
"Spring Security Application" Initiated by Apache

 
Ergin Er
Ranch Hand
Posts: 60
We wanted to secure our application (<url>/tst) by using apache2 basic authentication. Implementation in apache2 was straightforward and worked. The problem is the application. Somehow if I log in to the website of the application, Spring Security is initiated, so that I get another login popup. It seems the basic authentication of Apache is picked up by Spring Security. I would like to disable that, since <url>/tst/home.html is not supposed to be secured.

I've tried a couple of options, but none seem to work. Maybe someone can help me out.

Here is the basic configuration of Spring security in my app:


I've tried the following options:
1: Configure Apache to use Digest login:


.digestpw contained the following user password:
tst:tst:ceaa2115e4ac62de0f46f118921cf018

If I try to go to the application, I get a login popup for PrivateOnly as I'm supposed to. But if I insert username and password, I get the same login popup, until, after 3 times, I get this error:
Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


2: Configure Spring Security - BasicProcessingFilter
I've added basicProcessingFilter:



This didn't work.

3: Configure Spring Security - Security Filter

I've placed security filter:



This didn't work.

All in all, I think I'm very close to a solution, but I'm missing something. Can anyone help me out with this?
 
Ergin Er
Ranch Hand
Posts: 60
I managed to make option 1 work for me.
It appeared I was using the wrong realm in the AuthName definition.

It is still remarkable that the application behaves strangely when Apache's basic authentication is used.
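
Added example (not part of the original posts): an htdigest line has the form user:realm:MD5(user:realm:password), and Apache looks the user up under the realm named by AuthName, so a realm that differs from the one in the file fails even with the right password. The sketch below checks that; the realm names come from the post, while the password, the helper names and the sample line are constructed.

```python
import hashlib
import hmac

def ha1(user, realm, password):
    """Value htdigest stores: MD5 over 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def parse_htdigest(text):
    """Map (user, realm) -> stored hash for each 'user:realm:hash' line."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            raise ValueError(f"line {lineno}: expected user:realm:md5hex")
        entries[(parts[0], parts[1])] = parts[2].lower()
    return entries

def check(text, auth_name, user, password):
    """Explain why a login against the realm in AuthName succeeds or fails."""
    entries = parse_htdigest(text)
    stored = entries.get((user, auth_name))
    if stored is None:
        realms = sorted(r for (u, r) in entries if u == user)
        if realms:
            return f"realm mismatch: file has {realms}, AuthName is {auth_name!r}"
        return "unknown user"
    if hmac.compare_digest(stored, ha1(user, auth_name, password)):
        return "ok"
    return "wrong password"

# Constructed sample: user and realm "tst" as in the post's file line; the
# password is made up and the hash is computed here, not copied from the post.
SAMPLE = f"tst:tst:{ha1('tst', 'tst', 'example-pw')}\n"

if __name__ == "__main__":
    for auth_name in ("PrivateOnly", "tst"):
        print(auth_name, "->", check(SAMPLE, auth_name, "tst", "example-pw"))
```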
 
Bartlomiej Knabel
Greenhorn
Posts: 5
I have a similar situation, but I'm using "AuthType Basic".
What did You do to solve the problem?

In my case "spring security application" appears and I can't log into my test environment.
 
Eddie Lo
Greenhorn
Posts: 2
I have the same problem. If I still need to keep using AuthType Basic, is there any way to disable it in the Spring Security configuration?
Any help is appreciated!

Eddie
 
Bartlomiej Knabel
Greenhorn
Posts: 5
Hi,

I have a solution:
1) set auto-config="false"
2) don't add "<http-basic />" to Your configuration

Here You have a small piece of the SS documentation

2.2.2.1. What does auto-config Include?

The auto-config attribute, as we have used it above, is just a shorthand syntax for:

<http>
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login />
  <anonymous />
  <http-basic />
  <logout />
  <remember-me />
</http>


Hope it helps You too


 
Eddie Lo
Greenhorn
Posts: 2


You saved my day!
Thank you very much!



Eddie
 