Basic-Auth plus Form-Login based authentication in Spring 3

Hi Peter,

For web application security, does Spring 3 allow Basic authentication followed by Form-login based authentication? If so, is it explained in your book? It would be great if you could mention how.

Hello Kingsly,

Although we don't cover this in the book, it is possible to accomplish this, although it requires some manual configuration. The typical scenario where you would want this is for AJAX calls or the like, which can supply basic authentication credentials as part of the request. If credentials aren't passed, you want form-based authentication to take over. Unfortunately, if you use the namespace (<security:http>) style of configuration for basic authentication, it forces the user into basic authentication and doesn't redirect to the login page (because typically a browser request for basic authentication is triggered by the server sending a particular HTTP header, rather than a redirect to the login form). There are actually some good examples on the net where this is illustrated!

The other scenario is where you want to enable different methods of authentication for different URL paths on your site (for example /ajax would use basic auth, while everything else would use forms) - this would typically be done through explicit bean-based configuration of Spring Security, and manual selection of different filter chains for different URL patterns. We do cover all the configuration required for this in the book; although we don't cover the use of basic authentication specifically, we provide enough detail on other, similar authentication methods that if you have access to the source code, you shouldn't have a hard time figuring out what you need to do.

Hope this answers your question!

The harder I work, the luckier I get. -Sam Goldwyn
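
The per-path split described in the answer above, as an added example that is not part of the original posts or the book. It assumes Spring Security 3.1 or later, where the namespace accepts several `<http>` elements with a `pattern` attribute and turns each into its own filter chain; the `/ajax/**` path, `/login.jsp`, the `ROLE_USER` role, the realm name and the `userDetailsService` bean are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Chain 1, declared first so it is matched before the catch-all chain.
       Requests under /ajax/ (assumed path) are authenticated with HTTP Basic only:
       missing or bad credentials produce 401 + WWW-Authenticate, never a
       redirect to the login form. -->
  <http pattern="/ajax/**" create-session="stateless" realm="example-ajax">
    <!-- Basic credentials are only base64-encoded, so require HTTPS. -->
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
    <http-basic/>
  </http>

  <!-- Chain 2, the catch-all: unauthenticated requests are redirected
       to the login form (assumed to live at /login.jsp). -->
  <http>
    <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"
                   requires-channel="https"/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="https"/>
    <form-login login-page="/login.jsp"/>
    <logout/>
  </http>

  <!-- Both chains share one authentication manager.
       userDetailsService is a hypothetical bean supplied by the application. -->
  <authentication-manager>
    <authentication-provider user-service-ref="userDetailsService"/>
  </authentication-manager>
</beans:beans>
```

The more specific `<http pattern="/ajax/**">` element has to come before the catch-all one, because the chains are tried in declaration order and the first match handles the request.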