Spring Security 3.2 Multiple http tag with different Authentication Manager

I am stuck trying to create a web app using Spring Security 3.2.

I am trying to implement two login pages with a different authentication manager. This configuration works fine if I use a http-basic form but when using a form-login, I receive a 404 on j_spring_security_check. Any idea? Why is j_spring_security_check not generated by Spring in this situation?

Thanks in advance

<http pattern="/admin/login.html" security="none" />
<http pattern="/user/login.html" security="none" />

<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
    <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>

<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>

<debug/>

<authentication-manager id="adminAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="ROLE_USER" />
            <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
        </user-service>
    </authentication-provider>
</authentication-manager>

And my login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

<div class="container">
<form class="form-signin" role="form" action="<c:url value='/j_spring_security_check' />" method='POST'>
    <input type="text" name='j_username' class="form-control" placeholder="Username" required="" autofocus="">
    <input type="password" name='j_password' class="form-control" placeholder="Password" required="">
    <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>

<c:if test="${not empty sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}">
    <div class="alert alert-danger">
        ${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
    </div>
</c:if>

user3368735 asked Mar 01 '14 18:03



1 Answer

You can use multiple authentication providers:
- One 'default' authentication provider: with 'alias'
- Other authentication providers: with 'id'

<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
<intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>

<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>

<debug/>

<!--default Authentication Provider -->
<authentication-manager alias="adminAuthMgr">
  <authentication-provider>
    <user-service>
        <user name="admin" password="admin" authorities="ROLE_ADMIN" />
    </user-service>
  </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
  <authentication-provider>
    <user-service>
        <user name="user" password="user" authorities="ROLE_USER" />
        <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
    </user-service>
  </authentication-provider>
</authentication-manager>
user2549726 answered Oct 21 '22 17:10
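
In Spring Security 3.2 a form-login processes credentials at /j_spring_security_check unless login-processing-url says otherwise, and that default path matches neither pattern="/user/**" nor pattern="/admin/**", so neither filter chain ever sees the POST. The fragment below is an added example, not part of the original question or answer; it gives each chain a processing URL inside its own pattern, and the two .../j_spring_security_check paths are names chosen for this example.

```xml
<!-- Added example: fragment of the same security-namespace file as the question's configuration. -->
<http pattern="/admin/login.html" security="none" />
<http pattern="/user/login.html" security="none" />

<!-- This chain only receives requests under /user/**, so its login POST must live there too.
     /user/j_spring_security_check is a URL chosen for this example. -->
<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
    <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/login.html"
                login-processing-url="/user/j_spring_security_check"
                always-use-default-target="true"
                default-target-url="/user/index.html" />
</http>

<!-- Same idea for the admin chain: the processing URL sits inside /admin/**,
     so only adminAuthMgr is ever consulted for credentials posted to it. -->
<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/admin/login.html"
                login-processing-url="/admin/j_spring_security_check"
                always-use-default-target="true"
                default-target-url="/admin/index.html" />
</http>

<!-- userAuthMgr and adminAuthMgr are the authentication-manager beans already defined in the question. -->

<!-- Each login page posts to its own chain's URL. In the user login JSP:
     <form action="<c:url value='/user/j_spring_security_check' />" method="POST">
     and in the admin login JSP:
     <form action="<c:url value='/admin/j_spring_security_check' />" method="POST"> -->
```

Keeping the two processing URLs separate also keeps the credential stores separate: a username and password posted to the /user/ URL is checked only against userAuthMgr, never against the admin user list.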