Basic authentication is often used with stateless clients which pass their credentials on each request. It’s quite common to use it in combination with form-based authentication where an application is used through both a browser-based user interface and as a web-service. However, basic authentication transmits the password as plain text so it should only really be used over an encrypted transport layer such as HTTPS.
Because basic authentication header has to be sent with each HTTP request, the web browser needs to cache the credentials for a reasonable period to avoid constant prompting user for the username and password. Caching policy differs between browsers.
Simplest possible solution to implement basic http authentication is to use “http-basic” tag in spring security configuration file like this:
<http> <intercept-url pattern="/**" access="ROLE_USER" /> <http-basic /> </http>
Above setting in your application will enforce the user to authenticate any of webpage or any other resource in your application. Interesting thing is that you do not need to create any login page or session management mechanism. Browser will present a login box before user on your behalf. And because each request contains authentication information just like in http stateless mechanism, you do not need to maintain session also.
In our employee management application built-in previous tutorial related to spring 3 security demo, we built login form manually and configured them for various URL patterns. Lets modify it to use http basic authentication. Our modified application-security.xml will look like this now.
< ?xml version="1.0" encoding="UTF-8"?> xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd"> <http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/logout" access="permitAll" /> <intercept-url pattern="/accessdenied" access="permitAll" /> <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> <<logout logout-success-url="/logout" /> <http-basic /> </http> <authentication-manager alias="authenticationManager"> <authentication-provider> <user-service> <user lokesh" password="password" authorities="ROLE_USER" /> </user-service> </authentication-provider> </authentication-manager>
Now lets build the application again and run it in application server. In my case, I ma using tomcat 7.
1) Hit the URL “http://localhost:8080/Spring3HibernateIntegration” in browser
A login window appear. Please note that it is browser generated login box and application has only provided relevant headers to browser.
2) Enter incorrect username and password
This will make browser to again present the cleared login box or it will show the error page in some cases like this.
3) Enter correct username and password
The correct username and password :: “lokesh” and “password”. When you enter above credentials, employee management screen will appear in browser screen.
Please let me know if you found any problem in running above configuration.
Happy Learning !!