使用Spring Security 3.1通过表单登录和HTTP基本安全性来保护相同的RESTful资源

Question

I have a java web application running on Tomcat 7. I am using Spring 3.2 with Spring Security 3.1 on the backend, and am exposing an API via RESTful URLs following the /api/** pattern.

The UI for the web application is built using BackboneJS. I am using Backbone models mapped directly to the RESTful URLS.

The UI is locked down using form-login authentication, so the user is always redirected to the login screen if they have are not currently authenticated.

I am now attempting to expose the same RESTful URLs to another external service using http-basic authentication. Unfortunately, when securing the same URL pattern, it seems Spring will not allow me to use more than one filter chain. Whichever is defined first in the configuration file seems to take precedence.

I would hate to have to map to separate URL patterns for the same RESTful resources, but it seems like I may not have a choice.

Here is the important sample of my (currently broken) spring security configuration:

<!--  configure basic http authentication -->
<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <http-basic/>
</http>

<!--  configure form-login authentication -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/ui/login" access="permitAll" />
    <intercept-url pattern="/ui/logout" access="permitAll" />
    <intercept-url pattern="/ui/loginfailed" access="permitAll" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
    <form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
    <logout logout-success-url="/ui/logout" />
    <session-management invalid-session-url="/ui/login"/>
</http>

My question is: Is it possible to configure two different types of security (http-basic and form-login) for the same URL patterns using Spring Security? Is there a best practice for this type of scenario?

Thank you.

Answer 1

Why don't you just merge the two <http> elements like this:

<http pattern="/api/**" use-expressions="true">
    <intercept-url pattern="/ui/login" access="permitAll" />
    <intercept-url pattern="/ui/logout" access="permitAll" />
    <intercept-url pattern="/ui/loginfailed" access="permitAll" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <http-basic/>
    <custom-filter ref="ajaxTimeoutRedirectFilter" after="EXCEPTION_TRANSLATION_FILTER" />
    <form-login login-page="/ui/login" default-target-url="/" authentication-failure-url="/ui/loginfailed" />
    <logout logout-success-url="/ui/logout" />
    <session-management invalid-session-url="/ui/login"/>
</http>

This would set up both a UsernamePasswordAuthenticationFilter and a BasicAuthenticationFilter in the same filter chain which could serve the ui client, and the external service as well.

Answer 2

Not possible out of the box to apply 2 different filter chain for a single URL pattern.

But it is a advisable to have unique URL patterns as UI and API, as you would have to apply a completely different filter chain in future.

For example the SecurityContextRepository hold the session information and is retrieved for each request. You don't want to apply the same for UI and API access through basic auth

Answer 3

Try to replace pattern="/ " by pattern="/api/ " in API config:

<http pattern="/api/**" create-session="stateless">
    <intercept-url pattern="/api/**" access="ROLE_USER"/>
    <http-basic/>
</http>