
  • Spring security access control by host

    I'm trying to implement Spring Security in my web application. The problem is that my web application can work in two environments, b2b and b2c.

    The b2b environment needs to have Spring Security control by username and password, and b2c only on a few pages.

    For example:
    www.myb2b.com/home -> login required
    www.myb2c.com/home -> no login required
    www.myb2c.com/private/admin -> login required
    The most important filters are the first and the second; the third one can be achieved by another system.

    How can I do this?

    I'm trying to configure a custom FilterSecurityInterceptor to override the doFilter function. But I'm having errors for conflicts.

    My appContext-web-security.xml (not complete because it is still under development):
    Code:
    <beans:beans
    xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schem...-beans-3.1.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
        <http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
            <custom-filter position="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurityInterceptor" />
    
            <intercept-url pattern="/**" access="ROLE_USER" />
        </http>
    
        <beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <beans:property name="loginFormUrl" value="/login"/>
        </beans:bean>
    
        <beans:bean id="filterSecurityInterceptor" class="com.hotelbeds.tuiuk.web.spring.CustomSecurityInterceptor">
            <beans:property name="observeOncePerRequest" value="true"/>
            <beans:property name="authenticationManager" ref="authenticationManager" />
            <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
        </beans:bean>
    
        <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
            <beans:property name="decisionVoters">
                <beans:list>
                    <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                </beans:list>
            </beans:property>
        </beans:bean>
    
    
        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <password-encoder hash="sha-256" />
                <user-service>
                    <user name="admin"
                        password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                        authorities="ROLE_ADMIN" />
                    <user name="user"
                        password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                        authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>

  • #2
    Use a custom RequestMatcher implementation and the http@request-matcher-ref attribute.

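One way to implement the custom RequestMatcher suggested in reply #2, as an added example that is not part of the original thread or of Spring Security itself. The class name, package and bean wiring are hypothetical; the import assumes the Spring Security 3.1 package layout used in the question. Because `getServerName()` reflects the client-supplied Host header, the matcher selects only the open b2c chain, so any unrecognised host falls through to the login-required chain.

```java
package example.security; // hypothetical package

import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.RequestMatcher; // 3.1 location of the interface

/**
 * Matches requests addressed to one of a fixed set of host names.
 * Wiring sketch (bean ids are hypothetical; the first matching http element wins):
 *
 *   <http request-matcher-ref="b2cHostMatcher" use-expressions="true">
 *       <intercept-url pattern="/private/**" access="isAuthenticated()" />
 *       <intercept-url pattern="/**" access="permitAll" />
 *       <form-login login-page="/login" />
 *   </http>
 *   <http use-expressions="true">  <!-- every other host, www.myb2b.com included -->
 *       <intercept-url pattern="/login" access="permitAll" />
 *       <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
 *       <form-login login-page="/login" />
 *   </http>
 */
public final class HostRequestMatcher implements RequestMatcher {

    private final Set<String> hosts;

    public HostRequestMatcher(Set<String> hosts) {
        Set<String> normalized = new HashSet<String>();
        for (String host : hosts) {
            normalized.add(normalize(host));
        }
        this.hosts = Collections.unmodifiableSet(normalized);
    }

    public boolean matches(HttpServletRequest request) {
        // Exact match only: no suffix or substring checks, so a host such as
        // "www.myb2c.com.example" never selects the open chain.
        String name = request.getServerName();
        return name != null && hosts.contains(normalize(name));
    }

    private static String normalize(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        // A fully qualified name may carry a trailing dot; treat both forms alike.
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }
}
```

With this approach the custom FilterSecurityInterceptor from the question is not needed; each `<http>` element builds its own interceptor from its `intercept-url` rules.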