BasicAuthenticationFilter过滤器对应的类路径为 

org.springframework.security.web.authentication.www.BasicAuthenticationFilter 

Basic验证方式相比较而言用的不是太多。spring security也支持basic的方式，配置如下 

Xml代码  

1. <security:http auto-config=“true”>  
2.     <!– <security:form-login login-page=”/login.jsp”/>–>  
3.     <security:http-basic/>  
4.     <security:logout logout-success-url=“/login.jsp” invalidate-session=“true”/>  
5.     <security:intercept-url pattern=“/login.jsp*” filters=“none”/>  
6.     <security:intercept-url pattern=“/admin.jsp*” access=“ROLE_ADMIN”/>  
7.     <security:intercept-url pattern=“/index.jsp*” access=“ROLE_USER,ROLE_ADMIN”/>  
8.     <security:intercept-url pattern=“/**” access=“ROLE_USER,ROLE_ADMIN”/>  
9. </security:http>  

如果选择basic方式，需要把form-login标签的定义给注释掉。 

接下来看BasicAuthenticationFilter的执行过程 

Java代码  

1. public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)  
2.         throws IOException, ServletException {  
3.     final boolean debug = logger.isDebugEnabled();  
4.     final HttpServletRequest request = (HttpServletRequest) req;  
5.     final HttpServletResponse response = (HttpServletResponse) res;  
6.     //basic登录时，会产生Authorization的header信息  
7.      //Authorization的值是Basic eXVxaW5nc29uZzox  
8.     //eXVxaW5nc29uZzox是经过base编码的一串字符  
9.     String header = request.getHeader(“Authorization”);  
10.     if ((header != null) && header.startsWith(“Basic “)) {  
11.         byte[] base64Token = header.substring(6).getBytes(“UTF-8”);  
12.         //经过base解码后，token值为username:password这种方式  
13.         String token = new String(Base64.decode(base64Token), getCredentialsCharset(request));  
14.         String username = “”;  
15.         String password = “”;  
16.         int delim = token.indexOf(“:”);  
17.   
18.         if (delim != –1) {  
19.             username = token.substring(0, delim);  
20.             password = token.substring(delim + 1);  
21.         }  
22.   
23.         if (debug) {  
24.             logger.debug(“Basic Authentication Authorization header found for user ‘” + username + “‘”);  
25.         }  
26.         //下面的执行过程基本和login方式一样，认证、授权等过程  
27.         if (authenticationIsRequired(username)) {  
28.             UsernamePasswordAuthenticationToken authRequest =  
29.                     new UsernamePasswordAuthenticationToken(username, password);  
30.             authRequest.setDetails(authenticationDetailsSource.buildDetails(request));  
31.   
32.             Authentication authResult;  
33.   
34.             try {  
35.                 authResult = authenticationManager.authenticate(authRequest);  
36.             } catch (AuthenticationException failed) {  
37.                 // Authentication failed  
38.                 if (debug) {  
39.                     logger.debug(“Authentication request for user: “ + username + ” failed: “ + failed.toString());  
40.                 }  
41.   
42.                 SecurityContextHolder.getContext().setAuthentication(null);  
43.   
44.                 rememberMeServices.loginFail(request, response);  
45.   
46.                 onUnsuccessfulAuthentication(request, response, failed);  
47.   
48.                 if (ignoreFailure) {  
49.                     chain.doFilter(request, response);  
50.                 } else {  
51.                     authenticationEntryPoint.commence(request, response, failed);  
52.                 }  
53.   
54.                 return;  
55.             }  
56.   
57.             // Authentication success  
58.             if (debug) {  
59.                 logger.debug(“Authentication success: “ + authResult.toString());  
60.             }  
61.   
62.             SecurityContextHolder.getContext().setAuthentication(authResult);  
63.   
64.             rememberMeServices.loginSuccess(request, response, authResult);  
65.   
66.             onSuccessfulAuthentication(request, response, authResult);  
67.         }  
68.     }  
69.   
70.     chain.doFilter(request, response);  
71. }