我正在尝试使用Jersey,Spring和Spring安全性(3.2.5)实现Rest Web服务。
我希望服务器要求对其余Web服务的请求使用基本的auth标头。如果身份验证成功,则jersey应处理该请求。如果失败,我想返回状态为403的空响应。
目前我的配置如下:
<bean id="myAuthenticationEntryPoint"
class="de.tuberlin.snet.baroudeur.Authentication.EntryPoint" />
<!-- HTTP basic authentication in Spring Security -->
<security:http create-session="stateless" auto-config="false"
disable-url-rewriting="true" entry-point-ref="myAuthenticationEntryPoint">
<security:intercept-url pattern="**" access="ROLE_USER" />
<security:http-basic />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="username" password="password"
authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
和我的EntryPoint:
public class EntryPoint extends BasicAuthenticationEntryPoint {
public void commence(ServletRequest request, ServletResponse response,
AuthenticationException authException) throws IOException,
ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
}
}
我尝试了很多东西,比如自定义AuthenticationFailureHandler,或自定义EntryPoint,但到目前为止还没有任何工作。
由于
编辑:
我当前的解决方案仅返回基本tomcat模板的401响应,浏览器会询问用户凭据。
使用调试模式时,似乎从不调用自定义入口点的begin()方法,为什么会这样?