Have two auth-method for a web application

[blured75]

Hi,

I'm trying to put 2 auth-method using spring security on a web-application. Indeed, I'd like that the servlet A to be authentified using BASIC auth and servlet B using FORM auth.

I try to do this kind of thing in the applicationContext.xml file :

Code:

    <http use-expressions="true">
        <intercept-url pattern="/A" access="user"/>
	<http-basic/>
    </http>

    <http use-expressions="true">
	    <intercept-url pattern="/B" access="user"/>
            <form-login />	
    </http>
...

However when I start tomcat I've got the error

Code:

16:22:13.202 [localhost-startStop-1] ERROR o.s.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Invocation of init metho
d failed; nested exception is java.lang.IllegalArgumentException: A universal match pattern ('/**') is defined  before other patterns in the filter chain, causi
ng them to be ignored. Please check the ordering in your <security:http> namespace or FilterChainProxy bean configuration
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1422) ~[spring-be
ans-3.0.7.RELEASE.jar:3.0.7.RELEASE]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:518) ~[spring-beans
-3.0.7.RELEASE.jar:3.0.7.RELEASE]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:455) ~[spring-beans-3
.0.7.RELEASE.jar:3.0.7.RELEASE]
        at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293) ~[spring-beans-3.0.7.RELEASE.jar:3.0.7.RELEAS
E]

Do you know if what I'm trying to do is ok with Spring or should I put the differents servlet in differents WAR files ?

Regards,
Blured.

[corassick]

Try to copy your url patterns from <intercept-url> tags up to <http> tags. In both cases or at least in the first one.
Then it'll look like:

Code:

    <http pattern="/A" use-expressions="true">
        <intercept-url pattern="/A" access="user"/>
	<http-basic/>
    </http>

    <http pattern="/B" use-expressions="true">
	    <intercept-url pattern="/B" access="user"/>
            <form-login />	
    </http>

As you can see in your logs: "A universal match pattern ('/**') is defined before other patterns in the filter chain". That's because you didn't set any pattern in the first <http> tag, so it means the default pattern "/**". Then, every single request will match the first pattern ( for A servlet ) and the second one will always be ignored.
In my opinion that is the problem here.

[blured75]

Thanks a lot for this info