Question

I am trying to use Spring Security based on the Hippo CMS plugin. I have created 3 subsites inside Hippo, each of which has its own login. How should I configure spring-security-context.xml in order to support multiple subsites? All subsites will use the same authentication provider. So far I have configured one of the subsites.

<beans:beans xmlns="http://www.springframework.org/schema/security"
                     xmlns:beans="http://www.springframework.org/schema/beans"
                     xmlns:lang="http://www.springframework.org/schema/lang"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:util="http://www.springframework.org/schema/util"
                     xmlns:aop="http://www.springframework.org/schema/aop"
                     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                       http://www.springframework.org/schema/lang http://www.springframework.org/schema/beans/spring-lang-3.1.xsd
                       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
                       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
                       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!-- HTTP Security Configuration -->
<http auto-config="true">
    <intercept-url pattern="/css/**" />
    <intercept-url pattern="/images/**" />
    <intercept-url pattern="/binaries/**" />
    <intercept-url pattern="/vop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" />
    <form-login login-page="/vop"
                            default-target-url="/vop/vop-mysurvey-page"
                            always-use-default-target="true" />
    <logout logout-url="/logout.jsp" logout-success-url="/vop"/>
</http>
<!--
    Authentication Manager configuration with Hippo Repository based Authentication Provider configuration ('hippoAuthenticationProvider').
    However, you can use any other authentication provider(s) if you don't need to authenticate users against Hippo Repository.
-->
<authentication-manager>
    <authentication-provider ref="hippoAuthenticationProvider"/>
</authentication-manager>

<!--
    Hippo Repository based Authentication Provider. This Authentication Provider provide authentication against Hippo Repository Security Store.
    If you don't need to authenticate users against Hippo Repository, you don't have to include the following bean.
-->
<beans:bean id="hippoAuthenticationProvider"
                        class="org.onehippo.forge.security.support.springsecurity.authentication.HippoAuthenticationProvider">
</beans:bean>

</beans:beans>

For example, I also want to have:

<http auto-config="true">
    <intercept-url pattern="/css/**" />
    <intercept-url pattern="/images/**" />
    <intercept-url pattern="/binaries/**" />
    <intercept-url pattern="/erop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody" />
    <form-login login-page="/erop"
                            default-target-url="/erop/mypage"
                            always-use-default-target="true" />
    <logout logout-url="/logout.jsp" logout-success-url="/erop"/>
</http>

Any Ideas?


Solution 2

Spring Security supports securing multiple subsites. The configuration depends a bit on your subsites, whether they use separate host names or not.

When your subsites run under the same host name, you can configure it like this:

<http pattern="/vop/**" ... >
  ...
</http>

<http pattern="/erop/**" ... >
  ...
</http>

However, if your subsites run on different host names, it could be that the URL patterns overlap. In this case you need to filter by host name, something like:

<!-- The question's file uses the security schema as its default namespace, so plain beans need the beans: prefix. -->
<beans:bean id="vopMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
  <beans:constructor-arg value="hasHeader('host','vop.com')"/>
</beans:bean>

<beans:bean id="eropMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
  <beans:constructor-arg value="hasHeader('host','erop.com')"/>
</beans:bean>

<http request-matcher-ref="vopMatcher" ... >
  ...
</http>

<http request-matcher-ref="eropMatcher" ... >
  ...
</http>
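
Added example (not part of the original answer): a complete same-host configuration for the question's /vop and /erop subsites, written against the Spring Security 3.1 schema the question uses. The per-subsite login-processing-url and logout-url values are assumptions; they sit under each subsite prefix so that the login POST and the logout request match that subsite's http pattern.

```xml
<!-- Added example; the /vop/... and /erop/... login-processing and logout URLs are assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Static resources shared by all subsites: no security filter chain is applied. -->
  <http pattern="/css/**" security="none"/>
  <http pattern="/images/**" security="none"/>
  <http pattern="/binaries/**" security="none"/>

  <!-- Filter chains are tried in declaration order; the first matching pattern handles the request. -->
  <http pattern="/vop/**" auto-config="true">
    <intercept-url pattern="/vop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody"/>
    <!-- The default /j_spring_security_check does not match /vop/**, so the login
         form must post to a URL that this chain actually receives. -->
    <form-login login-page="/vop"
                login-processing-url="/vop/j_spring_security_check"
                default-target-url="/vop/vop-mysurvey-page"
                always-use-default-target="true"/>
    <logout logout-url="/vop/logout" logout-success-url="/vop"/>
  </http>

  <http pattern="/erop/**" auto-config="true">
    <intercept-url pattern="/erop/**" access="IS_AUTHENTICATED_ANONYMOUSLY, ROLE_everybody"/>
    <form-login login-page="/erop"
                login-processing-url="/erop/j_spring_security_check"
                default-target-url="/erop/mypage"
                always-use-default-target="true"/>
    <logout logout-url="/erop/logout" logout-success-url="/erop"/>
  </http>

  <!-- One authentication manager; every http element above uses it by default. -->
  <authentication-manager>
    <authentication-provider ref="hippoAuthenticationProvider"/>
  </authentication-manager>

  <beans:bean id="hippoAuthenticationProvider"
              class="org.onehippo.forge.security.support.springsecurity.authentication.HippoAuthenticationProvider"/>

</beans:beans>
```

Both chains keep the security context in the same HTTP session, so a user who logs in under /vop is also authenticated for /erop. Requests that match none of the patterns pass through without any Spring Security filter chain.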

OTHER TIPS

As far as I know, the Spring Security framework is based on servlet filters and its configuration seems to be tied to a web application context. Because of that, I don't think you can currently host multiple Spring Security contexts in a single web application context.

Licensed under: CC-BY-SA with attribution