Monday, November 29, 2010

Spring Security: Combining Basic and Form-Based Authentication

There are many use cases where you would want to combine basic and form-based authentication when using Spring Security. This was possible with earlier releases of Spring Security, but it was a lot more involved. However, if you can wait a couple of months for Spring Security 3.1.0 to be released, it can be done by defining multiple http elements in your Spring Security application context file. Multiple http elements couldn't be defined in Spring Security 3.0.X.

The use case we had was to support basic authentication for our REST services and form-based authentication for the web interface of the same application.

If you download the Spring Security 3.1.0 M1 release, the PDF also has an example with the same use case scenario.

Add the following http elements in your application context file, change the URL patterns accordingly and you are all set:


Isn't this so simple and easy? 

7 comments:

  1. Very simple and easy. Took me a few seconds. Thank you!

  2. Hi,

    Do you have an example to demo combining form-based and digest authentication in the same web app? I am specifically looking for the details in the configuration file, i.e. security.xml.

    Thanks

  3. I am pretty sure replacing the http-basic element with digest should work.

  4. Hello,

    Any idea about when Spring Security 3.1 will be released? I can't find any release date on the Spring site...

  5. Hi,

    I have the same use case, where I want to use basic auth for selected URLs (API endpoint). But I have one restriction of using Spring 3.0.x.

    Is there any way to achieve this using 3.0.x?

  6. Hi Meera, I want to send some extra parameters along with the username and password through Spring Security, and then I want to obtain those extra parameters for further processing... How can I do that? I am using Spring 3.1.

    1. Keshav,
      You will have to write custom handlers for those. Not sure if there is anything by default.
