0
# HTTP Invoker Authentication
1

2
BASIC authentication support for Spring's HTTP invoker remoting. Automatically extracts credentials from SecurityContextHolder and adds them as HTTP BASIC authentication headers to remote method calls.
3

4
**Deprecation Notice**: HTTP invoker authentication APIs are deprecated as of Spring Security 5.6.0 with no replacement.
5

6
## Capabilities
7

8
### Authentication HTTP Invoker Request Executor
9

10
Extends Spring's SimpleHttpInvokerRequestExecutor to add BASIC authentication support using credentials from the current SecurityContext.
11

12
```java { .api }
13
public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
14
    /**
15
     * Called every time a HTTP invocation is made.
16
     * Sets up the connection and adds an Authorization HTTP header for BASIC authentication.
17
     * Uses SecurityContextHolder to obtain the relevant principal and credentials.
18
     * @param con the HTTP connection to prepare
19
     * @param contentLength the length of the content to send
20
     * @throws IOException if thrown by HttpURLConnection methods
21
     */
22
    protected void prepareConnection(HttpURLConnection con, int contentLength) throws IOException;
23

24
    /**
25
     * Extension point for subclasses to perform additional configuration.
26
     * Called after authentication headers are set.
27
     * @param con the HTTP connection to prepare
28
     * @param contentLength the length of the content to send
29
     * @throws IOException if thrown by HttpURLConnection methods
30
     */
31
    protected void doPrepareConnection(HttpURLConnection con, int contentLength) throws IOException;
32
}
33
```
34

35
## Usage Examples
36

37
### Basic HTTP Invoker Configuration
38

39
```java
40
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
41
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
42
import org.springframework.security.authentication.AuthenticationTrustResolver;
43

44
// Define your service interface
45
public interface MyRemoteService {
46
    String processRequest(String input);
47
    List<String> getDataList();
48
}
49

50
// Configure HTTP invoker proxy with authentication
51
HttpInvokerProxyFactoryBean proxy = new HttpInvokerProxyFactoryBean();
52
proxy.setServiceUrl("http://localhost:8080/remoting/MyRemoteService");
53
proxy.setServiceInterface(MyRemoteService.class);
54

55
// Add authentication support
56
AuthenticationSimpleHttpInvokerRequestExecutor executor = 
57
    new AuthenticationSimpleHttpInvokerRequestExecutor();
58
proxy.setHttpInvokerRequestExecutor(executor);
59

60
// Get the proxy instance
61
MyRemoteService service = (MyRemoteService) proxy.getObject();
62

63
// Use the service - authentication will be handled automatically
64
String result = service.processRequest("test data");
65
```
66

67
### Spring Bean Configuration
68

69
```xml
70
<!-- HTTP Invoker Proxy with Authentication -->
71
<bean id="myRemoteService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
72
    <property name="serviceUrl" value="http://localhost:8080/remoting/MyRemoteService"/>
73
    <property name="serviceInterface" value="com.example.MyRemoteService"/>
74
    <property name="httpInvokerRequestExecutor" ref="authHttpInvokerRequestExecutor"/>
75
</bean>
76

77
<!-- Authentication-enabled Request Executor -->
78
<bean id="authHttpInvokerRequestExecutor" 
79
      class="org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor"/>
80
```
81

82
### Custom Request Executor Extension
83

84
```java
85
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
86
import java.net.HttpURLConnection;
87
import java.io.IOException;
88

89
public class CustomHttpInvokerRequestExecutor extends AuthenticationSimpleHttpInvokerRequestExecutor {
90
    
91
    @Override
92
    protected void doPrepareConnection(HttpURLConnection con, int contentLength) throws IOException {
93
        // Add custom headers after authentication is set up
94
        con.setRequestProperty("X-Client-Version", "1.0");
95
        con.setRequestProperty("X-Request-ID", generateRequestId());
96
        
97
        // Set custom timeout
98
        con.setConnectTimeout(5000);
99
        con.setReadTimeout(30000);
100
    }
101
    
102
    private String generateRequestId() {
103
        return "REQ-" + System.currentTimeMillis();
104
    }
105
}
106
```
107

108
### Using with Security Context
109

110
```java
111
import org.springframework.security.core.Authentication;
112
import org.springframework.security.core.context.SecurityContextHolder;
113
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
114

115
// Set up authentication in SecurityContext before making remote calls
116
Authentication auth = new UsernamePasswordAuthenticationToken("username", "password");
117
SecurityContextHolder.getContext().setAuthentication(auth);
118

119
try {
120
    // Remote call will automatically include BASIC authentication
121
    MyRemoteService service = getMyRemoteService(); // configured with AuthenticationSimpleHttpInvokerRequestExecutor
122
    String result = service.processRequest("secure data");
123
    System.out.println("Result: " + result);
124
} finally {
125
    // Clean up security context
126
    SecurityContextHolder.clearContext();
127
}
128
```
129

130
## Authentication Behavior
131

132
### Automatic Header Generation
133

134
The `AuthenticationSimpleHttpInvokerRequestExecutor` automatically:
135

136
1. **Extracts Authentication**: Gets the current Authentication from SecurityContextHolder
137
2. **Validates Credentials**: Checks that principal, credentials exist and authentication is not anonymous
138
3. **Generates Header**: Creates HTTP BASIC authentication header using format: `Basic base64(username:password)`
139
4. **Sets Request Property**: Adds `Authorization` header to the HTTP connection
140

141
### Authentication Requirements
142

143
For authentication to be applied, the SecurityContext must contain an Authentication that:
144
- Is not null
145
- Has a non-null name (principal)
146
- Has non-null credentials
147
- Is not considered anonymous by the AuthenticationTrustResolver
148

149
### Header Format
150

151
The generated Authorization header follows HTTP BASIC authentication standard:
152
```
153
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
154
```
155
Where the value after "Basic " is Base64-encoded `username:password`.
156

157
### Logging
158

159
The executor provides debug logging to help troubleshoot authentication:
160
- Successful authentication setup: Logs the Authentication details
161
- Failed authentication setup: Logs why authentication couldn't be applied
162

163
## Integration Notes
164

165
### Server-Side Configuration
166

167
The server-side HTTP invoker service exporter should be configured to handle BASIC authentication, typically through Spring Security's HTTP security configuration:
168

169
```java
170
@Configuration
171
@EnableWebSecurity
172
public class SecurityConfig {
173
    
174
    @Bean
175
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
176
        return http
177
            .authorizeHttpRequests(auth -> auth
178
                .requestMatchers("/remoting/**").authenticated()
179
                .anyRequest().permitAll()
180
            )
181
            .httpBasic(Customizer.withDefaults())
182
            .build();
183
    }
184
}
185
```
186

187
### Performance Considerations
188

189
- Authentication headers are generated for every request
190
- Base64 encoding is performed on each call
191
- Consider connection pooling for frequently used services
192
- The executor extends SimpleHttpInvokerRequestExecutor, inheriting its connection management behavior