Thursday 1 July 2010

Using both Http-basic and session based form-login authorisation in Spring Security with wget (--auth-no-challenge)

We recently changed our Spring Security configuration from http-basic to form-login, well actually we used
<http 
auto-config="true" >
which is shorthand for
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login />
<anonymous />
<http-basic />
<logout />
<remember-me />
</http>

The above, and the rest of the documentation suggests that both http-basic and form-login should work simultaneously. However my wget script broke on the change over. The wget command was
wget  --user=foo@example.org --password=bar --post-data="" \
-d http://localhost/protectedUrl 

This got redirected to the forms login page, as though the authorisation header was being ignored. However alimanfoo was able to use authenticated requests from java to access the protected urls.

Further research revealed that wget only issues authorisation headers in response to a challenge, unless the --auth-no-challenge qualifier is added.
wget  --user=foo@example.org --password=bar --post-data="" \
--auth-no-challenge -d http://localhost/protectedUrl 
You might have thought that supplying username and password meant that you wanted to set them, and this was the behaviour of wget 1.10.2 and prior but no longer.

In fluent manpage we get:
Use of this option is not recommended, and is intended only to
support some few obscure servers, which never send HTTP
authentication challenges, but accept unsolicited auth info, say,
in addition to form-based authentication.

So I am off to explain the use-case to the maintainer list.