Is it possible to have BOTH
Hi,
I've a successful implementation of Spring Security with BASIC authentication mechanism with AOP, Ehcache, Jasypt and all. I've been using this for both browser and non-browser clients.
Now I've a requirement where I need to have more fancy JSP pages for login using form-based authentication, but also continue to support the BASIC authentication module for non-browser clients.
Is that technically possible with Spring Security? If yes, then can someone give me the steps I need to do that?
Thanks in advance,
Rajib
Hi, yes, it is possible to have both form-based as well as basic login operations. Here's an extract from the Spring Security Guide:
If you want to supply your own login page, you could use:
<http auto-config='true'>
  <intercept-url pattern="/login.jsp*" filters="none"/>
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login login-page='/login.jsp'/>
</http>
Note that you can still use auto-config. The form-login element just overrides the default settings. Also note
that we've added an extra intercept-url element to say that any requests for the login page should be
excluded from processing by the security filters. Otherwise the request would be matched by the pattern /**
and it wouldn't be possible to access the login page itself! If you want to use basic authentication instead of
form login, then change the configuration to
<http auto-config='true'>
  <intercept-url pattern="/**" access="ROLE_USER" />
  <http-basic />
</http>
Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to
access a protected resource. Form login is still available in this configuration if you wish to use it, for example through a login form embedded in another web page.
Hope this helps.