Announcement Announcement Module
Collapse
No announcement yet.
use form-login by default but http-basic for rest urls Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • use form-login by default but http-basic for rest urls

    I would like to use form-login for my html pages, but http-basic for my rest endpoints.

    Code:
    <http auto-config="true" use-expressions="true">
       <!-- form-login required by default -->
       <intercept-url pattern="/app/**" access="hasRole('ROLE_USER')"   />
       <!-- http-basic required for the createPdf service -->
       <intercept-url pattern="/app/createPdf" access="hasRole('ROLE_USER')"  />
    </http>
    How can I do this in spring security 3?

    Many thanks,

    Chris

  • #2
    Did you try searching the forums? This question has been addressed a number of times.

    Regards,

    Comment


    • #3
      Thanks for the response.

      I only just started with spring security yesterday, so I think I'm going to have to do a lot more reading for this to all make sense...

      Looking through the link you sent me, I'm not sure I would be comfortable deciding the type of service (i.e. rest or web) based on user-agent. For most apps, wouldn't it make more sense to inspect the target url pattern?

      Many thanks,

      Chris

      Comment


      • #4
        It really depends on your application/requirements, but I agree that in most cases looking at the URL pattern probably makes more sense.

        Cheers,

        Comment


        • #5
          Hi Rob,

          How can I modify the DelegatingAuthenticationEntryPoint example to make it's decisions based on the target url pattern?

          Many thanks,

          Chris

          Comment


          • #6
            The map key to DelegatingAuthenticationEntryPoint will be a reference to the RequestMatcher instead of a String (the String way of creating a RequestMatcher cannot match on the path). More specifically...write a RequestMatcher that matches based upon the logic you want. You will also need an entry point for your Restful service (my example implies returning a 401, but you can do whatever you want). Below is psedocode:

            Code:
            public class UrlRequestMatcher implements RequestMatcher {
              // see DefaultFilterInvocationSecurityMetadataSource 
              // for example on how to use UrlMatcher
              private UrlMatcher matcher;
            
              ... implement the method for RequestMatcher
            }
            
            public class Http401EntryPoint implements AuthenticationEntryPoint {
             ... implement the methods
            }
            Wire it up. Below is psedo config:

            Code:
            <sec:http ... entry-point-ref="entryPoint">
             ...
            </sec:http>
            	
            <bean id="entryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
              <constructor-arg>
                <map>
                  <!-- add as many entries as you need -->				
                  <entry>
                    <key>
                      <bean class="org.example.UrlRequestMatcher"/>
                    </key>
                    <bean class="org.example.Http401EntryPoint"/>
                  </entry>
                </map>
              </constructor-arg>
              <property name="defaultEntryPoint">
                <!-- if its not a restful url do regular login -->
                <bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" p:loginFormUrl="/login"/>
              </property>	
            </bean>
            Cheers,

            Comment


            • #7
              If I previously had the following attributes set for form-login, how can I set these when using LoginUrlAuthenticationEntryPoint?

              <form-login login-page="/login" login-processing-url="/login/submit" authentication-failure-url="/login/error" />
              <logout logout-url="/logout" />

              Many thanks in advance,

              Chris

              Comment


              • #8
                Take a look at my example (it is almost exactly what you need). If that doesn't help check out the FAQ.

                Comment

                Working...
                X