I’m in the process of implementing a REST service with Spring MVC and Spring Security (both 3.0.5). I’m using the security namespace, not defining the Spring beans by hand.
I’m having some difficulties with the login process. What I’m trying to achieve is this:
a POST to a /login URL would begin the authentication process.
There should be no actual form, so I’m not using the form-login… element. Without this element, the UsernamePasswordAuthenticationFilter isn’t present on the security chain, so I thought I’d add it via a custom-filter… element and go on from there.
That’s the gist of it, now for the questions:
- is this a good way to implement authentication?
- how exactly should I add this filter and on what position in the filter chain?
- is it enough to add this filter or do I need something else as well?
Any feedback is appreciated.
Thanks.
In general, if you want to customize your authentication, you should use the bean configuration. I found the namespace based configuration suitable only for demo-apps. Here are my answers to your questions:
1) As I said above, you should use beans. Check this article for more information:
http://blog.springsource.com/2010/03/06/behind-the-spring-security-namespace/
But what you are going after will also work, with the requirements you have mentioned so far.
2) It should be added like this:
<http>
    <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"/>
3) Note that this filter would also perform the default redirection to the original request. So if you do not need any redirection and just a simple HTTP 200 should be returned to the client, you should implement your own AuthenticationProcessingFilter.
I hope it helps.
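An added example, not part of the original answer: a filter of the kind point 3 describes, built on UsernamePasswordAuthenticationFilter with handlers that answer with a status code instead of redirecting. The class name RestLoginFilter and its package are hypothetical, and the bean that declares it (in place of myFilter's class above) is assumed to set the authenticationManager property, which the filter requires at startup.

```java
package example; // hypothetical package

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Hypothetical REST login filter: authenticates like the stock filter,
 * but replies 200 or 401 and never issues a redirect.
 */
public class RestLoginFilter extends UsernamePasswordAuthenticationFilter {

    public RestLoginFilter() {
        // The URL from the question; the stock default is /j_spring_security_check.
        setFilterProcessesUrl("/login");
        // Credentials are only accepted on POST (the default, made explicit),
        // so they cannot arrive in a query string and end up in access logs.
        setPostOnly(true);

        // Success: the Authentication is already stored in the SecurityContext
        // by the parent class; just confirm with 200 and an empty body.
        setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
            public void onAuthenticationSuccess(HttpServletRequest request,
                    HttpServletResponse response, Authentication authentication)
                    throws IOException {
                response.setStatus(HttpServletResponse.SC_OK);
            }
        });

        // Failure: one generic 401 for every cause, so the response does not
        // reveal whether the username or the password was wrong.
        setAuthenticationFailureHandler(new AuthenticationFailureHandler() {
            public void onAuthenticationFailure(HttpServletRequest request,
                    HttpServletResponse response, AuthenticationException exception)
                    throws IOException {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            }
        });
    }
}
```

In Spring Security 3.0.x the parent filter reads the credentials from the j_username and j_password request parameters unless the parameter names are changed on the bean.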