  • Multiple Auth Methods


    I have a REST API with Basic Authentication:

    <security:http create-session="stateless" security="none" pattern="/api/users" />
    <security:http create-session="stateless" security="none" pattern="/api/users/me" />

    <security:http create-session="stateless" entry-point-ref="basicAuthenticationEntryPoint" pattern="/api/users/**">
        <security:http-basic />
        <security:intercept-url pattern="/api/users/*" access="ROLE_USER" />
    </security:http>

    <security:http create-session="stateless" entry-point-ref="basicAuthenticationEntryPoint" pattern="/api/**" use-expressions="true">
        <security:http-basic />
        <security:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" method="POST" />
        <security:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" method="DELETE" />
        <security:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER')" method="PUT" />
        <security:intercept-url pattern="/api/**" access="hasAnyRole('ROLE_USER','ROLE_ANONYMOUS')" method="GET" />
    </security:http>

    <bean id="basicAuthenticationEntryPoint" class="">
        <property name="realmName" value="mercuryRealm" />
    </bean>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailsService">
            <security:password-encoder ref="bcryptPasswordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

    In each request I send a Basic header with the user:password in Base64.

    Now, I want to add a new CustomToken Authentication, sending token:XXXX in the header, and validate this token in a Custom Filter.

    How can I do that?

    I want to support the two authentication methods (Basic and Custom Token), but I haven't found this case...

    Thanks a lot!

  • #2
    Start by creating your custom filter. You can take a look at the BasicAuthenticationFilter as an example. Note you can validate the token any way you want (you don't need to use the AuthenticationManager if you don't want to). The important thing is that you set an Authentication object on the SecurityContextHolder, as is done in the BasicAuthenticationFilter. Once you have implemented your filter, you will need to insert it using the <security:custom-filter> tag.
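
A sketch of the filter described in reply #2, added here as an example and not code posted by anyone in the thread. It reads the `token` header from the question and leaves requests without that header to Basic authentication. Assumptions: the `TokenService` interface and the bean id `tokenAuthenticationFilter` are hypothetical, and the servlet imports use the `javax.servlet` namespace.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.filter.OncePerRequestFilter;

// Register as a bean (hypothetical id), then inside each <security:http> block that accepts tokens:
//   <security:custom-filter ref="tokenAuthenticationFilter" before="BASIC_AUTH_FILTER" />
public class TokenAuthenticationFilter extends OncePerRequestFilter {
    // Hypothetical lookup: the username a token belongs to, or null if unknown or expired.
    public interface TokenService { String usernameFor(String token); }
    private final TokenService tokenService;
    private final UserDetailsService userDetailsService;
    public TokenAuthenticationFilter(TokenService tokenService, UserDetailsService userDetailsService) {
        this.tokenService = tokenService;
        this.userDetailsService = userDetailsService;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String token = request.getHeader("token");
        if (token != null) {
            try {
                String username = tokenService.usernameFor(token);
                if (username == null) {
                    throw new BadCredentialsException("unknown token");
                }
                UserDetails user = userDetailsService.loadUserByUsername(username);
                // The three-argument constructor yields an already-authenticated token.
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
            } catch (AuthenticationException e) {
                // Bad token or unknown user: fail closed instead of continuing as anonymous.
                SecurityContextHolder.clearContext();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token");
                return;
            }
        }
        // No token header: leave the context untouched so BasicAuthenticationFilter can handle it.
        chain.doFilter(request, response);
    }
}
```

Rejecting a bad token outright matters for the `GET` rule above, which also admits `ROLE_ANONYMOUS`: otherwise a request carrying an invalid token would be served as an anonymous read.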