How to make a request from an android app that can enter a Spring Security secured webservice method?

Question

I have a Spring Security (form based authentication) web app running CXF JAX-RS webservices and I am trying to connect to this webservice from an Android app that can be authenticated on a per user basis. Currently, when I add an @Secured annotation to my webservice method all requests to this method are denied. I have tried to pass in credentials of a valid user/password (that currently exists in the Spring Security based web app and can log in to the web app successfully) from the android call but the request still fails to enter this method when the @Secured annotation is present. The SecurityContext parameter returns null when calling getUserPrincipal().

How can I make a request from an android app that can enter a Spring Security secured webservice method?

Here is the code I am working with at the moment:

Android call:

httpclient.getCredentialsProvider().setCredentials(
          //new AuthScope("192.168.1.101", 80), 
          new AuthScope(null, -1),
         new UsernamePasswordCredentials("joeuser", "mypassword"));

  String userAgent = "Android/" + getVersion();      


  HttpGet httpget = new HttpGet(MY_URI);
  httpget.setHeader("User-Agent", userAgent);
  httpget.setHeader("Content-Type", "application/xml");

  HttpResponse response;

  try {
      response = httpclient.execute(httpget);
      HttpEntity entity = response.getEntity();

      ... parse xml

Webservice Method:

@GET
@Path("/payload")
@Produces("application/XML")
@Secured({"ROLE_USER","ROLE_ADMIN","ROLE_GUEST"})
public Response makePayload(@Context Request request, @Context SecurityContext securityContext){

         Payload payload = new Payload();
         payload.setUsersOnline(new Long(200));

            if (payload == null) {
                return Response.noContent().build();
            }
            else{
                 return Response.ok().entity(payload).build();
            }

 }

Answer 1

you resolve this? because I'm having the same problem... and I don't know how to solve it...

Answer 2

I did resolve this issue. In my case, the problem was that I had mistakenly added security annotations on methods that were already being tracked in Spring Security from a configuration in an intercept-url pattern in a Spring Security xml file.

After all was said and done it is very simple and works great. The only trick to it is that your Android client must create a static DefaultHttpClient, call the login servlet of your website with that client, and then make all subsequent calls using the same httpClient instance. Your android requests can then enter secured methods, maintain a session and be treated as any normal user.

The following code from my original question is superfulous and I do not use it at all: httpclient.getCredentialsProvider().setCredentials( ... As eluded to, I also am not using the security annotations as I have my urls secured in an xml file.

Answer 3

If you have some time, can you please help me with this?, cause I couldnt make it work... My mail is: diealive [at] gmail [dot] com