
Thread: Multiple Login Forms

  1. #1

    Multiple Login Forms

    I am maintaining a web application which is the accumulation of a number of legacy applications, and uses Spring Security 3.0.2. I need to combine another application which also uses Spring Security. Each application has its own styled login form and default target URL. I have found that I could replace the default-target-url attribute with an authentication-success-handler-ref implementation. However, for form-login I only seem to be able to select a single login-page. Is there a way to have separate login pages depending on the path the user was trying to access? I do NOT require that different security permissions are applied; they all use the same decision manager.

    Thanks.

  2. #2

    Have a look at http@entry-point-ref
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3

    Thanks. It seems like the <security:form-login /> element uses LoginUrlAuthenticationEntryPoint. So would subclassing this and overriding determineUrlToUseForThisRequest be the best choice?

  4. #4

    I can't say what the best choice for you would be (without knowing all the details), but that is certainly one way of going about it. Note that if you create the LoginUrlAuthenticationEntryPoint using standard beans, the namespace will not apply other properties to it (i.e. form-login@login-page will be ignored). This means you need to inject everything necessary into the AuthenticationEntryPoint you create using standard Spring beans.

    PS: I'd strongly consider updating Spring Security to avoid this Security Vulnerability.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5

    I have created my subclass of LoginUrlAuthenticationEntryPoint, but am finding it difficult to link in. As you say, you need to manually create everything that the form login parser creates. I have been tracing through FormLoginBeanDefinitionParser to try and do this, but there is quite a lot of scope for error as it does quite a bit of work.

    Has anyone got the equivalent xml bean definitions to the form-login tag?

  6. #6

    Did you read the link I posted? It mentions an example of using a custom AuthenticationEntryPoint.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
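
The approach discussed in posts #3 and #4, as an added example that is not code from any poster in this thread or from the Spring Security project: a LoginUrlAuthenticationEntryPoint subclass that overrides determineUrlToUseForThisRequest and picks the login page from a server-side prefix map. The class name, the loginPagesByPrefix property and the sample paths in the comments are hypothetical; the signatures are those of the Spring Security 3.0.x API named in the thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Hypothetical entry point: selects the login page from the path the
 * unauthenticated user requested. Reference it from http@entry-point-ref.
 * The inherited loginFormUrl property must still be set on the bean; it is
 * the fallback page and is validated by afterPropertiesSet().
 */
public class PathBasedLoginUrlEntryPoint extends LoginUrlAuthenticationEntryPoint {

    // Insertion order is lookup order, so list the most specific prefix first.
    private Map<String, String> loginPagesByPrefix = new LinkedHashMap<String, String>();

    /** Constructed sample entry: "/legacyA/" maps to "/legacyA/login.jsp". */
    public void setLoginPagesByPrefix(Map<String, String> loginPagesByPrefix) {
        this.loginPagesByPrefix = new LinkedHashMap<String, String>(loginPagesByPrefix);
    }

    @Override
    protected String determineUrlToUseForThisRequest(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception) {
        // Path inside the application, without context path or query string.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        for (Map.Entry<String, String> entry : loginPagesByPrefix.entrySet()) {
            if (path.startsWith(entry.getKey())) {
                // Only server-configured values are returned; nothing taken
                // from the request ends up in the redirect target.
                return entry.getValue();
            }
        }
        // No prefix matched: fall back to the configured loginFormUrl.
        return getLoginFormUrl();
    }
}
```

Every login page in the map has to be reachable without authentication, otherwise the entry point redirects to a page that triggers the entry point again.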
