If you want to only use the EmployeeUserDetailsService for Header_A and the CustomerUserDetailsService for Header_B, then you can create multiple AuthenticationManager instances and wire them in the corresponding filters. For example:
<sec:http use-expressions="true" access-denied-page="/denied.jsp" entry-point-ref="http403EntryPoint" authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:custom-filter after="PRE_AUTH_FILTER" ref="customerFilter" />
<sec:custom-filter position="PRE_AUTH_FILTER" ref="employeeFilter" />
<sec:logout delete-cookies="true" invalidate-session="true" logout-success-url="/" />
</sec:http>
<bean id="employeeFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="Header_A"/>
<property name="authenticationManager" ref="employeeAuthenticationManager" />
<property name="exceptionIfHeaderMissing" value="false"/>
</bean>
<bean id="customerFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="Header_B"/>
<property name="authenticationManager" ref="customerAuthenticationManager" />
<property name="exceptionIfHeaderMissing" value="false"/>
</bean>
<bean id="employeePreAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="throwExceptionWhenTokenRejected" value="false" />
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="employeeUserDetailsService"/>
</bean>
</property>
</bean>
<bean id="customerPreAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="throwExceptionWhenTokenRejected" value="false" />
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="customerUserDetailsService"/>
</bean>
</property>
</bean>
<sec:authentication-manager id="authenticationManager">
<sec:authentication-provider ref="customerPreAuthProvider" />
<sec:authentication-provider ref="employeePreAuthProvider" />
</sec:authentication-manager>
<sec:authentication-manager id="customerAuthenticationManager">
<sec:authentication-provider ref="customerPreAuthProvider" />
</sec:authentication-manager>
<sec:authentication-manager id="employeeAuthenticationManager">
<sec:authentication-provider ref="employeePreAuthProvider" />
</sec:authentication-manager>
<bean id="customerUserDetailsService" class="xxx.CustomerUserDetailsService"/>
<bean id="employeeUserDetailsService" class="xxx.EmployeeUserDetailsService"/>
A few notes:
- As shown in the example, use the id property on sec:authentication-manager because using alias will override the previous bean definition and assign another pointer to it
- As shown in the example, ensure to update the authenticationManager reference in employeeFilter and customerFilter
- As shown in the example, ensure to specify the http@authentication-manager-ref attribute pointing to an AuthenticationManager that can authenticate both users. This is necessary for things like the FilterSecurityInterceptor.