CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/maven-org-springframework-security--spring-security-remoting

Spring Security Remoting provides security services for remote method invocation in distributed Spring applications including RMI context propagation, HTTP invoker authentication, and DNS resolution utilities.

Pending
Overview
Eval results
Files

http-invoker-auth.mddocs/

HTTP Invoker Authentication

BASIC authentication support for Spring's HTTP invoker remoting. Automatically extracts credentials from SecurityContextHolder and adds them as HTTP BASIC authentication headers to remote method calls.

Deprecation Notice: HTTP invoker authentication APIs are deprecated as of Spring Security 5.6.0 with no replacement.

Capabilities

Authentication HTTP Invoker Request Executor

Extends Spring's SimpleHttpInvokerRequestExecutor to add BASIC authentication support using credentials from the current SecurityContext.

public class AuthenticationSimpleHttpInvokerRequestExecutor extends SimpleHttpInvokerRequestExecutor {
    /**
     * Called every time a HTTP invocation is made.
     * Sets up the connection and adds an Authorization HTTP header for BASIC authentication.
     * Uses SecurityContextHolder to obtain the relevant principal and credentials.
     * @param con the HTTP connection to prepare
     * @param contentLength the length of the content to send
     * @throws IOException if thrown by HttpURLConnection methods
     */
    protected void prepareConnection(HttpURLConnection con, int contentLength) throws IOException;

    /**
     * Extension point for subclasses to perform additional configuration.
     * Called after authentication headers are set.
     * @param con the HTTP connection to prepare
     * @param contentLength the length of the content to send
     * @throws IOException if thrown by HttpURLConnection methods
     */
    protected void doPrepareConnection(HttpURLConnection con, int contentLength) throws IOException;
}

Usage Examples

Basic HTTP Invoker Configuration

import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
import org.springframework.security.authentication.AuthenticationTrustResolver;

// Define your service interface
public interface MyRemoteService {
    String processRequest(String input);
    List<String> getDataList();
}

// Configure HTTP invoker proxy with authentication
HttpInvokerProxyFactoryBean proxy = new HttpInvokerProxyFactoryBean();
proxy.setServiceUrl("http://localhost:8080/remoting/MyRemoteService");
proxy.setServiceInterface(MyRemoteService.class);

// Add authentication support
AuthenticationSimpleHttpInvokerRequestExecutor executor = 
    new AuthenticationSimpleHttpInvokerRequestExecutor();
proxy.setHttpInvokerRequestExecutor(executor);

// Get the proxy instance
MyRemoteService service = (MyRemoteService) proxy.getObject();

// Use the service - authentication will be handled automatically
String result = service.processRequest("test data");

Spring Bean Configuration

<!-- HTTP Invoker Proxy with Authentication -->
<bean id="myRemoteService" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
    <property name="serviceUrl" value="http://localhost:8080/remoting/MyRemoteService"/>
    <property name="serviceInterface" value="com.example.MyRemoteService"/>
    <property name="httpInvokerRequestExecutor" ref="authHttpInvokerRequestExecutor"/>
</bean>

<!-- Authentication-enabled Request Executor -->
<bean id="authHttpInvokerRequestExecutor" 
      class="org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor"/>

Custom Request Executor Extension

import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
import java.net.HttpURLConnection;
import java.io.IOException;

public class CustomHttpInvokerRequestExecutor extends AuthenticationSimpleHttpInvokerRequestExecutor {
    
    @Override
    protected void doPrepareConnection(HttpURLConnection con, int contentLength) throws IOException {
        // Add custom headers after authentication is set up
        con.setRequestProperty("X-Client-Version", "1.0");
        con.setRequestProperty("X-Request-ID", generateRequestId());
        
        // Set custom timeout
        con.setConnectTimeout(5000);
        con.setReadTimeout(30000);
    }
    
    private String generateRequestId() {
        return "REQ-" + System.currentTimeMillis();
    }
}

Using with Security Context

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

// Set up authentication in SecurityContext before making remote calls
Authentication auth = new UsernamePasswordAuthenticationToken("username", "password");
SecurityContextHolder.getContext().setAuthentication(auth);

try {
    // Remote call will automatically include BASIC authentication
    MyRemoteService service = getMyRemoteService(); // configured with AuthenticationSimpleHttpInvokerRequestExecutor
    String result = service.processRequest("secure data");
    System.out.println("Result: " + result);
} finally {
    // Clean up security context
    SecurityContextHolder.clearContext();
}

Authentication Behavior

Automatic Header Generation

The AuthenticationSimpleHttpInvokerRequestExecutor automatically:

  1. Extracts Authentication: Gets the current Authentication from SecurityContextHolder
  2. Validates Credentials: Checks that principal, credentials exist and authentication is not anonymous
  3. Generates Header: Creates HTTP BASIC authentication header using format: Basic base64(username:password)
  4. Sets Request Property: Adds Authorization header to the HTTP connection

Authentication Requirements

For authentication to be applied, the SecurityContext must contain an Authentication that:

  • Is not null
  • Has a non-null name (principal)
  • Has non-null credentials
  • Is not considered anonymous by the AuthenticationTrustResolver

Header Format

The generated Authorization header follows HTTP BASIC authentication standard:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Where the value after "Basic " is Base64-encoded username:password.

Logging

The executor provides debug logging to help troubleshoot authentication:

  • Successful authentication setup: Logs the Authentication details
  • Failed authentication setup: Logs why authentication couldn't be applied

Integration Notes

Server-Side Configuration

The server-side HTTP invoker service exporter should be configured to handle BASIC authentication, typically through Spring Security's HTTP security configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/remoting/**").authenticated()
                .anyRequest().permitAll()
            )
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}

Performance Considerations

  • Authentication headers are generated for every request
  • Base64 encoding is performed on each call
  • Consider connection pooling for frequently used services
  • The executor extends SimpleHttpInvokerRequestExecutor, inheriting its connection management behavior

Install with Tessl CLI

npx tessl i tessl/maven-org-springframework-security--spring-security-remoting

docs

dns-resolution.md

http-invoker-auth.md

index.md

rmi-context-propagation.md

tile.json