Issue
I am using the HTTPBasic authentication scheme in my spring security, and I would like to log all failed and successful login attempts. It seems like the general way to do so is to call a method upon login failure, kind of like this...
.and().formLogin().failureHandler(//method to call upon failure);
However, this requires the form login, and I am using HTTPBasic. How can this be set up so that a failure handler also applies to an HTTPBasic authentication scheme?
Solution
SecurityConfiguration.java
import java.util.logging.Logger;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.service.UserService;
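@SuppressWarnings("deprecation")
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * HTTP Basic security configuration that records every successful and failed
     * authentication attempt.
     *
     * <p>The original version hung a {@code failureHandler} on {@code formLogin()}, which is
     * only invoked by the form-login filter: HTTP Basic failures never reach it. Instead, this
     * class listens for the authentication events that the {@code AuthenticationManager}
     * publishes for every attempt, whichever filter collected the credentials, so the same
     * two listeners cover Basic auth (and form login, if it is ever added back).
     */
    private static final Logger LOG = Logger.getLogger(SecurityConfiguration.class.getName());

    @Autowired
    private UserService userService;

    /** Needed to build the event publisher registered in {@link #configure(AuthenticationManagerBuilder)}. */
    @Autowired
    private ApplicationEventPublisher applicationEventPublisher;

    /** @return the encoder used to verify stored BCrypt password hashes */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** @return a DAO provider backed by {@code userService} and {@link #passwordEncoder()} */
    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userService);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }

    /**
     * Registers the authentication provider and an event publisher.
     *
     * <p>The publisher is set explicitly so that {@link AuthenticationSuccessEvent} and
     * {@link AbstractAuthenticationFailureEvent} are emitted even when no
     * {@code AuthenticationEventPublisher} bean has been auto-configured; without one the
     * listeners below never fire.
     *
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
        auth.authenticationEventPublisher(
                new DefaultAuthenticationEventPublisher(applicationEventPublisher));
    }

    /**
     * Protects {@code /secured} with HTTP Basic and leaves {@code /welcome} open.
     *
     * <p>No {@code formLogin()} is configured: the question is about HTTP Basic, and logging
     * is handled by the event listeners rather than a form-login failure handler.
     *
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/welcome").permitAll()
                .antMatchers("/secured").authenticated()
                .and()
                .httpBasic();
    }

    /**
     * Logs a successful authentication.
     *
     * @param event published by the authentication manager after a successful attempt
     */
    @EventListener
    public void onAuthenticationSuccess(AuthenticationSuccessEvent event) {
        LOG.info(() -> "Login succeeded for user " + event.getAuthentication().getName());
    }

    /**
     * Logs a failed authentication.
     *
     * <p>Only the attempted principal and the failure type are recorded; the submitted
     * credentials are deliberately never written to the log.
     *
     * @param event published by the authentication manager after a failed attempt
     */
    @EventListener
    public void onAuthenticationFailure(AbstractAuthenticationFailureEvent event) {
        LOG.warning(() -> "Login failed for user " + event.getAuthentication().getName()
                + ": " + event.getException().getClass().getSimpleName());
    }
}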
LoginFailureHandler.java
package com.config;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;
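@Component
public class LoginFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    /**
     * Redirects a failed <em>form</em> login back to {@code /login?error}, carrying the
     * submitted e-mail address so the login page can pre-fill it.
     *
     * <p>Note that this handler is only reached through {@code formLogin().failureHandler(...)};
     * the HTTP Basic filter does not consult an {@code AuthenticationFailureHandler}, so
     * Basic-auth failures never arrive here.
     *
     * <p>Two problems in the earlier version are fixed: (1) the {@code email} request parameter
     * was concatenated into the redirect URL unencoded, letting a client-supplied value alter
     * the query string; (2) {@code setDefaultFailureUrl} mutated this shared singleton on every
     * failure, so concurrent failures could redirect one user with another user's e-mail.
     *
     * @param request   the request that failed authentication
     * @param response  the response to redirect
     * @param exception the cause of the failure
     * @throws IOException      if the redirect cannot be written
     * @throws ServletException never thrown here; declared by the parent contract
     */
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        StringBuilder redirectUrl = new StringBuilder("/login?error");
        String email = request.getParameter("email");
        if (email != null && !email.isEmpty()) {
            // Client-controlled value: encode it so '&', '#' and friends cannot rewrite the target.
            redirectUrl.append("&email=")
                    .append(URLEncoder.encode(email, StandardCharsets.UTF_8.name()));
        }
        // Persist the exception exactly as the parent's onAuthenticationFailure does, then
        // redirect per request instead of changing the shared default failure URL.
        saveException(request, exception);
        getRedirectStrategy().sendRedirect(request, response, redirectUrl.toString());
    }
}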
Answered By - Aman