Multiple http blocks, multiple auth managers. Remember me. All independent.

[tunilopez]

Hello everyone,

I have a web application secured with Spring Security that needs two separate login forms. These two login forms need to be totally independent. I mean different login form, different url paths, be able to have a different authentication manager for each one and be able to have rememer me functionality for both of them.

I have looked all over google and forum and there are some ways to do this, but I have read and see some changes the last couple of weeks should make it easy to do this in the latest snapshot versions of the code and despite there are several posts talking about this, I can't find anywhere a clear way to do this.

First of all, as this bug is complete SEC-1171 we can now have multiple namespace elements to support multiple filter chain configurations.

Secondly, as this other bug shows SEC-1847 we are now able to select a custom authentication manager for each http tag.

The problem is that I have downloaded, compiled and everything but my xsd doesn't allow me to create a custom auth manager for each http tag, I also get errors whenever I try to change the login processing url or whenever I try to use a remember me key for each login form.

I started doing something like this:

Code:

<!-- Configure realm for administration users -->
<http pattern="/admin/**" auto-config="true" disable-url-rewriting="true" >
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <form-login login-page="/adminLogin.htm" default-target-url="/" 
                login-processing-url="/loginProcessing" 
                authentication-failure-url="/adminLogin.htm?error" />
    <logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<remember-me key="******" user-service-ref="userDetailsService" />
</http>

<!-- Configure realm for standard users -->
<http auto-config="true" disable-url-rewriting="true">
    <intercept-url pattern="/user/**" access="ROLE_USER" />
    <form-login login-page="/login.htm" default-target-url="/" 
                login-processing-url="/loginProcessing" 
                authentication-failure-url="/login.htm?error" />
    <logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<remember-me key="******" user-service-ref="userDetailsService" />
</http>

<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService"  >
    <password-encoder ref="passwordEncoder"/>
</authentication-provider>

<authentication-provider>
    <password-encoder ref="passwordEncoder"/>
    <user-service>
                <user name="ned" password="****" authorities="ROLE_USER" />
            <user name="tom" password="****" authorities="ROLE_ADMIN"/>
    </user-service>
</authentication-provider>
</authentication-manager>

I am using the latest snapshot of Spring Security 3.1.

As I said the ideal would be to be able to create a new authenticationManager and have each http block use one of them. From what I read I should be able to do it.
Also I guess I should have the login-processing-url different between both of them but when I change it and try to access the one I changed I can't. What about remember me? Is it possible in a scenario like this?

Anybody has worked with this or has any idea?

Thanks in advance.

[Rob Winch]

The schema has not been published since these updates (keep in mind this is a snapshot). In the meantime if you want to play around with these features replace the schema location with a reference to the latest schema (i.e. http://git.springsource.org/spring-s...curity-3.1.xsd).

[tunilopez]

Nice, that was one thing that I was not sure of. If the schema was loaded from inside a jar (the snapshot jar would have brought the new schema), or if I was using an "old" one.
I will try to use an authentication manager with the new xsd now. Lets see what happens . Thanks.

[Rob Winch]

Nice, that was one thing that I was not sure of. If the schema was loaded from inside a jar (the snapshot jar would have brought the new schema), or if I was using an "old" one.
I will try to use an authentication manager with the new xsd now. Lets see what happens . Thanks.

In the event it is not obvious, the URL the schema is loaded from comes from your xml declaration (just as it would in any XML document). So the following

Code:

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

Would change to

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://git.springsource.org/spring-security/spring-security/blobs/raw/master/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

[tunilopez]

Got it. Thank you. When I get home I will test this.

What about the problem I had when having two <form-logins> each one with a different login-processing-url.
I think that this should be possible, right? Because whenever I changed one of them I was getting a Warning with "not-found".

Do you know?