问题
I want to configure Spring Security to enable both BASIC and DIGEST authentication for the same set of URL's, but it's unclear whether or not this is possible. I see that I need to enable multiple AuthenticationEntryPoint instances to set the appropriate HTTP headers, but I don't see any built in classes to accomodate this. DelegatingAuthenticationEntryPoint comes close, but ultimately it only selects one entry point.
I implemented a custom AuthenticationEntryPoint that calls the commence method on a supplied list of AuthenticationEntryPoint instances, but it eventually throws an IllegalStateException because each AuthenticationEntryPoint calls sendError (which I gather is not allowed).
Is there any way to do this without implementing a completely custom entry point?
回答1:
Id did it by configuring Spring security for Digest authentication only, and then adding a BasicProcessingFilter manually at the beginning of the filter chain, as explained There
<bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<security:custom-filter before="AUTHENTICATION_PROCESSING_FILTER"/>
<property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
来源:https://stackoverflow.com/questions/4492288/spring-security-3-x-how-can-i-enable-both-basic-and-digest-authentication