1. Obtain a session and write it to a cookie file. Note that the Spring Security path j_spring_security_check is used for this step.
$ curl --data "j_username=myname&j_password=mypswd" http://localhost:8080/SpringSecurityAuth/j_spring_security_check --cookie-jar cookies.txt
2. Access the protected URL with the session
$ curl http://localhost:8080/SpringSecurityAuth/api/helloworld --cookie cookies.txt
HTTP basic authentication
Option 1
Send the username and password with each request
$ curl --user myname:mypwsd http://localhost:8080/SpringSecurityAuth/api/helloworld
Option 2
1. Obtain a session in a similar way to form-based authentication, but without using the Spring Security path j_spring_security_check
$ curl --user myname:mypwsd http://localhost:8080/SpringSecurityAuth/api/helloworld --cookie-jar cookies.txt
2. Access the protected URL with the session
$ curl http://localhost:8080/SpringSecurityAuth/api/helloworld --cookie cookies.txt
Simple REST Stateless configuration
To achieve REST stateless feature, the
<!-- Stateless RESTful service using Basic authentication -->
<http pattern="/restful/**" create-session="stateless">
    <intercept-url pattern='/**' access='ROLE_REMOTE' />
    <http-basic />
</http>
Then the saved session will not work and providing username and password is required for each request.
This feature can be achieved only with HTTP basic authentication because the form-based authentication needs to have a session to access the protected resource, but the session is not valid here.
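One way to check from the client side which behaviour you are getting is to inspect the file written by --cookie-jar: the form-login step should store a JSESSIONID, and a request to the stateless chain should not. The script below is an added example, not part of the original post; the function names and the sample jar contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a curl --cookie-jar file for a session cookie.
# Jar lines are tab-separated: domain, subdomain flag, path, secure, expiry,
# name, value. curl prefixes the domain of HttpOnly cookies with "#HttpOnly_".

# session_cookie JAR [NAME]: print name and flags (never the value) of each
# matching cookie; exit status 1 when the jar holds none.
session_cookie() {
    awk -F '\t' -v name="${2:-JSESSIONID}" '
        {
            httponly = "no"
            if (sub(/^#HttpOnly_/, "")) httponly = "yes"  # sub() re-splits $0
            if ($0 ~ /^#/ || NF < 7) next                 # header or blank line
            if ($6 == name) {
                printf "%s secure=%s httponly=%s\n", $6, $4, httponly
                found = 1
            }
        }
        END { exit !found }' "$1"
}

# assert_stateless JAR [NAME]: succeed only if no session cookie was stored,
# which is what a create-session="stateless" chain should produce.
assert_stateless() {
    if hit=$(session_cookie "$1" "${2:-JSESSIONID}"); then
        echo "session cookie issued: $hit"
        return 1
    fi
    echo "ok: no ${2:-JSESSIONID} stored"
}

# Constructed sample jars (not captured from a real server).
make_sample_jars() {
    hdr='# Netscape HTTP Cookie File\n\n'
    printf "$hdr"'#HttpOnly_localhost\tFALSE\t/SpringSecurityAuth\tFALSE\t0\tJSESSIONID\tCONSTRUCTED0123\n' > "$1/session.txt"
    printf "$hdr" > "$1/stateless.txt"
}

tmp=$(mktemp -d)
make_sample_jars "$tmp"
session_cookie "$tmp/session.txt"            # jar from the form-login step
assert_stateless "$tmp/stateless.txt"        # jar from the stateless chain
rm -rf "$tmp"
```

A secure=FALSE entry means curl will also send that cookie over plain HTTP. If assert_stateless fails against the /restful/** chain, something other than Spring Security (for example the application itself) is still creating a session.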
This approach may not be secure enough because the username and password are transmitted in each request. To have a more secure implementation, using