
  • Single form multiple auth providers.

    Hi, I'm trying to use a single login form and multiple authentication providers with Spring 3.1. As you may know, since Spring 3.1 it's possible to use multiple <http> tags.

    These are my Spring Security settings.
    Code:
    <global-method-security pre-post-annotations="enabled" />
    
    <http pattern="/static/**" security="none" />
    <http pattern="/loggedout.jsp" security="none" />	
    	
    <http  pattern="/secure/extreme/**" use-expressions="true" auto-config="false"  authentication-manager-ref="authenticationManagerVIP" entry-point-ref="authenticationEntryPointVIP" >		
    	<intercept-url pattern="/secure/extreme/**" access="hasRole('ROLE_VIP')" />
    	<custom-filter before="FORM_LOGIN_FILTER" ref="authenticationFilterVIP" />
    	<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID" />
    	<session-management invalid-session-url="/timeout.jsp">
    		<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    	</session-management>
    	<anonymous/>
    </http>
    
    <http pattern="/secure/**" use-expressions="true" auto-config="true"  authentication-manager-ref="authenticationManagerInternal">
    	<intercept-url pattern="/secure/**" access="isAuthenticated()" />		
    	<form-login />  	
    	<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID" />
    	<session-management invalid-session-url="/timeout.jsp">
    		<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    	</session-management>
    	<anonymous/>
    </http>	
    	
    <http pattern="/**" security="none" />
    	
    		
    <beans:bean id="authenticationFilterVIP" class="security.VIPAuthenticationFilter">
            <beans:property name="authenticationManager" ref="authenticationManagerVIP" />		
            <beans:property name="authenticationSuccessHandler" ref="successHandler" />
            <beans:property name="authenticationFailureHandler" ref="failureHandler" />
    </beans:bean>
    	
    <beans:bean id="authenticationEntryPointVIP"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <beans:property name="loginFormUrl" value="/login.jsp"/>	  
    </beans:bean>
    	
    <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
            <beans:property name="defaultTargetUrl" value="/index.jsp" />
    </beans:bean>
    
    <beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl" value="/login.jsp?login_error=true" />
    </beans:bean>
    	 
    <authentication-manager id="authenticationManagerVIP" alias="authenticationManagerVIP">
    	<authentication-provider ref="VIPSAuthenticationProvider" />
    </authentication-manager>
    	
    <beans:bean id="VIPSAuthenticationProvider" class="security.VIPUserAuthenticationProvider" />
    
    <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
         
    <authentication-manager id="authenticationManagerInternal">
    	<authentication-provider>
    		<password-encoder ref="encoder" />
    			<user-service>
    				<user name="rod"
    		password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde"
    					authorities="supervisor, user, teller" />				
    			</user-service>
    	</authentication-provider>
    </authentication-manager>
    The issue is that when:
    • I go to /secure/extreme/ it shows me the correct form; however, when I submit I always get an HTTP Status 404 - /webapp/j_spring_security_check.
    • I go to /secure/ it doesn't show any form (I was expecting the Spring default login form), and I always get an HTTP Status 404 - /wepabb/spring_security_login.
    Any tips?
    Thanks in advance.
    H
    Last edited by helder; Nov 29th, 2012, 06:23 AM.

  • #2
    Your custom filters are only invoked if the <http> element is matched. So for the first FORM_LOGIN_FILTER it must match /secure/extreme/ before the Filter will even be considered. Then assuming authenticationFilterVIP does some sort of request matching it must match as well. If this confuses you there is a more in-depth explanation in the Spring Security Fundamentals presentation.

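The chain selection described in reply #2, as an added example that is not part of the original thread: a simplified Python model of first-match `<http>` pattern selection, using the patterns from the posted configuration. The request paths are constructed and given relative to the context path, and the matcher handles only the three pattern shapes that appear in that configuration.

```python
# Simplified model (an assumption-labelled sketch, not Spring's AntPathMatcher):
# each request is handled by the FIRST <http> element whose pattern matches,
# and only that element's filters ever see the request.

# (pattern, what the chain does), in the order the <http> elements were posted.
CHAINS = [
    ("/static/**", "security=none"),
    ("/loggedout.jsp", "security=none"),
    ("/secure/extreme/**", "VIP chain (authenticationFilterVIP)"),
    ("/secure/**", "internal chain (form-login)"),
    ("/**", "security=none"),
]


def matches(pattern, path):
    """Match the three pattern shapes used in the post: '/**', 'x/**', exact."""
    if pattern == "/**":
        return True
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def chain_for(path):
    """Return (pattern, chain) of the first <http> element matching the path."""
    for pattern, chain in CHAINS:
        if matches(pattern, path):
            return pattern, chain
    return None, "no <http> element matched"


if __name__ == "__main__":
    # Constructed request paths, relative to the context path (/webapp in the post).
    for path in [
        "/secure/extreme/",                         # protected VIP area
        "/j_spring_security_check",                 # URL from the first 404
        "/spring_security_login",                   # URL from the second 404
        "/secure/extreme/j_spring_security_check",  # a URL inside the VIP pattern
        "/secure/j_spring_security_check",          # a URL inside the internal pattern
    ]:
        pattern, chain = chain_for(path)
        print(f"{path:45} -> {pattern:20} {chain}")
```

Both URLs from the 404 messages fall through to the final `/**` element, so neither login filter is in the chain that handles them.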