SEC-2803: Add HttpStatusEntryPoint

[spring-projects-issues]

Dave Syer (Migrated from SEC-2803) said:

There doesn't appear to be an entry point that sends a 401 with an arbitrary WWW-Authenticate header. BasicAuthenticationEntryPoint is nearly good enough, but it always sends "Basic ..." and that might not be what we are asking for. Example: a JavaScript client wants to detect the 401 without popping up a Basic auth dialog (which the browser will do automatically).

[spring-projects-issues]

Dave Syer said:

Actually the custom "X-Requested-With" is a conventional header sent by browser clients, and it used to be the default in Angular but they took it out in 1.3.0. Spring Security responds to it by not sending a "WWW-Authenticate" header in a 401 response anyway, and thus the browser will not pop up an authentication dialog (which is desirable in our app since we want to control the authentication). So you can get close to the desired behaviour using Spring Security 3.2 as long as the client sends the right header.

Here's a pull request anyway: #177

[spring-projects-issues]

Rob Winch said:

NOTE: The following is from the github PR:

I wonder if it makes more sense to put this in another AuthenticationEntryPoint all together. The reason is that BasicAuthenticationEntryPoint seems to imply that it is performing basic authentication. As soon as the challenge is removed, this is no longer the case.

What are your thoughts on creating an HttpStatusAuthenticationEntryPoint that allows setting the HttpStatus and (optionally) any headers the client wishes to send? I'm guessing in most cases a client doesn't even need the headers, so perhaps we should leave that out for now.

I'm ok with it either way. Thanks.