Basic-Auth plus Form-Login based authentication in Spring 3

Kingsly Theodar
Greenhorn

Joined: Feb 21, 2004
Posts: 19
Hi Peter,

For web application security, does Spring 3 allow Basic authentication followed by Form-login based authentication? If so, is it explained in your book? It would be great if you could mention how.

Thanks,
Kingsly
Peter Mularien
Author
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Hello Kingsly,

Although we don't cover this in the book, it is possible to accomplish this, although it requires some manual configuration. The typical scenario where you would want this is for AJAX calls or the like, which can supply basic authentication credentials as part of the request. If credentials aren't passed, you want form-based authentication to take over. Unfortunately, if you use the namespace (<security:http>) style of configuration for basic authentication, it forces the user into basic authentication and doesn't redirect to the login page (because typically a browser request for basic authentication is triggered by the server sending a particular HTTP header, rather than a redirect to the login form). There are actually some good examples on the net where this is illustrated!

The other scenario is where you want to enable different methods of authentication for different URL paths on your site (for example /ajax would use basic auth, while everything else would use forms) - this would typically be done through explicit bean-based configuration of Spring Security, and manual selection of different filter chains for different URL patterns. We do cover all the configuration required for this in the book; although we don't cover the use of basic authentication specifically, we provide enough detail on other, similar authentication methods that, if you have access to the source code, you shouldn't have a hard time figuring out what you need to do.

Hope this answers your question!

Best
Peter


Author, Spring Security 3 (the Book), Packt Publishing, 2010
SCJP, OCP
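
The second scenario in the answer above (basic auth for /ajax, form login for everything else), as an added configuration sketch that is not from the book or from either poster. It assumes Spring Security 3.0 class names and a `<beans>` file with the `security` namespace declared; the bean ids, URL patterns, realm name, login page, and the `authenticationManager`, `accessDecisionManager` and `securityMetadataSource` beans defined elsewhere are all assumptions.

```xml
<!-- Added illustration: explicit FilterChainProxy with one chain per URL pattern.
     Bean ids, URLs and the three referenced manager/metadata beans are assumptions. -->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
  <security:filter-chain-map path-type="ant">
    <!-- The first matching pattern wins, so the narrower /ajax/** is listed first. -->
    <security:filter-chain pattern="/ajax/**"
        filters="securityContextFilter,basicAuthFilter,basicExceptionFilter,filterSecurityInterceptor"/>
    <security:filter-chain pattern="/**"
        filters="securityContextFilter,formLoginFilter,formExceptionFilter,filterSecurityInterceptor"/>
  </security:filter-chain-map>
</bean>
<bean id="securityContextFilter"
      class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

<!-- /ajax/**: credentials come in the Authorization header; failure is a 401 challenge, no redirect. -->
<bean id="basicEntryPoint"
      class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
  <property name="realmName" value="Example AJAX API"/>
</bean>
<bean id="basicAuthFilter"
      class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationEntryPoint" ref="basicEntryPoint"/>
</bean>
<bean id="basicExceptionFilter"
      class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="basicEntryPoint"/>
</bean>

<!-- Everything else: unauthenticated requests are redirected to the login form. -->
<bean id="formEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
  <property name="loginFormUrl" value="/login.jsp"/>
</bean>
<bean id="formLoginFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="formExceptionFilter"
      class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="formEntryPoint"/>
</bean>

<!-- Shared authorization step; each chain's ExceptionTranslationFilter decides how to challenge. -->
<bean id="filterSecurityInterceptor"
      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="securityMetadataSource" ref="securityMetadataSource"/>
</bean>
```

Basic authentication sends the credentials, only base64-encoded, on every request, so the /ajax/** paths should be served over HTTPS only.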