response, failed);
    }

    return;
}
+2
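The two paths described in this answer can be observed directly by pushing requests through a BasicAuthenticationFilter with spring-test's servlet mocks. This is an added example, not code from the answer or from Spring; it assumes spring-security-web 5.x and spring-test on the classpath. The AuthenticationManager is a constructed stub that rejects every credential, standing in for a wrong client secret, and the entry point records whether it was invoked.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicBoolean;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

public class BasicFilterPathsDemo {

    /** What happened to one request inside BasicAuthenticationFilter. */
    static final class Outcome {
        final boolean chainReached;   // filter handed the request on (ExceptionTranslationFilter's job later)
        final boolean commenceCalled; // filter invoked the entry point it was constructed with
        final int status;

        Outcome(boolean chainReached, boolean commenceCalled, int status) {
            this.chainReached = chainReached;
            this.commenceCalled = commenceCalled;
            this.status = status;
        }

        @Override
        public String toString() {
            return "chainReached=" + chainReached + ", commenceCalled=" + commenceCalled + ", status=" + status;
        }
    }

    static Outcome run(String authorizationHeader) throws Exception {
        // Constructed stub: every credential is rejected, like a wrong client secret.
        AuthenticationManager rejectAll = auth -> {
            throw new BadCredentialsException("bad client credentials");
        };
        AtomicBoolean commenced = new AtomicBoolean(false);
        AuthenticationEntryPoint entryPoint = (req, res, ex) -> {
            commenced.set(true);
            res.setHeader("WWW-Authenticate", "FormBased");
            res.sendError(401); // generic status; the exception text is not echoed to the client
        };
        BasicAuthenticationFilter filter = new BasicAuthenticationFilter(rejectAll, entryPoint);

        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/oauth/token");
        if (authorizationHeader != null) {
            request.addHeader("Authorization", authorizationHeader);
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain(); // getRequest() stays null unless doFilter is reached
        filter.doFilter(request, response, chain);
        return new Outcome(chain.getRequest() != null, commenced.get(), response.getStatus());
    }

    public static void main(String[] args) throws Exception {
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("example-client:wrong-secret".getBytes(StandardCharsets.UTF_8));

        // Missing or non-Basic header: the filter steps aside, so its entry point is never used.
        System.out.println("no header:      " + run(null));
        System.out.println("non-Basic:      " + run("Bearer abc.def.ghi"));
        // Basic header with bad credentials: the filter handles the failure itself and
        // calls whichever entry point it was built with, never reaching the chain.
        System.out.println("Basic, bad pwd: " + run(basic));
    }
}
```

Swapping the stub entry point for the default BasicAuthenticationEntryPoint reproduces the question's symptom (a 401 with Basic realm=... on the third request), which is why the fix has to go into the filter's constructor rather than into the configurer's authenticationEntryPoint alone.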
