I've been struggling for a few days now. I'm kind of new to Spring Boot, and I like the idea of not using XML configuration.
I created a RESTful application (with JSON). I'm following this tutorial to configure authentication properly.
I think I managed to reproduce almost all of its configuration using Java configuration, except for one thing: AuthenticationEntryPoint.
The tutorial uses a property in the http tag like this and defines a formLogin in the following way:

    <http entry-point-ref="restAuthenticationEntryPoint">
        <intercept-url pattern="/api/admin/**" access="ROLE_ADMIN"/>
        <form-login
            authentication-success-handler-ref="mySuccessHandler"
            authentication-failure-handler-ref="myFailureHandler"
        />
        <logout />
    </http>
The AuthenticationEntryPoint explanation in the Spring Security manual says:

    AuthenticationEntryPoint can be set using the entry-point-ref attribute on the <http> element.

It doesn't mention anything about how to do it using Java configuration.
So how can I "register" my own restAuthenticationEntryPoint without XML in order to prevent the redirection to a login form when using formLogin?
Below I will mention what I have tried.
Thank you all.
In my attempts, I found you can define it using basicAuth like this:

    @Configuration
    @Order(1)
    public static class RestWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        // field declaration not shown in the original snippet
        private RestAuthenticationEntryPoint restAuthenticationEntryPoint;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            if (restAuthenticationEntryPoint == null) {
                restAuthenticationEntryPoint = new RestAuthenticationEntryPoint();
            }
            http
                .authorizeRequests()
                    .antMatchers("/**").hasAnyRole(Sec.ADMIN, Sec.SUPER_USER)
                    ...
                    .and()
                .httpBasic()
                    .authenticationEntryPoint(restAuthenticationEntryPoint);
        }
    }
But I'm using a form login like this (without the httpBasic part):

                .and()
                .formLogin()
                    .successHandler(mySavedRequestAwareAuthenticationSuccessHandler)
                    .failureHandler(simpleUrlAuthenticationFailureHandler);

The problem is it redirects to a login form when it doesn't receive credentials. Since this is a REST service, it shouldn't.
The documentation for FormLoginConfigurer (the class .formLogin() uses) says:

    Shared Objects Created
    The following shared objects are populated:
    AuthenticationEntryPoint

But I couldn't find a way to override it.
Any ideas?
P.S. I don't think it would be a good idea to override the login form with a custom one that only returns the error.
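Added example, not code from the question or from the tutorial it follows: the Java-config counterpart of entry-point-ref is exceptionHandling().authenticationEntryPoint(...), which overrides the shared AuthenticationEntryPoint that formLogin() would otherwise populate with a redirecting LoginUrlAuthenticationEntryPoint. The class name RestSecurityConfig, the /api/** matcher and the autowired mySuccessHandler bean are assumptions; it assumes Spring Security 4/5 with WebSecurityConfigurerAdapter and javax.servlet.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Entry point for the REST API: an unauthenticated request gets a bare 401,
// never a 302 to the login page, which a JSON client cannot follow meaningfully.
class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}

@Configuration
@Order(1)
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
    // Assumed bean defined elsewhere, e.g. a handler that answers 200 without redirecting.
    @Autowired
    private AuthenticationSuccessHandler mySuccessHandler;
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")                       // assumption: the REST API lives under /api
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            // Java-config equivalent of entry-point-ref: replaces the LoginUrlAuthenticationEntryPoint
            // that formLogin() would otherwise register as the shared AuthenticationEntryPoint.
            .exceptionHandling()
                .authenticationEntryPoint(new RestAuthenticationEntryPoint())
                .and()
            .formLogin()
                .successHandler(mySuccessHandler)
                // With no failure URL set, this handler answers 401 instead of redirecting.
                .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .and()
            .logout();
    }
}
```

A quick check after wiring this in: an unauthenticated GET to a protected /api path should return 401 with no Location header, and a bad POST to the login URL should also return 401 rather than a redirect.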