
I'm trying to implement two security realms using Spring Security. I am using Spring Security 3.1.4 RELEASE and Spring 3.2.0 RELEASE. In my web application there are two users and they should be authenticated separately. Therefore I tried to use multiple http elements to filter URL patterns and redirect to the corresponding login page.

Here is my Spring-security.xml.

<beans:beans xmlns="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd" xmlns:beans="http://www.springframework.org/schema/beans">

 <security:http pattern="/admin/**" auto-config="true" use-expressions="true">
    <security:form-login login-page="/admin/login" default-target-url="/admin/dashboard"
                         authentication-failure-url="/admin/loginfailed"/>
    <security:logout logout-success-url="/admin/logout"/>

    <security:intercept-url pattern="/admin/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/admin/login" access="permitAll"/>

    <security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>

 </security:http>

 <security:http pattern="/customer/**" auto-config="true" use-expressions="true">
    <security:form-login login-page="/customer/login" default-target-url="/customer/reports"
                         authentication-failure-url="/customer/loginfailed"/>
    <security:logout logout-success-url="/customer/logout"/>
    <security:intercept-url pattern="/customer/j_spring_security_check" access="permitAll"/>
    <security:intercept-url pattern="/customer/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/customer/login" access="permitAll"/>

    <security:intercept-url pattern="/customer/*" access="hasRole('ROLE_ADMIN')"/>

</security:http>


<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
    <beans:property name="jndiName">
        <beans:value>java:/myDS</beans:value>
    </beans:property>
</beans:bean>

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource"
                                    users-by-username-query="SELECT login_name AS username, password, 1 AS enabled
                                        FROM tbl_user WHERE login_name=?"
                                    authorities-by-username-query="SELECT login_name, CASE role_id WHEN 2 THEN 'ROLE_USER' WHEN 1 THEN 'ROLE_ADMIN' ELSE '' END AS authority
            FROM tbl_user WHERE login_name=?"

                />
    </security:authentication-provider>
</security:authentication-manager>

</beans:beans>

Here is my web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Here is my login.jsp

<c:url value="/j_spring_security_check" var="url" />
<form role="form" action="${url}" method='POST'>
       <div>
           <label>Email</label>

            <div >
               <input type="email"  name="j_username" id="inputEmail3"
                               placeholder="Email">
            </div>
        </div>
        <div >
            <label>Password</label>

             <div>
                  <input type="password"  name="j_password" id="inputPassword3"
                               placeholder="Password">
             </div>
         </div>

          <div class="form-group">
              <div>
                  <button type="submit">Sign in</button>
              </div>
          </div>
</form>

When I remove the url patterns in the http elements, it works perfectly. Actually I can't remove both url patterns. I tried removing "/customer/**" and it works for customer login. But when the url pattern is present, a j_spring_security_check 404 not found error occurs.

According to the spring security documentation, we can add multiple http elements with different url patterns.

Please help me to find a solution for this.

1 Answer

You can add as many http elements as you want, BUT you will also have to change the login-url accordingly. Currently you haven't changed anything leaving the default /j_spring_security_check in place. Whereas you want a /admin/j_spring_security_check and /customer/j_spring_security_check.

To enable this you will need to configure the login-processing-url on the <form-login /> element, just like you specified the login-page attributes. Do this for each http element.

<security:form-login login-page="/admin/login" login-processing-url="/admin/j_spring_security_check" default-target-url="/admin/dashboard" authentication-failure-url="/admin/loginfailed" />

1 Comment

Sorry for that.. :) I have another problem. I need to authenticate users using two authentication managers. That means admin should authenticate using "authenticateManager1" and customer should authenticate using "authenticateManager2". When I add two authentication managers, only the bottom one works properly. If I put the "authenticateManager1" after "authenticateManager2", only the admin authenticates successfully. What can I do for this?
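
An added example (not from the question, the answer or the Spring project) that applies the answer's login-processing-url advice to both http elements and, for the follow-up in the comment, binds each chain to its own manager through the Spring Security 3.1 authentication-manager-ref attribute. It replaces the two http elements and the single authentication-manager in the question's file and reuses its dataSource bean. The ids adminAuthManager and customerAuthManager, the ROLE_USER rule for customers, the permitAll rules for the loginfailed pages and the role_id filters in the queries are assumptions built on the tbl_user query shown in the question.

```xml
<!-- Added example, not the poster's file. Assumed names: adminAuthManager, customerAuthManager. -->
<security:http pattern="/admin/**" use-expressions="true"
               authentication-manager-ref="adminAuthManager">
    <!-- First match wins, so the open pages come before the catch-all. -->
    <security:intercept-url pattern="/admin/login" access="permitAll"/>
    <security:intercept-url pattern="/admin/loginfailed" access="permitAll"/>
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <!-- The processing URL sits under /admin/**, so this chain receives the POST. -->
    <security:form-login login-page="/admin/login"
                         login-processing-url="/admin/j_spring_security_check"
                         default-target-url="/admin/dashboard"
                         authentication-failure-url="/admin/loginfailed"/>
</security:http>

<security:http pattern="/customer/**" use-expressions="true"
               authentication-manager-ref="customerAuthManager">
    <security:intercept-url pattern="/customer/login" access="permitAll"/>
    <security:intercept-url pattern="/customer/loginfailed" access="permitAll"/>
    <!-- Assumption: customers hold ROLE_USER (role_id 2 in the page's query). -->
    <security:intercept-url pattern="/customer/**" access="hasRole('ROLE_USER')"/>
    <security:form-login login-page="/customer/login"
                         login-processing-url="/customer/j_spring_security_check"
                         default-target-url="/customer/reports"
                         authentication-failure-url="/customer/loginfailed"/>
</security:http>

<!-- Each manager only finds rows of its own role, so a customer account
     cannot authenticate against the admin realm and vice versa. -->
<security:authentication-manager id="adminAuthManager">
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="SELECT login_name AS username, password, 1 AS enabled
                                     FROM tbl_user WHERE login_name=? AND role_id=1"
            authorities-by-username-query="SELECT login_name, 'ROLE_ADMIN' AS authority
                                     FROM tbl_user WHERE login_name=? AND role_id=1"/>
    </security:authentication-provider>
</security:authentication-manager>

<security:authentication-manager id="customerAuthManager">
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="SELECT login_name AS username, password, 1 AS enabled
                                     FROM tbl_user WHERE login_name=? AND role_id=2"
            authorities-by-username-query="SELECT login_name, 'ROLE_USER' AS authority
                                     FROM tbl_user WHERE login_name=? AND role_id=2"/>
    </security:authentication-provider>
</security:authentication-manager>
```

Each realm's login.jsp then has to post to its own processing URL (/admin/j_spring_security_check or /customer/j_spring_security_check) instead of the default /j_spring_security_check. If a logout element is added back, its logout-url needs the same prefix so that it falls under the chain's pattern.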
