
How to set up basic auth in spring security without the HTTP tag?

Developer https://www.devze.com 2023-03-13 09:37 Source: web

I'm setting up REST services that require simple Basic Auth on top of an existing application. The thing is that the security context already has an http tag from the actual application, so as simple as it is to set up Basic Auth using the tag, I can't use it because there is already one there with a totally different config (see why: https://jira.springsource.org/browse/SEC-1171; I'm using 3.0.4, and waiting until 3.1 is released is a possibility but undesired).

How could I exclude my REST services from the pre-existing config and give them Basic Auth?

This is the applicationContext-security.xml I've been playing around with, on top of the tutorial sample application. As it is, it has never prompted me to enter my credentials and I don't know what to add.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<global-method-security pre-post-annotations="enabled">
</global-method-security>



<beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map path-type="ant">
        <filter-chain pattern="/**" filters="basicAuthenticationFilter" />
    </filter-chain-map>
</beans:bean>

<beans:bean id="basicAuthenticationFilter"
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authManager" />
    <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</beans:bean>
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <beans:property name="realmName" value="ems" />
</beans:bean>
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="authenticationManager" ref="authManager"/>
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="securityMetadataSource">
    <filter-security-metadata-source>
      <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
      <intercept-url pattern="/secure/**" access="ROLE_USER" />
      <intercept-url pattern="/**" access="" />
    </filter-security-metadata-source>
  </beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
        </beans:list>
    </beans:property>
</beans:bean>
<beans:bean id="exceptionTranslationFilter"
 class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
  <beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</beans:bean>
<beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</beans:bean>
<beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
<!--
Usernames/Passwords are
    rod/koala
    dianne/emu
    scott/wombat
    peter/opal
-->
<authentication-manager alias="authManager">
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

</beans:beans>


I managed to do it by creating a second dispatcherServlet and filterChainProxy in the web.xml, and then creating a second security-context.xml specified on the of the servlets, where I could use the tag again as it was a new context. The gotcha was to set the servletContext attribute of the filters in the web.xml so that they belonged to the appropriate Spring context. This is an example of one of the filters and its corresponding servlet.

<filter>
    <filter-name>filterChainProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.servletName</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>filterChainProxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>servletName</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            pathTo/servletName-servlet.xml,
            pathTo/spring-security.xml
        </param-value>
    </init-param>
</servlet>
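
For reference, a sketch of what the second security context (pathTo/spring-security.xml above) could look like with the Spring Security 3.0 namespace. This is an added example, not the poster's file. The /rest/** prefix, the restAuthManager alias and the userDetailsService bean (taken to be defined in the root context) are assumptions, and the alias assumes the filter name from the web.xml above is resolved as a bean name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: security config loaded only by the REST DispatcherServlet. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- No auto-config, so no form login or logout filters: Basic only.
         create-session="never" stops this chain from creating an HTTP session. -->
    <http auto-config="false" realm="ems" create-session="never">
        <!-- /rest/** is an assumed URL prefix for the REST services.
             requires-channel="https" redirects plain-HTTP requests to HTTPS,
             because Basic credentials are only base64-encoded on the wire. -->
        <intercept-url pattern="/rest/**" access="ROLE_USER" requires-channel="https" />
        <http-basic />
    </http>

    <!-- DelegatingFilterProxy looks up a bean named after its <filter-name>.
         The <http> element registers its chain as "springSecurityFilterChain",
         so alias it to the "filterChainProxy" name used in web.xml. -->
    <beans:alias name="springSecurityFilterChain" alias="filterChainProxy" />

    <!-- userDetailsService is a hypothetical bean from the parent (root) context;
         beans in the servlet context can reference beans in the root context. -->
    <authentication-manager alias="restAuthManager">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

</beans:beans>
```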