10

I have one security context definition that uses PreAuthenticatedProcessingFilterEntryPoint for the Flex part of my application. How can I have another definition that will use standard form login with HTML forms for another part of my application? Here's what I currently have:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

        <!-- Form login for the admin URLs -->
        <http auto-config="true" access-denied-page="/admin/access-denied">
            <intercept-url pattern="/admin/login*" filters="none"/>
            <intercept-url pattern="/admin/access-denied" filters="none"/>
            <intercept-url pattern="/admin/**/*" access="ROLE_ADMIN"/>
            <form-login login-page="/admin/login" authentication-failure-url="/admin/login?login_error=1"
                default-target-url="/admin/index" login-processing-url="/admin/login-process"/>
            <logout logout-success-url="/admin/login"/>
        </http>

        <global-method-security jsr250-annotations="enabled"/>

        <!-- Entry point used for the Flex part of the application -->
        <beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/>

        <beans:bean id="userAccountManager" class="com.mycomp.service.managers.jpa.UserAccountJpaManager"/>
        <beans:bean id="userService" class="com.mycomp.auth.DefaultUserDetailsService"/>
        <beans:bean id="defaultPasswordEncoder" class="com.mycomp.auth.DefaultPasswordEncoder"/>

        <!-- Single authentication provider, currently shared by every URL -->
        <authentication-provider user-service-ref="userService">
            <password-encoder ref="defaultPasswordEncoder"/>
        </authentication-provider>

    </beans:beans>

What I'd like to do is use another authentication provider for the URLs that are in the admin site; the one I currently have is for the Flex application. So I want the security for the admin URLs to use another userDetailsService bean.

Vasil
  • I have the same issue...how did this end up? – Dave Sep 22 '10 at 05:19
  • @HDave I'm not sure how the Spring Security related issue ended up (although I think I solved it somehow, see answers below), but in the end I ditched the idea for a Java admin interface and redid it completely in Jython. In the end most of the application backend for the project went that way. – Vasil Sep 22 '10 at 16:59

3 Answers

12

It has been tricky to do until recently, but now it is easy!

Spring Security has added support for the scenario in version 3.1. It is currently available as a Release Candidate, implemented by SEC-1171. Details of the syntax are in the manual included with 3.1.

It's pretty simple to use. Basically you just define multiple http elements in your Spring Security configuration, one for each context. We're using it like this:

<!-- Configure realm for system administration users -->
<security:http pattern="/admin/**" create-session="stateless">
    <security:intercept-url pattern='/**' access='ROLE_ADMIN' requires-channel="https" />
    <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
</security:http>


<!-- Configure realm for standard users -->
<security:http auto-config="true" access-denied-page="/error/noaccess" use-expressions="true" create-session="ifRequired">
    <security:form-login 
            ...
            ...
</security:http>

The key thing to note is the pattern="/admin/**" on the first http element. This tells Spring that all URLs under /admin are subject to that context instead of the default context — and thus URLs under /admin use your preauthorisation filter instead.

gutch
  • Hi, I have same problem while using multiple `http` elements. I have it mapped with different patterns and still have shared `SecurityContext` between security realms (`http` elements). – michal.kreuzman Sep 28 '12 at 08:51
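
An added example (not code from any poster on this page or from the Spring Security project) applying the multiple-`http` approach to the question's goal of a different `UserDetailsService` per realm, assuming Spring Security 3.1. `adminUserService` and its class, `adminContextRepo`, the `ADMIN_SECURITY_CONTEXT` key, `/admin/logout` and the Flex realm's access rule are assumptions; the separate context repository stores the admin realm's `SecurityContext` under its own session attribute so it is not shared with the other realm.

```xml
<!-- Added example, assuming Spring Security 3.1; adminUserService, adminContextRepo and the session key are hypothetical -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <!-- Admin realm. Declared first: the first <http> whose pattern matches handles the request. -->
    <http pattern="/admin/**" authentication-manager-ref="adminAuthManager"
          security-context-repository-ref="adminContextRepo">
        <intercept-url pattern="/admin/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/admin/access-denied" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <form-login login-page="/admin/login"
                    authentication-failure-url="/admin/login?login_error=1"
                    default-target-url="/admin/index"
                    login-processing-url="/admin/login-process"/>
        <!-- The logout URL must sit under /admin/, otherwise this chain never sees it -->
        <logout logout-url="/admin/logout" logout-success-url="/admin/login"/>
        <access-denied-handler error-page="/admin/access-denied"/>
    </http>

    <!-- Flex realm: every other URL. The access rule is an assumed placeholder for the Flex part's own rules. -->
    <http entry-point-ref="preAuthenticatedEntryPoint" authentication-manager-ref="flexAuthManager">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    </http>

    <!-- 3.x counterpart of the 2.0 PreAuthenticatedProcessingFilterEntryPoint -->
    <beans:bean id="preAuthenticatedEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
    <!-- Keeps the admin SecurityContext under its own session attribute -->
    <beans:bean id="adminContextRepo"
        class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <beans:property name="springSecurityContextKey" value="ADMIN_SECURITY_CONTEXT"/>
    </beans:bean>
    <beans:bean id="userService" class="com.mycomp.auth.DefaultUserDetailsService"/>
    <beans:bean id="adminUserService" class="com.mycomp.auth.AdminUserDetailsService"/> <!-- hypothetical class -->
    <beans:bean id="defaultPasswordEncoder" class="com.mycomp.auth.DefaultPasswordEncoder"/>

    <authentication-manager id="adminAuthManager">
        <authentication-provider user-service-ref="adminUserService">
            <password-encoder ref="defaultPasswordEncoder"/>
        </authentication-provider>
    </authentication-manager>
    <authentication-manager id="flexAuthManager">
        <authentication-provider user-service-ref="userService">
            <password-encoder ref="defaultPasswordEncoder"/>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```
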
2

Map each filter chain to a different URL pattern:

<bean id="myfilterChainProxy"
   class="org.springframework.security.util.FilterChainProxy">
  <security:filter-chain-map pathType="ant">
  <security:filter-chain pattern="/flex" filters="filterF"/>
  <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
  </security:filter-chain-map>
</bean>
Grzegorz Rożniecki
rodrigoap
  • I suppose this is what I need to do. However I don't know what is the easiest way to define a filter with just a custom authentication provider. – Vasil Jul 02 '09 at 14:06
0

It's all about what parts of your application are intercepted by the Spring Security filter chain. Somewhere in your XML configuration (depending on if you did the simple tag config or not) there is an intercept regex like this:

<intercept-url pattern="/**" ...>

You can have different intercept patterns that use different configurations (aka different parts of the security filter chain). I could give you a more concrete answer if you post your current configuration xml.

EDIT: Currently you are using the http tag to define your Spring Security configuration. This tag is used as a shortcut/helper and it auto-defines a lot of pieces of the Security Filter chain that can also be set up manually. I think your use case does not fit the auto setup paradigm, so you will need to manually set up the filter chain for different URL patterns (as seen in the post below mine). You can create your own PreAuthenticationFilter (which will take a custom UserDetailsService) and add that where appropriate to your filter chain intercept mapping.

Gandalf
  • I've posted my security context configuration. I'd appreciate if you can help me with this. – Vasil Jul 02 '09 at 13:07