I enabled Spring Security for my REST application but am not getting authorized when using curl.

Security.xml

```xml
<sec:http use-expressions="true" entry-point-ref="restAuthenticationEntryPoint">
    <sec:intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" />
    <sec:form-login authentication-success-handler-ref="mySuccessHandler" />
    <sec:logout />
</sec:http>

<beans:bean id="mySuccessHandler" class="net.himalay.security.MySavedRequestAwareAuthenticationSuccessHandler" />

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user name="temporary" password="temporary" authorities="ROLE_ADMIN" />
            <sec:user name="user" password="userPass" authorities="ROLE_USER" />
        </sec:user-service>
    </sec:authentication-provider>
</sec:authentication-manager>
```
CustomEntryPoint

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

/**
 * Entry point used for the REST endpoints: instead of redirecting an
 * unauthenticated caller to a login page (the form-login default), it
 * answers with a plain 401 so that API clients can react to it.
 */
@Component
public final class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private static final Logger LOG = LoggerFactory.getLogger(RestAuthenticationEntryPoint.class);

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response,
            final AuthenticationException authException) throws IOException {
        LOG.info("---------RestAuthenticationEntryPoint----------");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
    }
}
```
Controller

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

// User, TodoItem and MultitenantService are the application's own classes (not shown here).
@Controller
@RequestMapping("rest")
public class MultitenantController {

    @Autowired
    private MultitenantService service;

    @RequestMapping(value = "/user/{id}", method = RequestMethod.GET)
    @ResponseBody
    public User getUserInfo(@PathVariable Long id) {
        return service.getUser(id);
    }

    @RequestMapping(value = "/user", method = RequestMethod.GET)
    @ResponseBody
    public List<User> getCustomers() {
        return service.getUsers();
    }

    @RequestMapping(value = "/user/{id}/todo", method = RequestMethod.GET)
    @ResponseBody
    public List<TodoItem> getTransactions(@PathVariable Long id) {
        // addAccessControllAllowOrigin() is a helper of this controller that is not shown here;
        // its result is never attached to the response, so the headers it builds are unused.
        HttpHeaders headers = addAccessControllAllowOrigin();
        return getUserInfo(id).getTodoItems();
    }
}
```
```
$ curl -i -X -u user:userPass http://localhost:8080/mt-rest/rest/user/1/todo
curl: (6) Could not resolve host: user
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=ADA11C09484E658C38D8385CABA0CFAE; Path=/mt-rest/; HttpOnly
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 975
Date: Fri, 31 Jan 2014 17:14:45 GMT
```

After taking the security pattern out of security.xml, it works fine. What exactly am I missing here?
You have only defined a form-login module. I believe that you also need to specify http-basic. For example:
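The configuration below is an added illustration of that point, not the answerer's own snippet: it keeps the bean names and URL pattern from the question and only adds an `http-basic` element. With `form-login` alone, Spring Security never looks at an `Authorization: Basic` header, so a curl call with `-u` still reaches the entry point and gets the 401 seen above. `BasicAuthenticationFilter`, registered by `http-basic`, is what turns that header into an authenticated request.

```xml
<sec:http use-expressions="true" entry-point-ref="restAuthenticationEntryPoint">
    <sec:intercept-url pattern="/rest/**" access="hasRole('ROLE_USER')" />

    <!-- Accept "Authorization: Basic ..." credentials from API clients such as curl.
         Without this element only the login form can authenticate a request. -->
    <sec:http-basic />

    <!-- Browser login is still available alongside basic auth. -->
    <sec:form-login authentication-success-handler-ref="mySuccessHandler" />
    <sec:logout />
</sec:http>
```

Two checks once this is in place. First, drop the stray `-X` from the curl command: `-X` takes the next argument as the HTTP method, so `-X -u` makes curl read `-u` as the method name and `user:userPass` as a hostname, which is exactly the `Could not resolve host: user` error in the output above. The request to test is `curl -i -u user:userPass http://localhost:8080/mt-rest/rest/user/1/todo`, which should now return 200 with the todo list instead of 401. Second, because basic auth sends the username and password base64-encoded (not encrypted) on every request, this setup should only be exposed over HTTPS outside a local test environment.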