By default, Spring Security uses form-based authentication (form-login).
<!-- Form authentication is used by default -->
<sec:form-login/>
Spring Security also supports HTTP Basic authentication. Adding an empty http-basic element inside the http element enables it.
<!-- Relationship of roles and URL patterns -->
<sec:http auto-config="true" use-expressions="true">
    <sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <sec:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/home/**" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')"/>
    <!-- Use HTTP Basic authentication -->
    <sec:http-basic/>
</sec:http>
When you need to log in, the browser opens its HTTP Basic authentication dialog box.
The text "Spring Security Application" that follows the server prompt is the default realm supplied by Spring Security. It can be changed by setting the entry-point-ref attribute on the http-basic element.
<sec:http-basic entry-point-ref="basicAuthenticationEntryPoint"/>
You need to add a bean and set its realmName property to the text you want to display.
<beans:bean id="basicAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <beans:property name="realmName" value="HTTP Basic authentication by [email protected]"/>
</beans:bean>
When you access /home, a page that requires login, the browser displays its login dialog.
After the request is sent, the response carries a WWW-Authenticate header. The response data is as follows:
HTTP/1.1 401
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=e7beb2393fb9910dfd5d4d82728af4eb; path=/springsecurity; HttpOnly
WWW-Authenticate: Basic realm="HTTP Basic authentication by [email protected]"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1110
Date: Sat, 15:46:02 GMT
On seeing the 401 status code and the WWW-Authenticate header, the browser displays the login dialog.
If you enter the wrong username and password in the browser's authentication dialog, the browser keeps asking for the correct username and password.
If you cancel the login, you are taken to the authentication failure page.
After you cancel the login, the request and response data are as follows:
Request:
GET /springsecurity/home/ HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Authorization: Basic emhhbmdzyw46mtizna==
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: http://localhost:8080/springsecurity/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=bbc492a01845324e6b28dc1cce77ccf7
Response:
HTTP/1.1 401 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
WWW-Authenticate: Basic realm="HTTP Basic authentication by [email protected]"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1030
Date: Sat, 14:45:12 GMT
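Both sides of the exchange captured above, as an added example (not code from the original article or from Spring Security): a Python sketch that parses the WWW-Authenticate challenge, builds the Authorization value and decodes it again, which shows that the value is only Base64 of user:password and therefore needs TLS on the wire. The function names are assumptions, and the sample credentials are the RFC 7617 example pair, not the ones in the capture.

```python
import base64
import binascii
import re

# Sample values: the default realm named in the article and the
# RFC 7617 example credentials (not the credentials from the capture).
SAMPLE_CHALLENGE = 'Basic realm="Spring Security Application"'
SAMPLE_USER, SAMPLE_PASSWORD = "Aladdin", "open sesame"


def parse_challenge(value):
    """Return the realm of a WWW-Authenticate value, or None if it is not Basic."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    match = re.search(r'realm\s*=\s*"([^"]*)"', params, re.IGNORECASE)
    return match.group(1) if match else None


def build_authorization(user, password):
    """Client side: Base64 of 'user:password'. An encoding, not encryption."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_authorization(value):
    """Server side: recover (user, password); None means answer 401 again."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    header = build_authorization(SAMPLE_USER, SAMPLE_PASSWORD)
    print("realm:   ", parse_challenge(SAMPLE_CHALLENGE))
    print("request: ", "Authorization: " + header)
    print("decoded: ", parse_authorization(header))
```

Anyone who can read the request recovers the password with a single Base64 decode, and the browser resends the same header on every request to the realm until it is closed.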
After the login is successful, you need to close your browser to log out.
Spring Security Application Development (HTTP Basic authentication)