I have a pretty standard existing webapp using spring security that requires a database-backed form login for user-specific paths (such as /user/**), and some completely open and public paths (such as /index.html).
However, as this webapp is still under development, I'd like to add a http-basic popup across all paths (/**) to add some privacy. Therefore, I'm trying to add a http-basic popup that asks for a universal user/pass combo (ex admin/foo) that would be required to view any path, but then still keep intact all of the other underlying authentication mechanisms.
I can't really do anything with the <http> tag, since that will confuse the "keep out the nosy crawlers" authentication with the "user login" authentication, and I'm not seeing any way to associate different paths with different authentication mechanisms.
Is there some way to do this with spring security? Alternatively, is there some kind of a dead simple filter that I can apply independently of spring-security's authentication mechanisms?
Yes, you can use multiple authentication filters in Spring Security. However, the best way I have found is to omit the <http> element of the Spring Security namespace and instead use the normal Spring Bean notation.
Specifying all the Spring Security beans 'by hand' brings you the needed flexibility to control the intercepted URLs and which filters will fire for which URL patterns.
The downside is that it requires specifying a lot of extra bean definitions, many of them are not as readable as the namespace-variant of course.