65 lines
3.3 KiB
XML
65 lines
3.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.docbook.org/xml/4.4/docbookx.dtd">
|
|
|
|
|
|
<chapter id="basic">
|
|
<title>BASIC Authentication Mechanism</title>
|
|
|
|
<sect1 id="basic-overview">
|
|
<title>Overview</title>
|
|
|
|
<para>Spring Security provides a
|
|
<literal>BasicProcessingFilter</literal> which is capable of
|
|
processing basic authentication credentials presented in HTTP headers.
|
|
This can be used for authenticating calls made by Spring remoting
|
|
protocols (such as Hessian and Burlap), as well as normal user agents
|
|
(such as Internet Explorer and Navigator). The standard governing HTTP
|
|
Basic Authentication is defined by RFC 1945, Section 11, and the
|
|
<literal>BasicProcessingFilter</literal> conforms with this RFC. Basic
|
|
Authentication is an attractive approach to authentication, because it
|
|
is very widely deployed in user agents and implementation is extremely
|
|
simple (it's just a Base64 encoding of the username:password,
|
|
specified in an HTTP header).</para>
|
|
</sect1>
|
|
|
|
<sect1 id="basic-config">
|
|
<title>Configuration</title>
|
|
|
|
<para>To implement HTTP Basic Authentication, it is necessary to
|
|
define <literal>BasicProcessingFilter</literal> in the filter chain.
|
|
The application context will need to define the
|
|
<literal>BasicProcessingFilter</literal> and its required
|
|
collaborator:</para>
|
|
|
|
<para><programlisting>
|
|
<bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
|
|
</bean>
|
|
|
|
<bean id="authenticationEntryPoint"
|
|
class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
|
|
<property name="realmName"><value>Name Of Your Realm</value></property>
|
|
</bean>
|
|
|
|
</programlisting></para>
|
|
|
|
<para>The configured <literal>AuthenticationManager</literal>
|
|
processes each authentication request. If authentication fails, the
|
|
configured <literal>AuthenticationEntryPoint</literal> will be used to
|
|
retry the authentication process. Usually you will use the
|
|
<literal>BasicProcessingFilterEntryPoint</literal>, which returns a
|
|
401 response with a suitable header to retry HTTP Basic
|
|
authentication. If authentication is successful, the resulting
|
|
<literal>Authentication</literal> object will be placed into the
|
|
<literal>SecurityContextHolder</literal>.</para>
|
|
|
|
<para>If the authentication event was successful, or authentication
|
|
was not attempted because the HTTP header did not contain a supported
|
|
authentication request, the filter chain will continue as normal. The
|
|
only time the filter chain will be interrupted is if authentication
|
|
fails and the <literal>AuthenticationEntryPoint</literal> is called,
|
|
as discussed in the previous paragraph</para>
|
|
</sect1>
|
|
</chapter> |