
Basic-Auth plus Form-Login based authentication in Spring 3

Kingsly Theodar

Joined: Feb 21, 2004
Posts: 19
Hi Peter,

For web application security, does Spring 3 allow Basic authentication followed by Form-login based authentication? If so, is it explained in your book? It would be great if you could mention how.

Peter Mularien
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Hello Kingsly,

Although we don't cover this in the book, it is possible to accomplish this, although it requires some manual configuration. The typical scenario where you would want this is for AJAX calls or the like, which can supply basic authentication credentials as part of the request. If credentials aren't passed, you want form-based authentication to take over. Unfortunately, if you use the namespace (<security:http>) style of configuration for basic authentication, it forces the user into basic authentication and doesn't redirect to the login page (because typically a browser request for basic authentication is triggered by the server sending a particular HTTP header, rather than a redirect to the login form). There are actually some good examples on the net where this is illustrated!

The other scenario is where you want to enable different methods of authentication for different URL paths on your site (for example /ajax would use basic auth, while everything else would use forms) - this would typically be done through explicit bean-based configuration of Spring Security, and manual selection of different filter chains for different URL patterns. We do cover all the configuration required for this in the book. Although we don't cover the use of basic authentication specifically, we provide enough detail on other, similar authentication methods that if you have access to the source code, you shouldn't have a hard time figuring out what you need to do.

Hope this answers your question!


Author, Spring Security 3 (the Book), Packt Publishing, 2010
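
The second scenario in the reply above (basic auth for /ajax, form login for everything else), sketched as Spring Security 3.0 bean-based configuration. This is an added example, not code from the post or the book. The bean ids, the /login.jsp and /ajax/** URLs, the realm name and the ROLE_USER rule are assumptions, and the fragment expects an enclosing <beans> element with the security namespace declared plus an "authenticationManager" bean defined elsewhere.

```xml
<!-- Added example for Spring Security 3.0; all ids, URLs and roles are assumptions -->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
  <security:filter-chain-map>
    <!-- the login page itself must be reachable without authentication -->
    <security:filter-chain pattern="/login.jsp*" filters="none"/>
    <!-- /ajax/**: missing or bad credentials get a 401 challenge, never a redirect -->
    <security:filter-chain pattern="/ajax/**" filters="contextFilter,basicFilter,basicEtf,fsi"/>
    <!-- everything else: unauthenticated requests are redirected to the login form -->
    <security:filter-chain pattern="/**" filters="contextFilter,formFilter,formEtf,fsi"/>
  </security:filter-chain-map>
</bean>
<bean id="contextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

<!-- Basic auth: the entry point sends WWW-Authenticate; serve these URLs over HTTPS only -->
<bean id="basicEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
  <property name="realmName" value="ajax"/>
</bean>
<bean id="basicFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationEntryPoint" ref="basicEntryPoint"/>
</bean>
<bean id="basicEtf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="basicEntryPoint"/>
</bean>

<!-- Form login: the entry point redirects to the login page instead of challenging -->
<bean id="formEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
  <property name="loginFormUrl" value="/login.jsp"/>
</bean>
<bean id="formFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="formEtf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="formEntryPoint"/>
</bean>

<!-- Shared authorization step: both chains require ROLE_USER -->
<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="securityMetadataSource">
    <security:filter-security-metadata-source>
      <security:intercept-url pattern="/**" access="ROLE_USER"/>
    </security:filter-security-metadata-source>
  </property>
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <property name="decisionVoters">
    <list><bean class="org.springframework.security.access.vote.RoleVoter"/></list>
  </property>
</bean>
```

Each chain pairs its authentication filter with an ExceptionTranslationFilter wired to the matching entry point, which is what decides between a 401 challenge and a redirect to the login form.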