I'm trying to get spring-security to work with a project where there is both a form login component needed (for website access) and an http-basic or http-digest component for web services. Now we started out with the namespace based configuration, e.g. a spring-security.xml file with stuff like:
<http auto-config="true"> <intercept-url...> ... </http>
But you have to go with form-based as default or http-basic as default (i.e. this only configures one filter chain). What I want is for some stuff to never redirect to a form and just use http-basic or equivalent. The manual does seem to cover this, only if you follow their advice, you'll end up having to define your own filter chains for everything.
So I was wondering, is there really no other way? Is there perhaps a way I can reuse the filter chain introduced by the http element for those elements that can still use the old scheme? The namespace based config is really handy for us since it's easy to read and understandable, whereas a list of bean definitions is less so...
See issue SEC-1171.
It seems the answer to this one is "no", I'm now using an almost entirely beans based config.
Answers that contradict me are always welcome of course.
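An added example, not part of the original posts: in Spring Security 3.1 and later the namespace accepts more than one `<http>` element, each with its own `pattern`, so web-service URLs get an http-basic chain that never redirects to a form while everything else keeps form login. The `/services/**` pattern, the `/login` page, the role name and the externally defined authentication manager are assumptions.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Chain 1: web services (assumed to live under /services/**).
       Declared first, because the first <http> whose pattern matches
       the request handles it. No form-login here, so an unauthenticated
       call gets a 401 with a WWW-Authenticate header, not a redirect. -->
  <http pattern="/services/**" use-expressions="true" create-session="stateless">
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <http-basic/>
  </http>

  <!-- The login page itself bypasses the filter chain (assumed path /login). -->
  <http pattern="/login" security="none"/>

  <!-- Chain 2: everything else. No pattern attribute means "match all",
       so this element has to come last. -->
  <http use-expressions="true">
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page="/login"/>
    <logout/>
  </http>

  <!-- Assumption: an <authentication-manager> is defined elsewhere in the
       application context; both chains use it by default. -->
</beans:beans>
```

Send basic credentials only over TLS, since the header carries the password in a reversible encoding on every request.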