With Spring Security 3 (and the XML files), it seems like it was possible to customize what happens when basic authentication succeeds or fails:

http://stackoverflow.com/questions/16734537/spring-security-3-http-basic-authentication-success-handler

With Spring Security 4, the pattern seems to have changed. To configure HTTP Basic Authentication for a web service, WebSecurityConfigurerAdapter needs to be extended and the method configure(HttpSecurity http) overridden. For example, in this method we can enable HTTP Basic with code like:

        // Use Basic Authentication
        http.httpBasic();

        http.authorizeRequests()
                .antMatchers("/1/some_resource/**").hasAuthority("USER");

When I looked into what httpBasic does, I noticed that it uses HttpBasicConfigurer (final class) which has explicit instantiation of BasicAuthenticationFilter class:

        BasicAuthenticationFilter basicAuthenticationFilter = new BasicAuthenticationFilter(authenticationManager, authenticationEntryPoint);

https://github.com/spring-projects/spring-security/blob/9654817fd85c5081c3874060ea30b9bec9a7934e/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java#L166

The onSuccessfulAuthentication and onUnsuccessfulAuthentication methods on BasicAuthenticationFilter do nothing: https://github.com/spring-projects/spring-security/blob/9654817fd85c5081c3874060ea30b9bec9a7934e/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java#L259-L265

If I want to provide a custom behavior (for example: do something after 5 failed attempts), there is no way for me to customize what the call to method HttpSecurity.httpBasic() does. I wasn't able to find a place where I might implement AuthenticationSuccessHandler or AuthenticationFailureHandler.

I would either have to switch to the way of Spring Security 3 or make a copy (since it is a final class) of HttpBasicConfigurer which instantiates my own CustomBasicAuthenticationFilter class.

Is there a plan in the final version of Spring Security 4.0 to have some customization of HTTP Basic Authentication?

Comment From: rwinch

You can extend the BasicAuthenticationFilter and insert it as shown below:

    http
        .addFilter(new CustomBasicAuthenticationFilter())
        ...

If your Filter does not extend BasicAuthenticationFilter, you need to give Spring Security instructions where to place the Filter. You can do this using the following:

    http
        .addFilterBefore(new CustomBasicAuthenticationFilter(), BasicAuthenticationFilter.class)
        ...
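
An added example, not part of the original thread or of Spring Security's own code: one way to write the CustomBasicAuthenticationFilter discussed above so that it reacts after 5 failed attempts, by overriding the two hook methods the question mentions. Keying the counter on the client address, the realm name and the warning log as the reaction are assumptions; it targets Spring Security 4 on Java 8.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Added example: counts failed Basic logins per client address (an assumed key).
public class CustomBasicAuthenticationFilter extends BasicAuthenticationFilter {
    private static final int MAX_FAILURES = 5; // threshold taken from the question
    // Unbounded in this sketch; production code needs expiry (for example a TTL cache).
    private final ConcurrentMap<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    public CustomBasicAuthenticationFilter(AuthenticationManager manager,
                                           AuthenticationEntryPoint entryPoint) {
        super(manager, entryPoint); // with an entry point, failures end in a 401 challenge
    }

    @Override
    protected void onSuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, Authentication authResult) throws IOException {
        failures.remove(request.getRemoteAddr()); // reset the counter on success
    }

    @Override
    protected void onUnsuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException failed) throws IOException {
        String client = request.getRemoteAddr(); // behind a proxy this is the proxy's address
        int count = failures.computeIfAbsent(client, k -> new AtomicInteger()).incrementAndGet();
        if (count >= MAX_FAILURES) {
            // React here: raise an alert, write an audit event, or feed a lockout store.
            logger.warn("Basic auth failed " + count + " times from " + client);
        }
    }
}

// In the WebSecurityConfigurerAdapter subclass, in place of http.httpBasic():
//   BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
//   entryPoint.setRealmName("example-realm"); // constructed value
//   http.exceptionHandling().authenticationEntryPoint(entryPoint);
//   http.addFilter(new CustomBasicAuthenticationFilter(authenticationManager(), entryPoint));
```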

Comment From: mmladenovski

@rwinch, thank you for the clarification.

Comment From: wick-z

You can extend the BasicAuthenticationFilter and insert it as shown below:

    http
        .addFilter(new CustomBasicAuthenticationFilter())
        ...

If your Filter does not extend BasicAuthenticationFilter, you need to give Spring Security instructions where to place the Filter. You can do this using the following:

    http
        .addFilterBefore(new CustomBasicAuthenticationFilter(), BasicAuthenticationFilter.class)
        ...

Hi, I wonder if there is a way to set up a default basic authorization. Just like this in Feign:

    @Bean
    public BasicAuthRequestInterceptor basicAuthRequestInterceptor() {
        return new BasicAuthRequestInterceptor(clientId, clientSecret);
    }