Dec 2nd, 2004, 02:29 PM
mix Basic authentication and Acegi's HTTP session auth?
I'm a newbie to Acegi.
I have a web application where for a subset of the resources/urls
I would like to use the plain Basic HTTP authentication provided by the web container (without any assitance from Acegi at all), and for the rest, I would like to use Acegi's form-based HTTP session authentication (and some of its other capabilities). This is possible, right?
At first glance, this looked like a trivial thing to implement with Acegi, but I just wanted to make sure before investing more time.
Dec 2nd, 2004, 02:41 PM
This will not work. Acegi Security needs to populate its ContextHolder from a well-known location which can be either the web container OR the HttpSession. Whilst you could theoretically write something that would check both locations, I have to ask the question, why would you want to mix authentication sources like that?
If you've got a Spring application, Acegi Security gives you a portable, well-tested framework that can secure method invocations, URI patterns and domain object instances. The Servlet Spec will let you secure some URI patterns (less flexible than Acegi Security) and for the privilege you have no container portability of your authentication configuration (only your authorization configuration is portable as it's in web.xml). Both the Servlet Spec and Acegi Security provide BASIC authentication, although Acegi Security's is probably more useful as it uses Commons Logging and you can easily customise it.
I just don't know why you'd want to try to mix strategies like this, even though you probably could with a little effort.
Dec 2nd, 2004, 03:37 PM
Thanks for the quick response.
Perhaps I didn't give enough details of what exactly I was trying to achieve.
Basically, I have a web application with context name of say, "abc",
and from there I have two main paths "abc/web" for entry points into web application which is handled by Spring's DispatcherServlet and "abc/ws" for entry points into web-services managed by Apache's AxisServlet. I need to deploy this as a single application with a single context root, ie, "abc".
For the web-services interface, I need to use HTTP Basic Authentication, but for the web application part, form-based authentication, because the default authentication window that the browser pops up is not acceptable to our customers (ie, it needs to be customized). However, once username/password are delivered to the server, there are no fundamental differences between the two.
I couldn't do this using the built-in Basic and Form-based authentications supported by web container, because I don't see any way to use two different mechanisms for the same application context without rolling my own solutions all together. I thought that, with Acegi, I could achieve this easily, no?
Dec 3rd, 2004, 02:45 PM
Acegi Security can absolutely achieve your goal. The Contacts sample application in CVS does exactly this. It has web services endpoints that use BASIC authentication and standard FORM login for interactive users. The part you're most interested in is the "authentication entry point" which is defined against the SecurityEnforcementFilter. It defines what authentication mechanism to "launch" upon an AuthenticationException. In your case you'd launch the AuthenticationProcessingFilterEntryPoint, which handles FORM login. It is thus expected your web services clients know in advance to put a BASIC authentication header into their requests. Take a look at the Contacts sample application for a more thorough example.