I would like to have both form and basic authentication.
If the request comes like https://username:[email protected]/ basic authentication is used. If the request comes like https://mysite.com form authentication is used.
Is that possible?
A:
I've just watched presentation on Spring Security by Ben Alex.
Basically, his small application uses form authentication, but, if you follow the link, scroll to '29:00' where he talks about Basic Authentication being supported out of the box.
Alexander Pogrebnyak
2010-06-17 15:37:21
+1
A:
Yes, this is possible.
Assuming you are using namespace configuration, this is really pretty easy. By default, they are both enabled if you use auto config on the http element. See section 2.2 of the springsecurity3 reference docs. You can set a custom realm for the basic auth by using the realm attribute on the http element. Both form and basic auth will use whatever authentication-provider is configured.
If you aren't using auto config on the http element, you just need to add an <http-basic /> tag as a child to the http element to enable basic auth. Odds are good you aren't interested in the default config for the form authentication, so that tag can be a little more complicated.
Mine looks like this:
<form-login login-page="/login.html"
default-target-url="/home.html" always-use-default-target="true"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"
login-processing-url="/j_spring_security_check" />
Obviously, it is necessary to allow anonymous access to the /login.html path. That page needs to render a form which submits to /j_spring_security_check, which the filter will intercept, find the username and password, and authenticate against the authentication provider which is configured. If you dig into the rest of the namespace, you'll find it is possible to override the names of the fields, etc.
I'm not sure if spring always defaults to using form auth unless an Authorization header is supplied in the request and it is lacking a valid username/password pair, or if it defaults to the first filter or the last, or what. But experimentation should allow you to figure that out easily enough. Looking at the last section of chapter 8 and the first of chapter 9, it looks as though it will send all unauthenticated users to the form entry point unless there is an Authorization header in the request, in which case, a failure to authenticate will result in a basic auth required response to the client. Chapters 8 and 9 are also where you'll look if you want to manually configure everything instead of using the namespace.
The authentication-success-handler and authentication-failure-handler must implement the AuthenticationSuccessHandler and AuthenticationFailureHandler and allow you to customize how the filter will respond to successful and failed authentication attempts. They are not required.