Make SecurityEnforcementFilter support pluggable authentication entry points. Enhance BASIC authentication so it's a viable alternative to form-based authentication for user agents like IE and Netscape.

docs/reference/src/index.xml

@@ -538,11 +538,15 @@
         so you should configure a <literal>ContextLoaderListener</literal> in
         <literal>web.xml</literal>.</para>
 
-        <para>In the application context you will need to configure two
+        <para>In the application context you will need to configure three
         beans:</para>
 
         <programlisting>&lt;bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter"&gt;
   &lt;property name="filterSecurityInterceptor"&gt;&lt;ref bean="filterInvocationInterceptor"/&gt;&lt;/property&gt;
+  &lt;property name="authenticationEntryPoint"&gt;&lt;ref bean="authenticationEntryPoint"/&gt;&lt;/property&gt;
+&lt;/bean&gt;
+
+&lt;bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt;
   &lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt;
 &lt;/bean&gt;
 
@@ -559,16 +563,21 @@
   &lt;/property&gt;
 &lt;/bean&gt;</programlisting>
 
-        <para>The <literal>loginFormUrl</literal> is where the filter will
-        redirect the user's browser if they request a secure HTTP resource but
-        they are not authenticated. If the user is authenticated, a "403
-        Forbidden" response will be returned to the browser. All paths are
-        relative to the web application root.</para>
+        <para>The <literal>AuthenticationEntryPoint</literal> will be called
+        if the user requests a secure HTTP resource but they are not
+        authenticated. The class handles presenting the appropriate response
+        to the user so that authentication can begin. Two concrete
+        implementations are provided with the Acegi Security System for
+        Spring: <literal>AuthenticationProcessingFilterEntryPoint</literal>
+        for commencing a form-based authentication, and
+        <literal>BasicProcessingFilterEntryPoint</literal> for commencing a
+        Http Basic authentication process.</para>
 
         <para>The <literal>SecurityEnforcementFilter</literal> primarily
-        provides redirection and session management support. It delegates
-        actual <literal>FilterInvocation</literal> security decisions to the
-        configured <literal>FilterSecurityInterceptor</literal>.</para>
+        provides session management support and initiates authentication when
+        required. It delegates actual <literal>FilterInvocation</literal>
+        security decisions to the configured
+        <literal>FilterSecurityInterceptor</literal>.</para>
 
         <para>Like any other security interceptor, the
         <literal>FilterSecurityInterceptor</literal> requires a reference to
@@ -1560,19 +1569,18 @@ public boolean supports(Class clazz);</programlisting></para>
       <sect2 id="security-ui-http-basic">
         <title>HTTP Basic Authentication</title>
 
-        <para>Primarily to cater for the needs of remoting protocols such as
-        Hessian and Burlap, the Acegi Security System for Spring provides a
+        <para>The Acegi Security System for Spring provides a
         <literal>BasicProcessingFilter</literal> which is capable of
-        processing authentication credentials presented in HTTP headers (for
-        standard authentication of web browser users, we recommend HTTP
-        Session Authentication). The standard governing HTTP Basic
+        processing authentication credentials presented in HTTP headers. This
+        can be used for authenticating calls made by Spring remoting protocols
+        (such as Hessian and Burlap), as well as normal user agents (such as
+        Internet Explorer and Navigator). The standard governing HTTP Basic
         Authentication is defined by RFC 1945, Section 11, and the
         <literal>BasicProcessingFilter</literal> conforms with this
         RFC.</para>
 
         <para>To implement HTTP Basic Authentication, it is necessary to add
-        the following filter to <literal>web.xml</literal>, behind a
-        <literal>FilterToBeanProxy</literal>:</para>
+        the following filter to <literal>web.xml</literal>:</para>
 
         <para><programlisting>&lt;filter&gt;
   &lt;filter-name&gt;Acegi HTTP BASIC Authorization Filter&lt;/filter-name&gt;
@@ -1591,16 +1599,25 @@ public boolean supports(Class clazz);</programlisting></para>
         <para>For a discussion of <literal>FilterToBeanProxy</literal>, please
         refer to the FilterInvocation Security Interceptor section. The
         application context will need to define the
-        <literal>BasicProcessingFilter</literal>:</para>
+        <literal>BasicProcessingFilter</literal> and its required
+        collaborator:</para>
 
         <para><programlisting>&lt;bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter"&gt;
   &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
+  &lt;property name="authenticationEntryPoint"&gt;&lt;ref bean="authenticationEntryPoint"/&gt;&lt;/property&gt;
+&lt;/bean&gt;
+
+&lt;bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint"&gt;
+  &lt;property name="realmName"&gt;&lt;value&gt;Name Of Your Realm&lt;/value&gt;&lt;/property&gt;
 &lt;/bean&gt;</programlisting></para>
 
         <para>The configured <literal>AuthenticationManager</literal>
-        processes each authentication request. If authentication fails, a 403
-        (forbidden) response will be returned in response to the HTTP request.
-        If authentication is successful, the resulting
+        processes each authentication request. If authentication fails, the
+        configured <literal>AuthenticationEntryPoint</literal> will be used to
+        retry the authentication process. Usually you will use the
+        <literal>BasicProcessingFilterEntryPoint</literal>, which returns a
+        401 response with a suitable header to retry HTTP Basic
+        authentication. If authentication is successful, the resulting
         <literal>Authentication</literal> object will be placed into the
         <literal>HttpSession</literal> attribute indicated by
         <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.
@@ -1611,13 +1628,14 @@ public boolean supports(Class clazz);</programlisting></para>
         was not attempted because the HTTP header did not contain a supported
         authentication request, the filter chain will continue as normal. The
         only time the filter chain will be interrupted is if authentication
-        fails and a 403 response is returned, as discussed in the previous
-        paragraph.</para>
+        fails and the <literal>AuthenticationEntryPoint</literal> is called,
+        as discussed in the previous paragraph.</para>
 
         <para>HTTP Basic Authentication is recommended to be used instead of
         Container Adapters. It can be used in conjunction with HTTP Session
-        Authentication, as demonstrated in the Contacts sample
-        application.</para>
+        Authentication, as demonstrated in the Contacts sample application.
+        You can also use it instead of HTTP Session Authentication if you
+        wish.</para>
       </sect2>
 
       <sect2 id="security-ui-well-known">