Question

I am stuck trying to create a web app using Spring Security 3.2.

I am trying to implement two login pages with a different authentication manager. This configuration works fine if I use an http-basic form, but when using a form-login, I receive a 404 on j_spring_security_check. Any idea why j_spring_security_check is not generated by Spring in this situation?

Thanks in advance

<http pattern="/admin/login.html" security="none" />
<http pattern="/user/login.html" security="none" />

<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
    <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>

<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>

<debug/>

<authentication-manager id="adminAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="ROLE_USER" />
            <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
        </user-service>
    </authentication-provider>
</authentication-manager>

And my login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

<div class="container">
<form class="form-signin" role="form" action="<c:url value='/j_spring_security_check' />" method='POST'>
    <input type="text" name='j_username' class="form-control" placeholder="Username" required="" autofocus="">
    <input type="password" name='j_password' class="form-control" placeholder="Password" required="">
    <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>

<c:if test="${not empty sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}">
    <div class="alert alert-danger">
        ${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
    </div>
</c:if>
</div>

No correct solution

OTHER TIPS

You can use multiple authentication providers:
- One 'default' authentication provider: with 'alias'
- Other authentication providers: with 'id'

<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
    <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>

<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>

<debug/>

<!--default Authentication Provider -->
<authentication-manager alias="adminAuthMgr">
  <authentication-provider>
    <user-service>
        <user name="admin" password="admin" authorities="ROLE_ADMIN" />
    </user-service>
  </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
  <authentication-provider>
    <user-service>
        <user name="user" password="user" authorities="ROLE_USER" />
        <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
    </user-service>
  </authentication-provider>
</authentication-manager>

The way Spring is designed is to use one authentication manager with one or more kinds of authentication providers.

As for your example, why not use one authentication manager and authentication provider and reference them in both http tags? From a security point of view, it should not compromise anything. If it did, then nobody would be using Spring Security.
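
Added example, not part of the original question or answers: each `<http pattern="...">` element builds its own filter chain that only handles requests matching its pattern, and the default form-login processing URL `/j_spring_security_check` matches neither `/user/**` nor `/admin/**`, so no chain handles the POST and the request ends in a 404. The configuration below keeps the question's two authentication managers and moves each processing URL inside its chain's pattern with `login-processing-url`; the URL paths chosen here are assumptions.

```xml
<!-- Added example (not the asker's or answerers' code). -->
<!-- Login pages stay outside the security filters, as in the question. -->
<http pattern="/admin/login.html" security="none" />
<http pattern="/user/login.html" security="none" />

<!-- Chain 1: only sees requests under /user/**, so the login POST must land there too. -->
<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
    <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/login.html"
                login-processing-url="/user/j_spring_security_check"
                always-use-default-target="true"
                default-target-url="/user/index.html" />
</http>

<!-- Chain 2: same idea for /admin/**, authenticated by its own manager. -->
<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/admin/login.html"
                login-processing-url="/admin/j_spring_security_check"
                always-use-default-target="true"
                default-target-url="/admin/index.html" />
</http>

<!-- Authentication managers unchanged from the question (sample in-memory users). -->
<authentication-manager id="adminAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="ROLE_USER" />
            <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```

Each login form then has to post to its own chain's URL, for example `<c:url value='/user/j_spring_security_check' />` in the user login page and the `/admin/` equivalent in the admin one.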

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow