2014-02-13 22:25 GMT+01:00 Sergey Beryozkin <[email protected]>:
> Hi
>
> On 13/02/14 17:25, Jose María Zaragoza wrote:
>>
>> Hello:
>>
>> I'm using Apache CXF 2.7.8 + Spring Security 3.1.1
>>
>> I want to secure an endpoint (JAX-RS service) with Basic Auth, and
>> I'm following this example:
>>
>> http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/
>>
>> So, I configure the Spring Security filter in web.xml
>> And all works fine
>>
>> But I'm interested in capturing all errors in the authentication phase, so
>> as to format the response, but this doesn't work.
>> The ExceptionMapper object is never invoked (I tried several types of
>> exceptions ExceptionMapper<T>, including
>> ExceptionMapper<BadCredentialsException>)
>>
>> Looking at logs, CXF code is never called (DEBUG mode). For example:
>>
>> 18:07:23.828 [http-8080-3] DEBUG [BasicAuthenticationFilter]
>> [doFilter] - Basic Authentication Authorization header found for user
>> 'xxxxxx'
>> 18:07:23.828 [http-8080-3] DEBUG [ProviderManager] [authenticate] -
>> Authentication attempt using
>> org.springframework.security.authentication.dao.DaoAuthenticationProvider
>> 18:07:23.828 [http-8080-3] DEBUG [DaoAuthenticationProvider]
>> [authenticate] - User 'xxxxxx' not found
>> 18:07:23.828 [http-8080-3] DEBUG [BasicAuthenticationFilter]
>> [doFilter] - Authentication request for failed:
>> org.springframework.security.authentication.BadCredentialsException:
>> Bad credentials
>> 18:07:23.828 [http-8080-3] DEBUG
>> [HttpSessionSecurityContextRepository] [saveContext] - SecurityContext
>> is empty or contents are anonymous - context will not be stored in
>> HttpSession.
>> 18:07:23.828 [http-8080-3] DEBUG [SecurityContextPersistenceFilter]
>> [doFilter] - SecurityContextHolder now cleared, as request processing
>> completed
>>
>> That's all
>>
>> Looks like the request is not seen by CXF code
>> What is wrong?
>>
> I wonder, is it thrown from the filter, before CXF is even invoked? If so
> then you'd likely need to get a custom filter sitting in front of Spring
> Security catching the exceptions...
>
> Cheers, Sergey
>
>> Thanks and regards
>>
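
Thanks Sergey,

You are right.

Finally I had to use a Spring solution to solve this.
I followed this link:

http://stackoverflow.com/questions/19596872/how-to-handle-different-authentication-exceptions-in-spring-security-3-1

Basically it's to define an entry point for the http/http-basic namespace:

    <http entry-point-ref="authenticationFailedEntryPoint">
        <intercept-url pattern="/**" access="ROLE_XXXX" />
        <http-basic entry-point-ref="authenticationFailedEntryPoint"/>
    </http>

and an entry-point class, like:

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.ws.rs.core.Response.Status;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.AuthenticationEntryPoint;

    public class AuthenticationFailedEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request,
                HttpServletResponse response,
                AuthenticationException authException) throws IOException, ServletException {
            // Called by Spring Security when authentication fails; CXF is not involved.
            response.setStatus(Status.UNAUTHORIZED.getStatusCode());
            PrintWriter out = response.getWriter();
            out.write("");
            out.flush();
        }
    }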
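
An added example, not part of the original post and not code from CXF or Spring Security: a variant of the entry point above that keeps the Basic challenge header and returns one fixed body for every authentication failure, so the response does not reveal whether the user exists. The class name, realm value and JSON body are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Hypothetical class name; register it as the bean referenced by entry-point-ref.
public class UniformAuthenticationFailedEntryPoint implements AuthenticationEntryPoint {

    // Assumed realm name; use the one the deployment advertises.
    private static final String REALM = "example-realm";

    // Constructed response body; the same text is sent for every failure type.
    private static final String BODY =
            "{\"error\":\"unauthorized\",\"message\":\"Authentication required\"}";

    @Override
    public void commence(HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // A custom entry point replaces the default BasicAuthenticationEntryPoint,
        // so the WWW-Authenticate challenge must be set here; a 401 response is
        // required to carry it.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");

        // Do not echo authException.getMessage(): unknown user, wrong password
        // and locked account should be indistinguishable to the caller. The
        // detail stays in the server-side DEBUG log shown earlier in the thread.
        PrintWriter out = response.getWriter();
        out.write(BODY);
        out.flush();
    }
}
```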
