Spring Security 3.2 Multiple http tag with different Authentication Manager

Question

I am stuck trying to create a web app using spring security 3.2.

I am trying to implement two login pages with a different authentication manager. This configuration works fine if I use a http-basic form but when using a form-login, I receive a 404 on j_spring_security_check. Any Idea ? Why the j_spring_security_check is not generated by spring on this situation ?

Thanks in advance

<http pattern="/admin/login.html" security="none" />
<http pattern="/user/login.html" security="none" />

<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
    <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>

<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>

<debug/>

<authentication-manager id="adminAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="ROLE_USER" />
            <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
        </user-service>
    </authentication-provider>
</authentication-manager>

And my login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

<div class="container">
<form class="form-signin" role="form" action="<c:url value='/j_spring_security_check' />" method='POST'>
    <input type="text" name='j_username' class="form-control" placeholder="Username" required="" autofocus="">
    <input type="password" name='j_password' class="form-control" placeholder="Password" required="">
    <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>

<c:if test="${not empty sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}">
    <div class="alert alert-danger">
        ${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
    </div>
</c:if>

Answer 1

You can use multiple authentication provider:
-One 'default' Authentication Provider: with 'alias'
-others Authenfication Provider: with 'id'

<http use-expressions="true" pattern="/user/**" authentication-manager-ref="userAuthMgr">
<intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/user/login.html" always-use-default-target="true" default-target-url="/user/index.html" />
</http>

<http use-expressions="true" pattern="/admin/**" authentication-manager-ref="adminAuthMgr">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/admin/login.html" always-use-default-target="true" default-target-url="/admin/index.html" />
</http>

<debug/>

<!--default Authentication Provider -->
<authentication-manager alias="adminAuthMgr">
  <authentication-provider>
    <user-service>
        <user name="admin" password="admin" authorities="ROLE_ADMIN" />
    </user-service>
  </authentication-provider>
</authentication-manager>

<authentication-manager id="userAuthMgr">
  <authentication-provider>
    <user-service>
        <user name="user" password="user" authorities="ROLE_USER" />
        <user name="vip" password="vip" authorities="ROLE_USER, ROLE_VIP" />
    </user-service>
  </authentication-provider>
</authentication-manager>