Spring MVC REST + Spring Security + Basic Authentication


Environment:

Spring 4.1

Spring Security 4.0

Issue:

I am developing a simple REST service using Spring 4.1, and I am using Spring Security for authentication purposes, with HTTP basic authentication.

The issue is that basic authentication is not working even though the configuration looks correct. I am using Postman to send requests to the server. The REST client can call the REST controller method without an Authorization header; the method gets executed without any authentication error.

Since I am using Tomcat 6, I am not using Servlet 3.0 features, so a web.xml exists. Method-level security has been implemented using the @Secured annotation on the REST controller layer.

Can someone please tell me what is going wrong?

Code:

web.xml:

<web-app>
    <display-name>Archetype Created Web Application</display-name>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/mvc-dispatcher-servlet-security.xml</param-value>
    </context-param>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/mvc-dispatcher-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
</web-app>

mvc-servlet-dispatcher-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    <http use-expressions="true" create-session="stateless">
        <http-basic/>
        <csrf disabled="true"/>
    </http>

    <global-method-security secured-annotations="enabled"/>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="xyz" password="12345" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>

mvc-dispatcher-servlet.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Specifying the base package of the components: controller, service, dao -->
    <context:component-scan base-package="org.ngo" />
    <!-- Getting the database properties -->
    <context:property-placeholder location="classpath:application.properties"/>

    <mvc:annotation-driven/>

    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <property name="driverClassName" value="${jdbc.driverClassName}" />
        <property name="url" value="${jdbc.url}" />
        <property name="username" value="${jdbc.username}" />
        <property name="password" value="${jdbc.password}" />
    </bean>

    <bean id="sessionFactory"
        class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
        <property name="dataSource">
            <ref bean="dataSource" />
        </property>
        <property name="hibernateProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
                <prop key="hibernate.show_sql">true</prop>
            </props>
        </property>
        <property name="packagesToScan" value="org.ngo.abhishek.entity"></property>
    </bean>

    <!-- Transaction -->
    <bean id="transactionManager"
        class="org.springframework.orm.hibernate4.HibernateTransactionManager">
        <property name="sessionFactory" ref="sessionFactory" />
    </bean>

    <tx:annotation-driven transaction-manager="transactionManager" />
</beans>

The REST controller:

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/abhishek")
public class AbhishekController {

    @Autowired
    private AbhishekService abhishekService;

    // Only callers holding ROLE_USER should reach this method
    @RequestMapping(method = RequestMethod.POST, consumes = "application/json")
    @Secured("ROLE_USER")
    public ResponseEntity<Boolean> getUserById(@RequestBody List<AbhishekDto> abhishekDtoList) {
        boolean flag = this.abhishekService.createAbhishek(abhishekDtoList);
        return new ResponseEntity<Boolean>(flag, HttpStatus.OK);
    }
}

I tried your setup, and it worked for me. Since you did not provide all of your code, my best guess is that either the component scan of the controller by Spring Security is not happening, or maybe the browser is caching and sending the basic auth credentials without you realizing it.
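Two things worth checking in the configuration in the question, shown here as an added example rather than as code from the question or the answer. First, an `<http>` element that contains only `<http-basic/>` and no `<intercept-url>` rule does not require authentication for any URL: the BasicAuthenticationFilter authenticates a request only when an Authorization header is present and otherwise lets the request through, so an unauthenticated call reaches the controller. Second, `<global-method-security>` proxies only the beans of the application context it is declared in; the controller is created by the component scan in mvc-dispatcher-servlet.xml (the DispatcherServlet's child context), so a `<global-method-security>` in the root context does not apply @Secured to it. The security XML below keeps the user and file names from the question and adds a URL rule at the filter level, so a request without credentials gets a 401 with a `WWW-Authenticate: Basic` challenge instead of 200:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    <!-- Stateless: every request must carry credentials; no session is created -->
    <http create-session="stateless">
        <!-- Added rule: without an intercept-url the chain permits every request,
             because http-basic alone only authenticates requests that carry a header -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <http-basic />
        <csrf disabled="true" />
    </http>

    <!-- Deliberately not declared in this (root) context. Method security wraps
         only beans of the context it lives in, so this element belongs in
         mvc-dispatcher-servlet.xml next to <context:component-scan>, declared
         with the security namespace there:
         <security:global-method-security secured-annotations="enabled" /> -->

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- In-memory user from the question; a constructed example, not a real account -->
                <user name="xyz" password="12345" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With the URL rule in place the filter chain rejects missing or wrong credentials before the controller runs, and the @Secured annotation becomes a second line of defence once `<global-method-security>` is moved into the DispatcherServlet context. To verify without a browser (which would resend cached credentials), send one request with no Authorization header and expect 401, then one with `-u xyz:12345` and expect 200.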
