How to implement different ways of authentication

[SamFisher]

Hi,

I'm using the current release of spring (3.0.5) ans spring security for my webapplication.
The application can be called from two different ways:
1. PreAuthenticatedAuthenticationProvider: the request contains an "iv-user" parameter with the username of the current user (already authenticated by another application) - this way works fine.
2. Webservice call: until now this call was not secured and workes also fine, but from now the security should be handled by spring security using basic authentication.

I don't know how to configure spring security in the server application depending on the URI. I've already tried this:

Code:

<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy" >
	  <filter-chain-map path-type="ant">
	     <filter-chain pattern="/pages/**" filters="
	        preAuthenticatedProcessingFilter,
	        exceptionTranslationFilter,
         	filterSecurityInterceptor" />
	     <filter-chain pattern="/webservice/**" filters="
			basicAuthenticationFilter,
			filterSecurityInterceptor"/>
	  </filter-chain-map>
	</beans:bean>

But I don't know how to proceed, to secure the webservice with basic authentication, e.g where to define the username and password.


Thanks for your help,
Sam

[skram]

A follow-up question.

For the web service, are you using REST-based or SOAP-based? For SOAP (which I assume you do), you should use WS-Security or create a custom username tokens in the SOAP header.