1

I have a pretty standard existing webapp using spring security that requires a database-backed form login for user-specific paths (such as /user/**), and some completely open and public paths (such as /index.html).

However, as this webapp is still under development, I'd like to add a http-basic popup across all paths (/**) to add some privacy. Therefore, I'm trying to add a http-basic popup that asks for a universal user/pass combo (ex admin/foo) that would be required to view any path, but then still keep intact all of the other underlying authentication mechanisms.

I can't really do anything with the <http> tag, since that will confuse the "keep out the nosy crawlers" authentication with the "user login" authentication, and I'm not seeing any way to associate different paths with different authentication mechanisms.

Is there some way to do this with spring security? Alternatively, is there some kind of a dead simple filter that I can apply independently of spring-security's authentication mechanisms?

Improve this question

3 Answers 3

Reset to default
1

Or you can check out the upcoming spring security 3.1 (which is currently 3.1.0.M2), which supports multiple namespace elements.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Yes, you can use multiple authentication filters in Spring Security. However, the best way I have found is to omit the <http> element of the Spring Security namespace and instead use the normal Spring Bean notation.

Specifying all the Spring Security beans 'by hand' brings you the needed flexibility to control the intercepted URLs and which filters will fire for which URL patterns.

The downside is that it requires specifying a lot of extra bean definitions, many of them are not as readable as the namespace-variant of course.

Improve this answer

1 Comment

I didn't know you could do it without the http tag - this would be a much better long term solution, but in my case I just needed a quick hack to avoid the additional complexity you describe. I'll stick with my solution, but your answer is better :D
0

I just ended up using a basic filter before spring security, as outlined here:

http://joomla.jcalfee.info/contact/2-java-authentication-filter

this works as a good temporary hack

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.