Smrita

Reputation: 1279

How does Spring security handle http basic authentication?

I have exposed some web services in a RESTful manner. In my first form the user needs to log in, and the login credentials are sent in the Authorization header in the following manner:

Authorization: Basic adajajffjfksal

Now in my security-context.xml I have secured the URL in the following way:

<http pattern="/login" create-session="stateless">
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
        <http-basic />
</http>

After successful login I have another form from which some parameters will be passed to the server on behalf of the user. Will a session be created? Do I have to pass the user credentials in the Authorization header again? Will this login request be sessionless due to 'create-session="stateless"'?

Upvotes: 0

Views: 722

Answers (1)

Serge Ballesta

Reputation: 149075

This piece of security-context.xml makes little sense, if any:

<http pattern="/login" create-session="stateless">
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
        <http-basic />
</http>

It contains pattern="/login", so the whole block is only considered by Spring Security for the sole URL /login. In other words, it is ignored for any other URLs.

It contains create-session="stateless", so it will not create any session.

The result is that if you explicitly call the /login URL with proper basic authentication headers, you will be successfully authenticated and the session will immediately be closed. So you will not be authenticated for the following requests.

Upvotes: 1
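A complete security-context.xml for the stateless REST setup the answer describes, added here as an example that is neither the asker's file nor the answerer's code: the `<http>` block has no pattern attribute, so it covers every URL, and the in-memory user `alice`/`secret` and the surrounding beans namespace wrapper are constructed for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- No pattern attribute: this block applies to every URL, not only /login.
         create-session="stateless" means no HttpSession is created, so the client
         must send "Authorization: Basic ..." on every request. That is the usual
         choice for a REST API: each request is authenticated on its own. -->
    <http create-session="stateless">
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
        <http-basic />
    </http>

    <!-- Alternative (swap it for the block above): with the default
         create-session="ifRequired" the first successfully authenticated request
         gets a JSESSIONID cookie, and later requests can present that cookie
         instead of repeating the credentials. -->
    <!--
    <http create-session="ifRequired">
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />
        <http-basic />
    </http>
    -->

    <!-- Constructed in-memory user for the example. Its authority matches the
         access attribute used above. Plain-text passwords like this are accepted
         by Spring Security 3.x/4.x; 5.x requires a password-encoder prefix. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="alice" password="secret" authorities="ROLE_AUTHENTICATED" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```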
