  • How to use Spring Security for multiple sites in the same application

    Hi all,

    I have to secure multiple web sites with the same Spring Security framework. For example, I have the following URLs: > not secure > secured, admin role only for this site > not secure > secured, admin role only for this site, and both are generated inside the same J2EE web application.
    user1 has the admin role for mysite1 and user2 has the admin role for mysite2. This can be done with the user-service-ref because I have the relation between user and site in the database, and the check is done in the overridden method loadUserByUsername.

    With the intercept-url pattern, I cannot get the root domain:

    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />

    So how can I store the URL of the current site in the Spring Security context when the user is logging in?

    I have tried the workaround of storing the URL in the j_username, but I get an error with the remember-me cookie (java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64), and I am sure that this is not the best solution.

    Thanks all for your help !

  • #2
    This sounds a bit tricky, as any session will be shared regardless of which site is requested. You should be able to use the "Host" header to differentiate between the sites (also available as request.getServerName()). How you proceed beyond that will depend on whether you need the site information as part of the running of the app. If you do, you could store the site information in a thread-local variable, for example, as Spring's RequestContext does.

    You would also need to take steps to ensure that a user can't switch sites once they've logged in. For example, you could add a SiteGrantedAuthority to the user's authority list when they log in and add an additional voter to the AccessDecisionManager to check the requested site against this authority value.
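    One way to implement the SiteGrantedAuthority plus extra voter idea from the reply above, written here as an added example against the Spring Security 3.1 API (it is not code from this thread or from Spring itself; the class names SiteVoter and SiteGrantedAuthority and the SITE_ authority prefix are assumptions):

```java
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;

/**
 * Denies a request whose Host does not match the site the user logged in to.
 * Register it next to RoleVoter in a UnanimousBased AccessDecisionManager:
 * with AffirmativeBased a single "grant" from RoleVoter would override this veto.
 */
public class SiteVoter implements AccessDecisionVoter<FilterInvocation> {
    /** Authority recording the site (Host header) the user authenticated against. */
    public static class SiteGrantedAuthority implements GrantedAuthority {
        public static final String PREFIX = "SITE_";   // assumed naming convention
        private final String host;

        public SiteGrantedAuthority(String host) {
            this.host = host.toLowerCase();
        }

        public String getAuthority() {
            return PREFIX + host;
        }
    }

    public boolean supports(ConfigAttribute attribute) {
        return true;   // vote on every secured URL, whatever attribute it carries
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, FilterInvocation fi,
                    Collection<ConfigAttribute> attributes) {
        // Same source as request.getServerName(): the Host header of this request
        String expected = SiteGrantedAuthority.PREFIX
                + fi.getHttpRequest().getServerName().toLowerCase();
        for (GrantedAuthority ga : authentication.getAuthorities()) {
            if (ga instanceof SiteGrantedAuthority) {
                // The session is bound to a site: allow only that site's URLs
                return expected.equals(ga.getAuthority()) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        // No site bound to this principal (e.g. anonymous): abstain, let RoleVoter decide
        return ACCESS_ABSTAIN;
    }
}
```

    The SiteGrantedAuthority itself has to be added to the user's authorities by the loadUserByUsername override; the host for it can be read there from Spring's RequestContextHolder (a ServletRequestAttributes instance) once a RequestContextListener or RequestContextFilter is registered in the web application.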


    • #3

      Thanks for your answer, Luke. In fact I don't know how to get the request object inside the method loadUserByUsername() in order to call request.getServerName() as you said. Do you have an idea?

      I am reading the documentation about AccessDecisionManager and I'll try to find out how to check the requested site.

      Many thanks for your help.