Results 1 to 5 of 5

Thread: Configuring multiple authentication managers

Hybrid View

  1. Jan 11th, 2013, 05:51 PM #1
    jordanbaucke
    jordanbaucke is offline Junior Member
    Join Date
    Jan 2013
    Posts
    3

    Default Configuring multiple authentication managers

    I have the following configurations in my spring-security.xml

    They both work independently of each other, but not at the same time.

    I've reviewed this thread and it seems to indicate I can use two authentication-manager tags by separating them by an Id attribute.

    However, I believe my original configuration (which came from a archetype project) overrides the default manager (because it doesn't have an Id), but after I implement my second one, I get an exception when I attempt to use the first:

    org.springframework.web.util.NestedServletExceptio n: Request processing failed; nested exception is org.springframework.security.authentication.Authen ticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    With that in mind, what I can I do here so I can use my custom token authentication filter for the /api/** endpoint, while still authenticating the rest of the application with the standard authentication manager, and sharing the user service between them!

    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

	<security:global-method-security
		secured-annotations="enabled" />

	<security:http pattern="/" authentication-manager-ref="defaultSecurityManager"
		auto-config="true" disable-url-rewriting="true" use-expressions="true">
		<security:logout logout-url="/logout" />
		<security:intercept-url pattern="/" access="permitAll" />
		<security:intercept-url pattern="/**"
			access="isAuthenticated()" />
	</security:http>

	<security:http pattern="/api/**"
		authentication-manager-ref="authenticationManager" realm="Protected API"
		use-expressions="true" auto-config="false" create-session="stateless"
		entry-point-ref="CustomAuthenticationEntryPoint">
		<security:custom-filter ref="authenticationTokenProcessingFilter"
			position="FORM_LOGIN_FILTER" />
		<security:intercept-url pattern="/api/authenticate"
			access="permitAll" />
		<security:intercept-url pattern="/api/**"
			access="isAuthenticated()" />
	</security:http>

	<bean id="CustomAuthenticationEntryPoint" class="foo.api.CustomAuthenticationEntryPoint" />

	<bean class="foo.api.AuthenticationTokenProcessingFilter" id="authenticationTokenProcessingFilter">
		<constructor-arg ref="authenticationManager" />
	</bean>

	<security:authentication-manager
		erase-credentials="true" id="defaultSecurityManager">
		<security:authentication-provider
			user-service-ref="userService" />
	</security:authentication-manager>

	<security:authentication-manager
		erase-credentials="true" id="authenticationManager">
		<security:authentication-provider
			user-service-ref="userService" />
	</security:authentication-manager>
</beans>
    Last edited by jordanbaucke; Jan 22nd, 2013 at 02:38 PM.
    Reply With Quote Reply With Quote
  2. Jan 22nd, 2013, 08:41 AM #2
    bojon
    bojon is offline Junior Member
    Join Date
    Aug 2009
    Posts
    2

    Default

    First, I think you have to define a unique id for each of your authentication manager. Then, refer to the corresponding authentication manager that you want to use for a specif http element like this:

    <security:http pattern="/api/**" authentication-manager-ref="authManagerA" .... >
    <security:http pattern="/" authentication-manager-ref="authManagerB" .... >
    Reply With Quote Reply With Quote
  3. Jan 22nd, 2013, 02:39 PM #3
    jordanbaucke
    jordanbaucke is offline Junior Member
    Join Date
    Jan 2013
    Posts
    3

    Default

    Quote Originally Posted by bojon View Post
    First, I think you have to define a unique id for each of your authentication manager. Then, refer to the corresponding authentication manager that you want to use for a specif http element like this:

    <security:http pattern="/api/**" authentication-manager-ref="authManagerA" .... >
    <security:http pattern="/" authentication-manager-ref="authManagerB" .... >
    Ok, I've updated my configuration (See original post)- no change in the results, the default security filter still doesn't work. Same error message.
    Reply With Quote Reply With Quote
  4. Jan 23rd, 2013, 08:43 AM #4
    bojon
    bojon is offline Junior Member
    Join Date
    Aug 2009
    Posts
    2

    Default

    Just noticed something seems to be wrong with the pattern="/"? Should it be pattern="/**" instead?
    Reply With Quote Reply With Quote
  5. Jan 25th, 2013, 10:02 AM #5
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,833

    Default

    If you want to match on everything it should be /**. However, you will need to ensure that the <http pattern="/**" is last since each <http> element is considered in order. Placing /** first will produce an error since /api/** will never be reached.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules