Handling both form and HTTP basic authentication with different sources

鱼传尺愫 2020-12-15 12:07

I already have form login and Basic auth working side by side with the help of a DelegatingAuthenticationEntryPoint.

What I'm trying to do is have users coming through

2条回答
  • 2020-12-15 12:55

    With Spring Security (3.2.3.RELEASE), form login and basic auth both work fine with the following configuration:

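    <!-- Static assets: security="none" means no security filters run for these paths,
         so only files that are meant to be public should live under them. -->
    <http pattern="/resources/**" security="none"/>
    <http pattern="/webjars/**" security="none"/>
    
    <!-- REST chain: stateless, HTTP Basic only. It is declared before the catch-all chain
         so that /rest/** requests are handled here.
         Basic sends the credentials with every request, so these URLs should be reachable
         over TLS only (for example requires-channel="https" on the intercept-url).
         isFullyAuthenticated() rejects anonymous and remember-me authentication. -->
    <http pattern="/rest/**" create-session="stateless" use-expressions="true">
        <intercept-url pattern="/**" access="isFullyAuthenticated()"/>
        <http-basic />
    </http>
    
    <!-- Browser chain: form login, with HTTP Basic also accepted.
         NOTE(review): in the 3.2 XML namespace CSRF protection is not enabled unless a
         <csrf/> element is added here; turning it on requires the login form and every
         other state-changing form to send the CSRF token. Confirm before enabling. -->
    <http auto-config="true" use-expressions="true">
        <http-basic/>
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/loginfailed" access="permitAll"/>
        <intercept-url pattern="/logout" access="permitAll"/>
    
        <!-- Rules are evaluated top to bottom and the first match wins.
             Under Ant path matching a "**" that is not a whole path segment does not cross
             "/", so "/admin**" covers /admin and /adminXYZ but not /admin/users; those
             requests would fall through to the isAuthenticated() rule below.
             The "/admin/**" rule closes that gap for everything under /admin/. -->
        <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login login-page="/login" default-target-url="/" authentication-failure-url="/loginfailed"/>
        <logout logout-success-url="/logout"/>
        <!-- NOTE(review): no key attribute is set, so the remember-me key is generated at
             startup and existing cookies stop working after a restart. The remember-me
             cookie acts as a bearer credential; consider the persistent token variant and
             isFullyAuthenticated() on the admin rules if remembered sessions should not
             reach them. -->
        <remember-me user-service-ref="userService"/>
    </http>
    
    <!-- Single authentication manager shared by both chains, backed by the userService bean
         (defined outside this snippet).
         NOTE(review): no <password-encoder> child is declared on the provider; confirm that
         stored passwords are hashed (for example bcrypt) and declare the matching encoder.
         The commented-out alternatives below are samples: the in-memory users carry literal
         passwords and are suitable for local testing only. -->
    <authentication-manager>
        <authentication-provider user-service-ref="userService">
    <!--
            <jdbc-user-service data-source-ref="dataSource"
                               users-by-username-query="SELECT email, password, enabled FROM users WHERE email = ?"
                               authorities-by-username-query="
                                           SELECT u.email, r.name FROM users u, roles r WHERE u.id = r.user_id and u.email = ?"/>
    -->
    <!--
            <user-service>
                <user name="mail@yandex.ru" password="password" authorities="ROLE_USER"/>
                <user name="admin@gmail.com" password="admin" authorities="ROLE_ADMIN"/>
            </user-service>
    -->
        </authentication-provider>
    </authentication-manager>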
    
  • 2020-12-15 12:56

    Depending on your app and whether you're using Spring Security 3.1, you might be best to split the configuration into multiple filter chains, each with a separate authentication manager defined:

    <!-- Chain for /rest_api/**: stateless HTTP Basic, authenticated against serviceCredsAuthMgr only.
         This is a sketch: no intercept-url rules are shown, so as written nothing in this chain
         requires authentication. Add access rules before use, and serve these URLs over TLS
         because Basic sends the credentials with every request. -->
    <http pattern="/rest_api/**" create-session="stateless"
        authentication-manager-ref="serviceCredsAuthMgr">
        <http-basic />
    </http>
    
    <!-- Catch-all chain for interactive users: form login, authenticated against mainAuthMgr only.
         It has no pattern, so it must stay after the pattern-specific chain above.
         As above, intercept-url rules are omitted from the sketch. -->
    <http authentication-manager-ref="mainAuthMgr">
        <form-login />
    </http>
    
    <!-- Credentials accepted on the REST chain; serviceCredsUserDetailsSvc is a bean defined
         outside this snippet. -->
    <authentication-manager id="serviceCredsAuthMgr">
        <authentication-provider user-service-ref="serviceCredsUserDetailsSvc" />
    </authentication-manager>
    
    <!-- Credentials accepted on the form-login chain. Keeping the two managers separate means
         an account known to one chain is not automatically valid on the other. -->
    <authentication-manager id="mainAuthMgr">
        <!-- placeholder: declare the authentication-provider(s) for form-login users here -->
    </authentication-manager>
    

    Instead of the pattern attribute you can also use the request-matcher-ref attribute to specify a RequestMatcher instance which will be used to map incoming requests to a particular filter chain. This has a very simple interface, but can allow you to match based on something other than the URL path, such as the Accept header.
