use form-login by default but http-basic for rest urls

**snowch** · Oct 3rd, 2010, 02:15 PM

I would like to use form-login for my html pages, but http-basic for my rest endpoints.

Code:

<http auto-config="true" use-expressions="true">
   <!-- form-login required by default -->
   <intercept-url pattern="/app/**" access="hasRole('ROLE_USER')"   />
   <!-- http-basic required for the createPdf service -->
   <intercept-url pattern="/app/createPdf" access="hasRole('ROLE_USER')"  />
</http>

How can I do this in spring security 3?

Many thanks,

Chris

**Rob Winch** · Oct 4th, 2010, 08:37 AM

Did you try searching the forums? This question has been addressed a number of times.

Regards,

**snowch** · Oct 4th, 2010, 04:33 PM

Thanks for the response.

I only just started with spring security yesterday, so I think I'm going to have to do a lot more reading for this to all make sense...

Looking through the link you sent me, I'm not sure I would be comfortable deciding the type of service (i.e. rest or web) based on user-agent. For most apps, wouldn't it make more sense to inspect the target url pattern?

Many thanks,

Chris

**Rob Winch** · Oct 4th, 2010, 04:47 PM

It really depends on your application/requirements, but I agree that in most cases looking at the URL pattern probably makes more sense.

Cheers,

**snowch** · Oct 4th, 2010, 09:35 PM

Hi Rob,

How can I modify the DelegatingAuthenticationEntryPoint example to make it's decisions based on the target url pattern?

Many thanks,

Chris

**Rob Winch** · Oct 4th, 2010, 10:05 PM

The map key to DelegatingAuthenticationEntryPoint will be a reference to the RequestMatcher instead of a String (the String way of creating a RequestMatcher cannot match on the path). More specifically...write a RequestMatcher that matches based upon the logic you want. You will also need an entry point for your Restful service (my example implies returning a 401, but you can do whatever you want). Below is psedocode:

Code:

public class UrlRequestMatcher implements RequestMatcher {
  // see DefaultFilterInvocationSecurityMetadataSource 
  // for example on how to use UrlMatcher
  private UrlMatcher matcher;

  ... implement the method for RequestMatcher
}

public class Http401EntryPoint implements AuthenticationEntryPoint {
 ... implement the methods
}

Wire it up. Below is psedo config:

Code:

<sec:http ... entry-point-ref="entryPoint">
 ...
</sec:http>
	
<bean id="entryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
  <constructor-arg>
    <map>
      <!-- add as many entries as you need -->				
      <entry>
        <key>
          <bean class="org.example.UrlRequestMatcher"/>
        </key>
        <bean class="org.example.Http401EntryPoint"/>
      </entry>
    </map>
  </constructor-arg>
  <property name="defaultEntryPoint">
    <!-- if its not a restful url do regular login -->
    <bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" p:loginFormUrl="/login"/>
  </property>	
</bean>

Cheers,

**snowch** · Oct 18th, 2010, 05:35 PM

If I previously had the following attributes set for form-login, how can I set these when using LoginUrlAuthenticationEntryPoint?

<form-login login-page="/login" login-processing-url="/login/submit" authentication-failure-url="/login/error" />
<logout logout-url="/logout" />

Many thanks in advance,

Chris

**Rob Winch** · Oct 18th, 2010, 08:52 PM

Take a look at my example (it is almost exactly what you need). If that doesn't help check out the FAQ.

Thread: use form-login by default but http-basic for rest urls

Thread Tools

Display

use form-login by default but http-basic for rest urls

Posting Permissions