angularjs - Can't set Authentication Header with Angular and Spring Security -


i'm having trouble getting angular, cors, springsecurity , basic authentication play nicely. have following angular ajax call i'm trying set header include basic authorization header in request.

var headerobj = {headers: {'authorization': 'basic am9lonnly3jlda=='}}; return $http.get('http://localhost:8080/mysite/login', headerobj).then(function (response) {     return response.data; }); 

i running angular app on localhost:8888 , backend server on localhost:8080. had add cors filter server side spring mvc. created filter , added web.xml.

web.xml

<filter>     <filter-name>corsfilter</filter-name>     <filter-class>com.abcinsights.controller.simplecorsfilter</filter-class> </filter> <filter-mapping>     <filter-name>corsfilter</filter-name>     <url-pattern>/*</url-pattern> </filter-mapping> 

corsfilter

public class simplecorsfilter extends onceperrequestfilter {  @override public void dofilterinternal(httpservletrequest req, httpservletresponse res, filterchain chain) throws ioexception, servletexception {     enumeration<string> headernames = req.getheadernames();     while(headernames.hasmoreelements()){         string headername = headernames.nextelement();         system.out.println("headername " + headername);         system.out.println("headerval " + req.getheader(headername));     }                    httpservletresponse response = (httpservletresponse) res;     response.setheader("access-control-allow-origin", "*");      response.setheader("access-control-allow-methods", "post, get, options, delete");     response.setheader("access-control-max-age", "3600");     response.setheader("access-control-allow-headers", "origin, x-requested-with, content-range, content-disposition, content-type, authorization");     chain.dofilter(req, res); }    } 

this works fine , when @ header names/values see authorization header basic value , hard coded base64 string.

so tried add springsecurity use authorization header basic authentication. here's web.xml , spring security config spring security added in.

updated web.xml

<listener>     <listener-class>org.springframework.web.context.contextloaderlistener</listener-class> </listener>  <context-param>     <param-name>contextconfiglocation</param-name>     <param-value>/web-inf/config/security-config.xml</param-value> </context-param>  <filter>   <filter-name>springsecurityfilterchain</filter-name>   <filter-class>org.springframework.web.filter.delegatingfilterproxy</filter-class> </filter>  <filter-mapping>   <filter-name>springsecurityfilterchain</filter-name>   <url-pattern>/*</url-pattern> </filter-mapping> 

security-config.xml

<http auto-config="true" use-expressions="false">     <intercept-url pattern="/**" access="role_user" />     <http-basic/>     <custom-filter ref="corshandler" before="security_context_filter"/> </http>  <beans:bean id="corshandler" class="com.abcinsights.controller.simplecorsfilter"/>  <authentication-manager>     <authentication-provider>         <jdbc-user-service data-source-ref="datasource"/>     </authentication-provider> </authentication-manager> 

as can see, had add cors filter front of spring security filter chain (i removed web.xml). seems working in sense cors filter still gets called when make request. request coming ajax call no longer has authorization header added in. when remove springsecurity filter chain , put cors filter web.xml authorization header comes back. i'm @ loss wondering if has preflight communication working 1 way when cors filter stand alone in web.xml , way when in spring security filter chain? appreciated.

thanks

the problem angular sending http options request without http authorization header. spring security processing request , sending 401 unauthorized response. angular app getting 401 response spring on options request rather 200 response telling angular go ahead , send post request did have authorization header in it. fix to

a) put corsfilter , springsecurity filter in web.xml (rather having cors filter called within spring). not 100% sure made difference that's final web.xml looked like.

b) added code below link cors filter doesn't delegate springsecurity options request types.

this post got me sorted out: standalone spring oauth2 jwt authorization server + cors

here's code:

web.xml

<display-name>abc insights</display-name> <servlet>     <servlet-name>abcinsightsservlet</servlet-name>     <servlet-class>org.springframework.web.servlet.dispatcherservlet</servlet-class>     <init-param>         <param-name>contextconfiglocation</param-name>         <param-value>/web-inf/config/servlet-config.xml</param-value>     </init-param>  </servlet> <servlet-mapping>     <servlet-name>abcinsightsservlet</servlet-name>     <url-pattern>/</url-pattern> </servlet-mapping>  <!--  stand alone cross origin resource sharing authorization configuration --> <filter>     <filter-name>corsfilter</filter-name>     <filter-class>com.abcinsights.controller.simplecorsfilter</filter-class> </filter> <filter-mapping>     <filter-name>corsfilter</filter-name>     <url-pattern>/*</url-pattern> </filter-mapping>        <!--  spring security configuration --> <listener>     <listener-class>org.springframework.web.context.contextloaderlistener</listener-class> </listener> <context-param>     <param-name>contextconfiglocation</param-name>     <param-value>/web-inf/config/security-config.xml</param-value> </context-param>     <filter>     <filter-name>springsecurityfilterchain</filter-name>     <filter-class>org.springframework.web.filter.delegatingfilterproxy</filter-class> </filter> <filter-mapping>     <filter-name>springsecurityfilterchain</filter-name>     <url-pattern>/*</url-pattern> </filter-mapping> 

here cors filter:

public class simplecorsfilter extends genericfilterbean {     @override     public void dofilter(servletrequest req, servletresponse res, filterchain chain) throws ioexception, servletexception {         httpservletrequest request = (httpservletrequest) req;         httpservletresponse response = (httpservletresponse) res;                response.setheader("access-control-allow-origin", "*");          response.setheader("access-control-allow-methods", "post, get, options, delete");         response.setheader("access-control-max-age", "3600");         response.setheader("access-control-allow-headers", "origin, x-requested-with, content-range, content-disposition, content-type, authorization, x-csrf-token");            if ("options".equalsignorecase(request.getmethod())) {             response.setstatus(httpservletresponse.sc_ok);         } else {             chain.dofilter(req, res);         }                } } 

here angular code:

var login = function (credentials) {     console.log("credentials.email: " + credentials.email);     console.log("credentials.password: " + credentials.password);      var base64credentials = base64.encode(credentials.email + ':' + credentials.password);      var req = {         method: 'get',         url: 'http://localhost:8080/abcinsights/loginpage',         headers: {             'authorization': 'basic ' + base64credentials         }     }      return $http(req).then(function (response) {         return response.data;     });         }; 

hope helps.


Comments

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

jdbc - Not able to establish database connection in eclipse -

firemonkey - How do I make a beep sound in Android using Delphi and the API? -