Class Http401UnauthorizedEntryPoint
java.lang.Object
org.pentaho.platform.web.http.security.Http401UnauthorizedEntryPoint
All Implemented Interfaces:
org.springframework.security.web.AuthenticationEntryPoint
public class Http401UnauthorizedEntryPoint
extends Object
implements org.springframework.security.web.AuthenticationEntryPoint
An entry point that always returns an HTTP 401 Unauthorized status code.
This entry point differs from PentahoBasicAuthenticationEntryPoint, which also returns a 401 status code, by
not sending a `WWW-Authenticate` header. This non-standard (albeit de facto) behavior is used to prevent some web
browsers (e.g. Chrome) from prompting the user for credentials, even if the request is made by a script in a web
browser. This way it is possible to mitigate the risks of using Basic Authentication in a web browser context, which
can cause credential leakage during a client session that crosses server sessions.
Basic Authentication handling is reserved for non-browser clients, such as tools or scripts, which can explicitly control the lifetime of the credentials stored on the client side.
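The contrast described above, as an added example that is not Pentaho's own code: a hypothetical `Silent401EntryPoint` reproduces the documented behaviour, and Spring Security's `BasicAuthenticationEntryPoint` stands in for `PentahoBasicAuthenticationEntryPoint`. It assumes spring-security-web, spring-test and the Jakarta Servlet API are on the classpath; the class names, request path and realm are constructed.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

public class EntryPointContrast {

    // Hypothetical stand-in for the documented behaviour: 401 with no challenge header.
    static class Silent401EntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException {
            // Deliberately no WWW-Authenticate header, so the browser is given
            // no scheme to prompt the user for credentials.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
        }
    }

    // Runs an entry point against a constructed request and returns the response.
    static MockHttpServletResponse challenge(AuthenticationEntryPoint entryPoint) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/example"); // constructed path
        MockHttpServletResponse response = new MockHttpServletResponse();
        entryPoint.commence(request, response, new BadCredentialsException("constructed failure"));
        return response;
    }

    public static void main(String[] args) throws Exception {
        BasicAuthenticationEntryPoint basic = new BasicAuthenticationEntryPoint();
        basic.setRealmName("example-realm"); // constructed realm name
        MockHttpServletResponse withChallenge = challenge(basic);
        MockHttpServletResponse silent = challenge(new Silent401EntryPoint());

        System.out.println("basic:  " + withChallenge.getStatus() + " WWW-Authenticate="
                + withChallenge.getHeader("WWW-Authenticate"));
        System.out.println("silent: " + silent.getStatus() + " WWW-Authenticate="
                + silent.getHeader("WWW-Authenticate"));

        // Regression guard: a filter or container adding the header would undo the mitigation.
        if (silent.getStatus() != 401 || silent.containsHeader("WWW-Authenticate")) {
            throw new IllegalStateException("browser-facing 401 must not carry a challenge");
        }
    }
}
```

The same guard is worth running against the deployed filter chain, since the header can be added by a component other than the entry point.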
Constructor Summary
Constructors
Method Summary
Modifier and Type: void
Method: commence(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException arg2)
Description: Always returns a 401 error code to the client.
Constructor Details
Http401UnauthorizedEntryPoint
public Http401UnauthorizedEntryPoint()
Method Details
commence
public void commence(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException arg2) throws IOException
Always returns a 401 error code to the client.
Specified by:
commence in interface org.springframework.security.web.AuthenticationEntryPoint
Throws:
IOException