
I have one login form for users and another for admins. I want a user with ROLE_USER to be able to log in only from the user's form, and an admin only from the admin's form. I think the right solution is to create a second implementation of userDetailsService. For this I must create two different dispatcher servlets for different paths, but as I understand it, I must then create two different authenticationManagers in two different child contexts (dispatcher servlets). Is this the right solution? Or please tell me the right way to create an admin section in Spring. Any help is appreciated)

In "Two different authenticationManagers for two different dispatcherServlet" I attempted to override the authenticationManager in the child context, and one user answered me that it is impossible. But as said in the docs:

In the Web MVC framework, each DispatcherServlet has its own WebApplicationContext, which inherits all the beans already defined in the root WebApplicationContext. The root WebApplicationContext should contain all the infrastructure beans that should be shared between your other contexts and Servlet instances. These inherited beans can be overridden in the servlet-specific scope, and you can define new scope-specific beans local to a given Servlet instance.

I can't understand the difference between

overriding a bean in the child context (which is impossible, as the user answered me)

and

inherited beans can be overridden in the servlet-specific scope

Please explain this to me)

Yuriy
    Wouldn't it be much, much easier to use one login form and do the rest via roles? If an admin logs in, he gets the admin role, a user not. The admin section then can be protected to be only accessible for users with the admin role... – Florian Schaetz Aug 19 '16 at 15:30
  • @FlorianSchaetz but it is for additional protection: for the admin I have a separate URL, and even if some malicious user knows the admin's username and password, he can't log in, because he doesn't know about the admin URL. So as I understand it, it is very complicated and needless – Yuriy Aug 19 '16 at 15:40
  • So you assume that it is more likely that someone gets the admin username and password than a simple URL? Okay... Anyway, it shouldn't be that much of a problem to write your own filter that allows admin login only from a certain login form. No need to create something extremely complex there, just Spring Security stuff. – Florian Schaetz Aug 19 '16 at 15:47

1 Answer

If these are login forms how would you know prior to a person logging in what role they would have? That is how could you determine if an unauthenticated person should use the user login form versus the admin login form? Like Florian said, you should be able to accomplish logging in both types of users with a single form.

If you want to authorize access to endpoints based on the roles a user has, which I think is what you are really looking for, you would need to create a Configuration class that extends WebSecurityConfigurerAdapter and override the configure(HttpSecurity) method. Here is a simple example of that: https://github.com/wkorando/hateoas-demo-II/blob/master/src/main/java/com/hateoas/demo/config/SpringSecurityConfiguration.java

Billy Korando
  • I wanted to create the admin form on a very complex URL, so a simple user can't merely guess it. And about WebSecurityConfigurerAdapter I know) I have already created an implementation and have already overridden the method) – Yuriy Aug 19 '16 at 15:59
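A worked example of the role-based approach the answer recommends: one login form for everyone, with the admin section protected by ROLE_ADMIN rather than by a hard-to-guess URL. This is added here and is not code from the answer or from the linked repository; it assumes Spring Security 4.x/5.x (where WebSecurityConfigurerAdapter still exists) and uses constructed in-memory users with placeholder passwords.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Single login form; /admin/** is guarded by role, so a ROLE_USER account that
// knows the admin URL still gets 403. Assumes Spring Security 4.x/5.x.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed in-memory users with placeholder passwords; a real
        // application would use a database-backed UserDetailsService instead.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("alice").password(passwordEncoder().encode("USER-PASSWORD-PLACEHOLDER")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("ADMIN-PASSWORD-PLACEHOLDER")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Most specific patterns first; hasRole("ADMIN") checks ROLE_ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasAnyRole("USER", "ADMIN")
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")        // one form for both kinds of user
                .defaultSuccessUrl("/", true)
                .permitAll()
                .and()
            .logout()
                .permitAll();
        // CSRF protection is left at its default (enabled).
    }
}
```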