I have an authentication requirement that goes like this: at runtime, when a client makes an unauthenticated request to the resources, I check the IP address of the client. Based on some runtime criteria that take the IP address into consideration, it decides whether to use form-based login or Basic authentication, and responds to the client's request accordingly.

I've spent some time looking at Spring Security, but out of the box, I could set it up to do either form login or Basic authentication but not both. Can anyone please point me in the right direction as to where and how I should hook in or extend the base classes in order to be able to do something like this?

Thanks for any information.
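
One way to wire the per-request choice described in the question, as an added example that is not part of the original post: Spring Security's `DelegatingAuthenticationEntryPoint` picks an entry point by `RequestMatcher`, with `IpAddressMatcher` standing in for the runtime criteria. The CIDR range, realm name, login URL and class name are assumptions, and the package names are those of Spring Security 5.x/6.x.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.IpAddressMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical configuration class; all literal values are placeholders.
@Configuration
public class IpAwareEntryPointConfig {

    @Bean
    public AuthenticationEntryPoint ipAwareEntryPoint() {
        // Sends "401 + WWW-Authenticate: Basic" to matching clients.
        BasicAuthenticationEntryPoint basic = new BasicAuthenticationEntryPoint();
        basic.setRealmName("example-realm"); // assumed realm name

        // Redirects everyone else to the login form.
        LoginUrlAuthenticationEntryPoint form =
                new LoginUrlAuthenticationEntryPoint("/login"); // assumed URL

        // Matchers are evaluated in insertion order; first match wins.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byClient =
                new LinkedHashMap<>();

        // IpAddressMatcher compares against request.getRemoteAddr(). Behind a
        // reverse proxy that is the proxy's address unless forwarded headers
        // are resolved by a trusted component, so never base this decision on
        // a client-supplied X-Forwarded-For value directly.
        // Replace with a custom RequestMatcher for richer runtime criteria.
        byClient.put(new IpAddressMatcher("10.0.0.0/8"), basic); // assumed range

        DelegatingAuthenticationEntryPoint delegating =
                new DelegatingAuthenticationEntryPoint(byClient);
        delegating.setDefaultEntryPoint(form);
        return delegating;
    }
}
```

The bean takes effect once it is registered as the entry point in the `exceptionHandling` configuration, with both the form-login and Basic authentication filters enabled so that either kind of credential is processed. The entry point only selects which challenge is sent; it does not restrict which mechanism a client may actually use.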