SEC-2803: Add HttpStatusEntryPoint #2940

Closed
spring-projects-issues opened this issue Jan 4, 2015 · 2 comments

@spring-projects-issues

Dave Syer (Migrated from SEC-2803) said:

There doesn't appear to be an entry point that sends a 401 with an arbitrary WWW-Authenticate header. BasicAuthenticationEntryPoint is nearly good enough, but it always sends "Basic ..." and that might not be what we are asking for. Example: a JavaScript client wants to detect the 401 without popping up a Basic auth dialog (which the browser will do automatically).

@spring-projects-issues

Dave Syer said:

Actually the custom "X-Requested-With" is a conventional header sent by browser clients, and it used to be the default in Angular but they took it out in 1.3.0. Spring Security responds to it by not sending a "WWW-Authenticate" header in a 401 response anyway, and thus the browser will not pop up an authentication dialog (which is desirable in our app since we want to control the authentication). So you can get close to the desired behaviour using Spring Security 3.2 as long as the client sends the right header.

Here's a pull request anyway: #177

@spring-projects-issues

Rob Winch said:

NOTE: The following is from the GitHub PR:

I wonder if it makes more sense to put this in another AuthenticationEntryPoint altogether. The reason is that BasicAuthenticationEntryPoint seems to imply that it is performing basic authentication. As soon as the challenge is removed, this is no longer the case.

What are your thoughts on creating an HttpStatusAuthenticationEntryPoint that allows setting the HttpStatus and (optionally) any headers the client wishes to send? I'm guessing in most cases a client doesn't even need the headers, so perhaps we should leave that out for now.

I'm ok with it either way. Thanks.

@spring-projects-issues spring-projects-issues added Closed type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 4.0.0 milestone Feb 5, 2016
@rwinch rwinch added the type: enhancement A general enhancement label May 3, 2019
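
The behaviour discussed in this thread, as an added example that is not code from the issue, the pull request or the Spring Security project: requests carrying `X-Requested-With: XMLHttpRequest` get a bare 401 with no `WWW-Authenticate` header, and all other requests still get the Basic challenge. It assumes Spring Security 4.x Java configuration and the `HttpStatusEntryPoint` class named in the issue title; the class name `ApiSecurityConfig` and the realm name are made up for illustration.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical configuration class, written for this example.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Script clients that identify themselves get only the status code:
        // no WWW-Authenticate header, so the browser shows no Basic dialog.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(
                new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"),
                new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));

        // Every other client still receives the Basic challenge.
        BasicAuthenticationEntryPoint basic = new BasicAuthenticationEntryPoint();
        basic.setRealmName("example-realm"); // constructed realm name

        DelegatingAuthenticationEntryPoint entryPoint =
                new DelegatingAuthenticationEntryPoint(entryPoints);
        entryPoint.setDefaultEntryPoint(basic);

        http
            .authorizeRequests().anyRequest().authenticated()
                .and()
            // Used when submitted Basic credentials are rejected.
            .httpBasic().authenticationEntryPoint(entryPoint)
                .and()
            // Used when an unauthenticated request reaches a protected resource.
            .exceptionHandling().authenticationEntryPoint(entryPoint);
    }
}
```

The header is client-supplied, so it selects only how the 401 is presented; the authorization rule applies to both kinds of request.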