Basic-Auth plus Form-Login based authentication in Spring 3

 
Kingsly Theodar
Hi Peter,

For web application security, does Spring 3 allow Basic authentication followed by Form-login based authentication? If so, is it explained in your book? It would be great if you could mention how.

Thanks,
Kingsly
 
Peter Mularien
Author
Hello Kingsly,

Although we don't cover this in the book, it is possible to accomplish this, although it requires some manual configuration. The typical scenario where you would want this is for AJAX calls or the like, which can supply basic authentication credentials as part of the request. If credentials aren't passed, you want form-based authentication to take over. Unfortunately, if you use the namespace (<security:http>) style of configuration for basic authentication, it forces the user into basic authentication and doesn't redirect to the login page (because typically a browser request for basic authentication is triggered by the server sending a particular HTTP header, rather than a redirect to the login form). There are actually some good examples on the net where this is illustrated!

The other scenario is where you want to enable different methods of authentication for different URL paths on your site (for example, /ajax would use basic auth, while everything else would use forms). This would typically be done through explicit bean-based configuration of Spring Security, and manual selection of different filter chains for different URL patterns. We do cover all the configuration required for this in the book. Although we don't cover the use of basic authentication specifically, we provide enough detail on other, similar authentication methods that, if you have access to the source code, you shouldn't have a hard time figuring out what you need to do.

Hope this answers your question!

Best
Peter
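As an added example, not from the book or from either poster: the second scenario (basic auth under /ajax, form login everywhere else) expressed in namespace style, which is possible once Spring Security 3.1 introduced multiple <security:http> elements with a pattern attribute. The /ajax path, the login page and the in-memory user are constructed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Filter chain 1: /ajax/** uses HTTP Basic only.
       Listed first because the first matching chain wins.
       No session is created, so every call must carry its own credentials;
       a missing or invalid Authorization header yields 401 + WWW-Authenticate,
       never a redirect to the login form. -->
  <security:http pattern="/ajax/**" create-session="stateless" use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:http-basic/>
  </security:http>

  <!-- Filter chain 2: everything else uses form login with a normal session.
       Unauthenticated requests are redirected to the login page. -->
  <security:http use-expressions="true">
    <security:intercept-url pattern="/login.jsp" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:form-login login-page="/login.jsp"/>
    <security:logout/>
  </security:http>

  <!-- Constructed in-memory user shared by both chains; a real deployment
       would plug in a JDBC/LDAP provider and a password encoder here. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="user" password="CHANGE-ME" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

Because the /ajax chain is stateless, a browser session established through the form does not carry over to /ajax calls; AJAX clients must send the Basic header on every request.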
 