"Spring Security Application" Initiated by Apache

Ergin Er
Ranch Hand

Joined: Sep 06, 2005
Posts: 60
We wanted to secure our application (<url>/tst) by using apache2 basic authentication. Implementation in apache2 was straightforward and worked. The problem is the application. Somehow if I log in to the website of the application, Spring Security is initiated, so that I get another login popup. It seems the basic authentication of apache is picked up by spring security. I would like to disable that, since <url>/tst/home.html is not supposed to be secured.

I've tried a couple of options, but none seem to work. Maybe someone can help me out.

Here is the basic configuration of Spring security in my app:


I've tried the following options:
1: Configure Apache to use Digest login:


.digestpw contained the following user password:
tst:tst:ceaa2115e4ac62de0f46f118921cf018

If I try to go to the application, I get a login popup for PrivateOnly as I'm supposed to. But if I insert username and password, I get the same login popup, until, after 3 times, I get this error:
Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


2: Configure Spring Security - BasicProcessingFilter
I've added basicProcessingFilter:



This didn't work.

3: Configure Spring Security - Security Filter

I've placed security filter:



This didn't work.

All in all, I think I'm very close to a solution, but I'm missing something. Can anyone help me out with this?
Ergin Er
Ranch Hand

Joined: Sep 06, 2005
Posts: 60
I managed to make option 1 work for me.
It appeared I was using the wrong realm in the AuthName definition.

It is still remarkable that the application behaves strangely when Apache's basic authentication is used.
Bartlomiej Knabel
Greenhorn

Joined: Aug 15, 2008
Posts: 5
I have a similar situation, but I'm using "AuthType Basic".
What did you do to solve the problem?

In my case "spring security application" appears and I can't log into my test environment.


SCJP6, SCWCD
Eddie Lo
Greenhorn

Joined: Nov 13, 2009
Posts: 2
I have the same problem. If I still need to keep using AuthType Basic, is there any way to disable it in the Spring Security configuration?
Any help is appreciated!

Eddie
Bartlomiej Knabel
Greenhorn

Joined: Aug 15, 2008
Posts: 5
Hi,

I have a solution:
1) set auto-config="false"
2) don't add "<http-basic />" to your configuration

Here is a small piece of the SS documentation:

2.2.2.1. What does auto-config Include?

The auto-config attribute, as we have used it above, is just a shorthand syntax for:

<http>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login />
    <anonymous />
    <http-basic />
    <logout />
    <remember-me />
</http>


Hope it helps you too
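
Added example, not part of the original posts or of the Spring Security documentation: a complete namespace configuration that applies the fix described above. It assumes Spring Security 2.0.x (the version the quoted auto-config section comes from), that the application is deployed under the /tst context so patterns are context-relative, and it uses a constructed in-memory user in place of the application's real authentication provider.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

  <!-- auto-config="false": nothing is registered implicitly, so only the
       child elements listed here add filters to the chain. -->
  <http auto-config="false">

    <!-- The public page from the thread. filters="none" bypasses the whole
         security filter chain for this URL, so no SecurityContext is
         available while it is served. -->
    <intercept-url pattern="/home.html" filters="none" />

    <!-- Everything else still requires an authenticated application user. -->
    <intercept-url pattern="/**" access="ROLE_USER" />

    <!-- Form login becomes the only entry point: an unauthenticated request
         to a protected URL is redirected to the login form. -->
    <form-login />
    <anonymous />
    <logout />

    <!-- Deliberately no <http-basic />. Without it no BasicProcessingFilter
         is registered, so the Authorization header that Apache has already
         checked is not re-validated against the application's own users and
         no "Spring Security Application" Basic challenge is sent back. -->
  </http>

  <!-- Constructed placeholder user; keep your existing provider instead. -->
  <authentication-provider>
    <user-service>
      <user name="appuser" password="change-me" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>

</beans:beans>
```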


Eddie Lo
Greenhorn

Joined: Nov 13, 2009
Posts: 2


You saved my day!
Thank you very much!



Eddie
 
 