
Thread: use both http-basic and form-login ?


  1. #1

    use both http-basic and form-login ?

    It seems I have to use only either of those. Basically, I would want to divide my app into two apps. One is solely the JS/HTML and the other is the RESTful API.

    Any suggestions? With the current mechanism I am able to enforce either form-login or http-basic.

  2. #2

    Default

    One way I could think of -
    1. Deploy the HTML/JS app on an Apache HTTP server which in turn redirects to the Spring based services configured with http-basic.
    What this does is, I can still access the RESTful API, say using the curl library, as well as access it through the form-login mechanism? Can someone shed more light on this kind of alternative or mechanism or better architecture?

    But the question is, how do I transform or maintain credentials? Is it going to authenticate the HTTP server or the user?

  3. #3


    Are you having a specific problem implementing this? I'm not sure I understand your requirements, but I am assuming the only difference is that the RESTful services will use basic authentication and the web application will use a form based login. If this is not the case, can you please clarify?

    Spring supports both basic and form based login at the same time (see the namespace section of the reference for easy setup). The only thing that may complicate things is that when using both the response when not authenticated to your services will be a login page. To fix this I would create an instance of the DelegatingAuthenticationEntryPoint. The instance would have a matcher that finds any request that matches a service call and delegates to BasicAuthenticationEntryPoint. Otherwise it would delegate to LoginUrlAuthenticationEntryPoint.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  4. #4


    Ok. Here was the original config I had used -
    Code:
    <http auto-config='true' path-type="regex">
        <intercept-url pattern=".*" access="ROLE_USER" />
        <form-login login-page="${login.page}" default-target-url="${login.default-target-url}" />
        <logout logout-success-url="${logout.success-url}" />
        <http-basic/>
    </http>
    So, what this does is, form-login takes precedence over the http-basic authentication. Whenever a simple request with auth parameters is sent, say using Poster, it comes back with a login form.

    I changed it to the following -
    Code:
    <beans:bean id="basicAuthenticationFilter"
        class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <beans:property name="realmName" value="myApp"/>
    </beans:bean>
    ....
    ....
    <http auto-config='false' path-type="regex">
        <intercept-url pattern=".*" access="ROLE_USER" />
        <form-login login-page="${login.page}" default-target-url="${login.default-target-url}" />
        <logout logout-success-url="${logout.success-url}" />
        <http-basic/>
    </http>
    As far as I remember from reading the docs, the precedence of the above authentication filter had to be set above form-login. However, it seems that was for Spring Security 2.x. For 3.x it is automatically taken care of (?)!

  5. #5


    You are correct that when using basic authentication and form based login that the login form will be displayed for unauthenticated users. This is what I was describing in the "only thing that may complicate things" section of my response.

    The configuration appears to be a start at what I had described, but you still need to create a DelegatingAuthenticationEntryPoint and then reference it using entry-point-ref in the http block.

    PS: You don't need to specify auto-config="false" as this is the default.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  6. #6


    Ok, getting closer. However, from reading the docs I am not sure how to specify filtering out the GET, PUT, POST requests?

    I mean the DelegatingAuthenticationEntryPoint would go like this -
    Code:
     <bean id="daep" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
         <constructor-arg>
             <map>
                 <entry key="hasIpAddress('192.168.1.0/24') and hasHeader('User-Agent','Mozilla')" value-ref="firstAEP" />
                 <entry key="hasHeader('User-Agent','MSIE')" value-ref="secondAEP" />
             </map>
         </constructor-arg>
         <property name="defaultEntryPoint" ref="defaultAEP"/>
     </bean>
    Does the URL filtering still go in the intercept-url portion? So how does the framework figure out whether to dispatch a form or the HTTP status code for invalid credentials?
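A complete configuration covering what post #3 recommends (a DelegatingAuthenticationEntryPoint whose matcher sends API calls to BasicAuthenticationEntryPoint and everything else to LoginUrlAuthenticationEntryPoint) and the question in post #6 (where the request selection goes). This is an added example, not configuration from the thread or from the Spring Security project. It assumes the Spring Security 3.1 XML namespace, that the REST half of the app lives under /api/ and the HTML/JS half serves its own login page at /login; the bean ids, the realm name and the in-memory user are made up for the example. The choice between the two entry points is made by the RequestMatcher keys of the delegating entry point, not by intercept-url, which only decides whether a request needs authentication at all. A string key like the ones in post #6 is a SpEL expression over hasIpAddress and hasHeader only, so path-based selection uses key-ref to a matcher bean instead.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Selects the REST half of the application (assumed path prefix /api/).
         In Spring Security 3.2+ this class lives in
         org.springframework.security.web.util.matcher instead. -->
    <beans:bean id="apiRequestMatcher"
        class="org.springframework.security.web.util.AntPathRequestMatcher">
        <beans:constructor-arg value="/api/**"/>
    </beans:bean>

    <!-- Unauthenticated API calls get 401 plus a WWW-Authenticate: Basic header,
         which is what curl or a REST client can act on, instead of a login page. -->
    <beans:bean id="basicEntryPoint"
        class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <beans:property name="realmName" value="myApp"/> <!-- assumed realm name -->
    </beans:bean>

    <!-- Unauthenticated browser requests are redirected to the form (assumed at /login). -->
    <beans:bean id="formEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/login"/>
    </beans:bean>

    <!-- Map entries are consulted in order; the first matcher that matches wins.
         Anything not matched falls through to defaultEntryPoint. -->
    <beans:bean id="delegatingEntryPoint"
        class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key-ref="apiRequestMatcher" value-ref="basicEntryPoint"/>
            </beans:map>
        </beans:constructor-arg>
        <beans:property name="defaultEntryPoint" ref="formEntryPoint"/>
    </beans:bean>

    <!-- entry-point-ref on <http> overrides the entry point that <form-login/> would
         otherwise install; <http-basic/> still adds the BasicAuthenticationFilter, so
         no hand-written filter bean is needed. -->
    <http entry-point-ref="delegatingEntryPoint" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <form-login login-page="/login"/>
        <logout/>
        <http-basic/>
    </http>

    <!-- Made-up in-memory user so the example runs on its own. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="password" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With this in place an unauthenticated request to /api/... gets a 401 with WWW-Authenticate: Basic, while an unauthenticated request for any other page gets a 302 to /login; both halves still share one intercept-url rule set, and a request with valid Basic credentials to an API URL is authenticated by the BasicAuthenticationFilter before the entry point is ever consulted. Since 3.1 there is also an alternative that avoids the delegating entry point altogether: two `<http pattern="...">` elements, one for /api/** containing only `<http-basic/>` and one for everything else containing `<form-login/>`, which additionally lets the API block run with create-session="stateless" so Basic-authenticated calls do not leave sessions behind.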

  7. #7


    Quote Originally Posted by rwinch
    You are correct that when using basic authentication and form based login that the login form will be displayed for unauthenticated users. This is what I was describing in the "only thing that may complicate things" section of my response.

    The configuration appears to be a start at what I had described, but you still need to create a DelegatingAuthenticationEntryPoint and then reference it using entry-point-ref in the http block.

    PS: You don't need to specify auto-config="false" as this is the default.
    by http block you meant http-basic block ?
