  • Spring Security 3.1.0.RC1: W/ multiple <http…/> elements only 1 AuthenticationManager

    Spring Security 3.1.0.RC1: With multiple <http…/> elements why can I only register one authentication manager?

    I have the following configuration with multiple <http.../> elements (in order to separately support REST authentication via basic auth, and user form login):

    Code:
    <security:http auto-config="false" pattern="/service/**" create-session="never" 
                   entry-point-ref="basicAuthenticationEntryPoint" >
        <security:intercept-url pattern="/service/**" requires-channel="any" access="ROLE_REST_SERVICE" />
        <security:custom-filter position="BASIC_AUTH_FILTER" ref="basicAuthenticationFilter" />
    </security:http>
    
    <security:http auto-config="false" pattern="/**"
                   entry-point-ref="loginUrlAuthenticationEntryPoint" >
        <security:logout logout-url="/logout" />
        <security:anonymous enabled="false"/>
        <security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
        <security:custom-filter position="ANONYMOUS_FILTER" ref="anonymousAuthFilter" />
    </security:http>

    In each of my two filters requiring authentication (FORM_LOGIN_FILTER, and BASIC_AUTH_FILTER) I reference two different authentication managers.

    But I get an error that I've already registered an authentication manager.

    Why would I use one authentication manager when I know beforehand which Authentication provider is going to be needed for each filter?

    Should I not use the authentication manager and just start my AuthenticationProvider as a bean and pass it into the filter directly as the AuthenticationManager?

  • #2
    Typically, if you need multiple methods for authentication, you add multiple AuthenticationProviders, each of which is able to perform a different type of authentication.



    • #3
      Yes, I have 2 authentication providers. One for my ROLE_REST_SERVICE, and another for normal ROLE_USER/ROLE_ADMIN.

      But the filter calls for an AuthenticationManager.

      But the namespace won't allow me to declare 2 AuthenticationManager(s).

      Seemed odd. So for now I just implemented AuthenticationManager on my AuthenticationProvider (which calls for the same authenticate(...) method as AuthenticationProvider), and I instantiate it as a stand-alone bean.

      But it seemed, perhaps, this was an odd relic of only supporting one <http.../> element in the namespace?

      Or am I still not thinking of this correctly?



      • #4
        Were you able to figure this out?



        • #5
          Oh gosh, it's been a while now. I think a newer version might have been the answer. I'm on RC3 right now. If that doesn't do it for you, reply to this thread again and I'll look a little deeper; I'm a bit swamped right now for digging any more.



          • #6
            Since each new http element is tantamount to a new FilterChainProxy, why can't we have a separate auth manager for each? What would then be the point? I know each AuthenticationManager can have multiple providers, but they're ordered; it's great for n-factor auth, but I want to be able to group one set of urls to one provider and another to a separate provider. I'd really appreciate any suggestions.

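
Added example, not part of the original thread and not Spring Security's own code: one way to get the per-URL grouping asked about in #6, generalizing the stand-alone-bean workaround from #3, is to declare a separate ProviderManager bean for each filter, each holding a single provider. The ids restAuthenticationManager, userAuthenticationManager and the com.example provider classes are hypothetical; the filter and entry-point ids are the ones referenced in the original post's <http> elements, which stay as posted.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Hypothetical provider implementations: one per credential population. -->
    <bean id="restAuthenticationProvider"
          class="com.example.security.RestServiceAuthenticationProvider"/>
    <bean id="userAuthenticationProvider"
          class="com.example.security.UserAuthenticationProvider"/>

    <!-- Manager consulted only for /service/** (basic auth).
         It holds the REST provider and nothing else. -->
    <bean id="restAuthenticationManager"
          class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="restAuthenticationProvider"/>
            </list>
        </property>
    </bean>

    <!-- Manager consulted only for the form-login chain (/**). -->
    <bean id="userAuthenticationManager"
          class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="userAuthenticationProvider"/>
            </list>
        </property>
    </bean>

    <!-- Filter referenced by <security:custom-filter position="BASIC_AUTH_FILTER" .../> -->
    <bean id="basicAuthenticationFilter"
          class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <property name="authenticationManager" ref="restAuthenticationManager"/>
        <property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
    </bean>

    <!-- Filter referenced by <security:custom-filter position="FORM_LOGIN_FILTER" .../> -->
    <bean id="usernamePasswordAuthenticationFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="userAuthenticationManager"/>
    </bean>
</beans>
```

Because each filter consults only its own manager, a credential submitted on one chain is never offered to the other chain's provider.
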


            • #7
              Check out https://jira.springsource.org/browse/SEC-1847



              • #8
                Thank you.
