May I know whether we can specify a URL for http-basic, so that it only authenticates when going to a particular page, for example login.jsp? I do not want to use form login.

+1  A: 

You can do it by configuration of your web application, whether you are using Spring or not.

Configuring Security in Web Applications

The resources to which you are going to apply the security constraint are specified in the "security-constraint" element of the web.xml deployment descriptor. For example:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>SecureOrdersEast</web-resource-name>
          <description>
             Security constraint for
             resources in the orders/east directory
          </description>
          <url-pattern>/orders/east/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
          <description>
           constraint for east coast sales
          </description>
          <role-name>east</role-name>
          <role-name>manager</role-name>
     </auth-constraint>
     <user-data-constraint>
          <description>SSL not required</description>
          <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
</security-constraint>

And to define the auth method as BASIC, you also have to define it in the web.xml file, in a login-config element:

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

In the login-config you can also define the login realm and other options. You can find more information at web.xml Deployment Descriptor Elements: login-config.

Tomas Narros
No, I want to use the Spring approach, which is <security:http-basic />
cometta
@cometta: sorry, it wasn't very clear in the original question
Tomas Narros
+1  A: 

The Spring approach:

<security:http>
    <security:http-basic></security:http-basic>
    <security:intercept-url method="POST" pattern="/mypage.jsp" access="ROLE_USER" />
</security:http>

As you see, in the intercept-url element you can define the resources under access control. It has a pattern attribute where you can define the URL pattern (admitting wildcards) of such resources.

Tomas Narros
Is it possible to define url=login.jsp to do form login, and url=login2.jsp to do http-basic login?
cometta
Yes, from Spring Security 3.1 you can add the "pattern" attribute to the http element, and this configuration will just apply to the matching URLs.
Tomas Narros
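
A sketch of the Spring Security 3.1 multi-`http` configuration mentioned in the comment above, added here as an example and not taken from any of the answers. The realm name, the catch-all form-login chain, the in-memory user and the HTTPS requirement are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Chain 1: applies only to /login2.jsp and uses HTTP Basic.
         <http> elements are matched in declaration order, so the most
         specific pattern has to come before the catch-all chain. -->
    <security:http pattern="/login2.jsp" create-session="stateless"
                   realm="Example Realm"> <!-- realm name is an assumption -->
        <!-- Basic credentials are only Base64-encoded and are resent on
             every request, so this chain insists on HTTPS. -->
        <security:intercept-url pattern="/**" access="ROLE_USER"
                                requires-channel="https"/>
        <security:http-basic/>
    </security:http>

    <!-- The form login page itself must be reachable unauthenticated;
         security="none" gives this URL an empty filter chain. -->
    <security:http pattern="/login.jsp" security="none"/>

    <!-- Chain 2: everything else falls through to form login. -->
    <security:http>
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
        <security:form-login login-page="/login.jsp"/>
        <security:logout/>
    </security:http>

    <!-- Constructed sample user so the file is complete; replace with a
         real user store and hashed passwords. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="demo" password="change-me"
                               authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

Both chains share the single authentication manager, so the same accounts work for Basic and form login; only the way credentials are collected differs per URL.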
+1  A: 

Instead of using <security:http-basic>, you could define your own filters and use them appropriately. For instance:

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
        <security:filter-chain pattern="/login.jsp" filters="formExceptionTranslationFilter"/>
        <security:filter-chain pattern="/login2.jsp" filters="basicProcessingFilter"/>
    </security:filter-chain-map>
</bean>
Raghuram