Spring Security provides a BasicProcessingFilter which is capable of
processing basic authentication credentials presented in HTTP headers.
This can be used for authenticating calls made by Spring remoting
protocols (such as Hessian and Burlap), as well as normal user agents
(such as Internet Explorer and Navigator). The standard governing HTTP
Basic Authentication is defined by RFC 1945, Section 11, and the
BasicProcessingFilter conforms with this RFC. Basic Authentication is
an attractive approach to authentication, because it is very widely
deployed in user agents and implementation is extremely simple (it's
just a Base64 encoding of the username:password, specified in an HTTP
header).
To implement HTTP Basic Authentication, it is necessary to define
BasicProcessingFilter in the filter chain. The application context
will need to define the BasicProcessingFilter and its required
collaborator:
<bean id="basicProcessingFilter"
      class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
</bean>

<bean id="authenticationEntryPoint"
      class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
  <property name="realmName"><value>Name Of Your Realm</value></property>
</bean>
The configured AuthenticationManager processes each authentication
request. If authentication fails, the configured
AuthenticationEntryPoint will be used to retry the authentication
process. Usually you will use the BasicProcessingFilterEntryPoint,
which returns a 401 response with a suitable header to retry HTTP
Basic authentication. If authentication is successful, the resulting
Authentication object will be placed into the SecurityContextHolder.
If the authentication event was successful, or authentication was not
attempted because the HTTP header did not contain a supported
authentication request, the filter chain will continue as normal. The
only time the filter chain will be interrupted is if authentication
fails and the AuthenticationEntryPoint is called, as discussed in the
previous paragraph.
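
The three outcomes described above (no Basic header, successful authentication, failed authentication answered with a 401 challenge) can be modelled with JDK classes alone. This is an added example, not Spring Security's own code: the class name, the USERS map standing in for the AuthenticationManager, and the sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added illustration: models the filter's decision flow, not Spring's implementation.
public class BasicAuthFlowDemo {
    static final String REALM = "Name Of Your Realm";
    // Constructed sample user store, a stand-in for the AuthenticationManager.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    /** Describes what happens to a request carrying this Authorization header. */
    static String handle(String header) {
        // No header, or a scheme other than Basic: authentication is not attempted.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return "CONTINUE (no authentication attempted)";
        }
        String token;
        try {
            // The credentials are only encoded, not encrypted: decoding recovers them.
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            token = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return challenge(); // not valid Base64
        }
        // Split on the first colon only: the password may itself contain ':'.
        int colon = token.indexOf(':');
        if (colon < 0) {
            return challenge();
        }
        String user = token.substring(0, colon);
        String expected = USERS.get(user);
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                token.substring(colon + 1).getBytes(StandardCharsets.UTF_8));
        return ok ? "CONTINUE (authenticated as " + user + ")" : challenge();
    }

    /** The entry point's reply: a 401 carrying the Basic challenge for the realm. */
    static String challenge() {
        return "401 WWW-Authenticate: Basic realm=\"" + REALM + "\"";
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder();
        System.out.println(handle(null));
        System.out.println(handle("Basic " + enc.encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8))));
        System.out.println(handle("Basic " + enc.encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8))));
        System.out.println(handle("Basic !!!notbase64"));
    }
}
```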