Spring security 3 http-basic authentication-success-handler

You cannot set an authentication success handler for BASIC authentication. You can, however, extend BasicAuthenticationFilter and override onSuccessfulAuthentication method:

@Component("customBasicAuthFilter")
public class CustomBasicAuthFilter extends BasicAuthenticationFilter {

    @Autowired
    public CustomBasicAuthFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) {
        // Do what you want here
    }
}

Inject it in your security configuration with something like:

<http entry-point-ref="basicEntryPoint">
  <custom-filter ref="customBasicAuthFilter" position="BASIC_AUTH_FILTER"/>
</http>
<authentication-manager alias="authenticationManager">
  ...
</authentication-manager>

Update: Or with Java config instead of XML:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
      .addFilterAt(customBasicAuthFilter, BasicAuthenticationFilter.class)
      .exceptionHandling().authenticationEntryPoint(basicEntryPoint);
}

As a workaround you can use http-basic in conjuction with form-login:

<http auto-config="true">
    ...
    <http-basic  />
    <form-login authentication-success-handler-ref="authenticationSuccessHandler" ... />
    ...
</http>

BasicAuthenticationFilter will work.

EDIT. If you want set up your overriden version of BasicAuthenticationFilter I think you need to:

  1. Add it to filter chain at BASIC_AUTH_FILTER position as explained here
  2. Set up corresponding BasicAuthenticationEntryPoint entry point via entry-point-ref attribute of http tag.

Instead of using an AuthenticationSuccessHandler you can rely on Spring Security's event mechanism and listen to AuthenticationSuccessEvent by using the ApplicationListener interface:

@Component
public class AuthenticationEventListener implements
    ApplicationListener<AuthenticationSuccessEvent>
{

    @Override
    public void onApplicationEvent (AuthenticationSuccessEvent event) {
       // do what you want here
       // example: persist event to the database
    }
}

See also this answer here: https://stackoverflow.com/a/11384001/474034

Tags:

Spring Security

Basic Authentication

Recent Posts