I have some url secured with spring (configured through xml). It works. However when I try to hit that endpoint with an ajax request I get a 302 (found) response. This redirects my ajax call to the login page (so I GET the html). However I'd like to get a 401 (unauthorized) response with the url of the login page available to the client application, so I can redirect the user there with javascript. This question seems to be the closest to what I want, but there's no example and it suggests changing the controller again. Is there no configuration in spring-security that will give me a 401 and a url (or some other sensible error message and the url of the login page)?
asked Nov 17, 2011 at 17:05 by Josh, edited May 23, 2017 at 11:58
Comment: Do you want all URLs in your application to return 401 if you're not logged in, or do you want only some URLs (the AJAX ones only) to return 401? – gutch, Dec 8, 2011 at 6:25
2 Answers
You can extend LoginUrlAuthenticationEntryPoint. Here is mine:
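package hu.progos.springutils;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

public class AjaxAwareLoginUrlAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
        // AJAX callers get an error status instead of the 302 to the login page
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
        } else {
            // Regular browser requests keep the default redirect to loginFormUrl
            super.commence(request, response, authException);
        }
    }
}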
Then configure spring to use your implementation:
<beans:bean id="authEntryPoint" class="hu.progos.springutils.AjaxAwareLoginUrlAuthenticationEntryPoint" scope="singleton">
<beans:property name="loginFormUrl" value="/login.html" />
</beans:bean>
<http entry-point-ref="authEntryPoint">
<!-- your settings here -->
</http>
There are a million ways to do this of course. But the short solution to your problem is this configuration snippet:
<bean id="customAuthEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/your-custom-login" />
</bean>
I also take a step further and turn off the security auto-config so I can map the above entry point like so:
<security:http auto-config="false" entry-point-ref="customAuthEntryPoint">
...
...
</security:http>
I also override a bunch of spring security classes to get the security model to do exactly what I want. It's a slippery slope, but it's nice having the control once it works the way you want it to.
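An added example, not code from either answer: an entry point that gives AJAX callers the 401 plus login URL the question asks for, while other requests keep the normal redirect. The package, class name, `X-Login-Url` header and JSON body are assumptions made for illustration; it also assumes Spring Security 3.2 to 5.x (constructor-injected `loginFormUrl`, `javax.servlet`) and a context-relative login path.

```java
package com.example.security; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

public class UnauthorizedAjaxEntryPoint extends LoginUrlAuthenticationEntryPoint {

    // Hypothetical header the client script reads to find the login page.
    public static final String LOGIN_URL_HEADER = "X-Login-Url";

    // Wire with <constructor-arg value="/login.html"/> instead of a property.
    public UnauthorizedAjaxEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // X-Requested-With is client-controlled: it only selects the response
        // format here and is never used for an access decision.
        if (!"XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            super.commence(request, response, authException); // usual 302
            return;
        }
        // The URL comes from server configuration, never from request
        // parameters, so the client cannot be steered to an arbitrary site.
        String loginUrl = request.getContextPath() + getLoginFormUrl();

        // setStatus (not sendError) keeps the container from replacing the
        // body with its HTML error page.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader(LOGIN_URL_HEADER, loginUrl);
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(
            "{\"error\":\"unauthorized\",\"loginUrl\":\"" + escape(loginUrl) + "\"}");
    }

    // Minimal JSON string escaping for the configured URL.
    private static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

On Spring Security 6 the servlet imports become `jakarta.servlet`; the client should read the URL from the header or body and compare it against the path it expects before navigating.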