Home/ Questions/Q 8847723
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T12:15:29+00:00

I’m working on adding basic authentication to my RESTful web service (implemented using Spring

  • 0

I’m working on adding basic authentication to my RESTful web service (implemented using Spring MVC) with Spring Security having never really used it before. Right now I’m simply using an in-memory UserService with the intention of adding a repository-based one later.

<security:http>
    <security:http-basic />
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="admin" password="admin"
                authorities="ROLE_USER, ROLE_ADMIN" />
            <security:user name="guest" password="guest"
                authorities="ROLE_GUEST" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

This works fine, i.e. sending the following request grants me access to the desired resource (where the encoded string is admin:admin):

GET /user/v1/Tyler HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=

And sending the following request gives me an Error 403 (where the encoded string is guest:guest):

GET /user/v1/Tyler HTTP/1.1
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

However, sending a request where the provided username is not contained in the UserService does not result in an Error 403 as I expected (or at least desired) but instead continues prompting for a username and password. E.g. (where the encoded string is user:user):

GET /user/v1/Tyler HTTP/1.1
Authorization: Basic dXNlcjp1c2Vy

Is there additional configuration required to respond with an Error 403 when unrecognized user credentials are provided? How can I go about doing that?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Firstly,

    403 Forbidden should be used when user is already authenticated but is not authorized to perform particular action. In your example guest is successfully authenticated but is not granted permission to see page because he is just a guest.

    You should use 401 Unauthorized to indicate that your user was not authenticated successfully.

    More on HTTP errors codes: http://en.wikipedia.org/wiki/HTTP_401#4xx_Client_Error

    Secondly,

    you can specify your custom behavior by extending BasicAuthenticationFilter.
    There is protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse AuthenticationException failed) method that you can override and do whatever is adequate. In default implementation that method is empty.

    Spring Security docs on injecting custom filter: CLICK

    Edit:

    What Spring Security does each time your authentication input is invalid:

    public class BasicAuthenticationEntryPoint implements AuthenticationEntryPoint {
...
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
        throws IOException, ServletException {

response.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());

    So, the default behavior is correct. User is sent 401 and is asked to provide valid login/credentials.

    Before overriding, try to understand the default behavior. Source code: CLICK

    • 0