10

I have set up FORM authentication within web.xml (Java web container) successfully.

I did not find a way to send the username/password within the GET request to the RESTful URI from my client when using FORM authentication. So I have to use BASIC authentication only for the RESTful URI.

So I have this question:

How can I set up both form-based authentication and basic authentication? Basic authentication should only be enabled for the restful-uri.

Guerric P
nimo23

2 Answers

12

I was also facing a similar problem and I realized that if you are using WildFly then it's possible to configure multiple mechanisms using web.xml:

    <auth-method>BASIC?silent=true,FORM</auth-method>

Using this, silent basic authentication will be tried first, which is basic authentication that only takes effect if an Authorization header is present. If no such header is present then form authentication will be used instead.

Maybe it's too late for a reply but I just updated this in case someone finds this useful :P

nothingInTheName
7

There were no responses here for a while, so I did a quick servlet refresher myself. Servlet specs indeed allow only one `<login-config>` element per web application, so there is no way to have an entry point with BASIC authentication for the REST API and another with FORM-based authentication for the UI. The only option is to build them as two independently deployable applications. To avoid code duplication, it might be a good idea just to let the UI application talk to the REST API the same way the third-party clients are supposed to.

Olaf
  • I hope it will be possible in future servlet specs. Maybe we should make a feature request? – nimo23 Aug 27 '12 at 08:52
  • For the WildFly solution, take a look at [nothingInTheName's answer](https://stackoverflow.com/a/31949879/3870761) – sergioFC Jul 25 '19 at 10:23