Multiple Entry Points

[wil2009]

Hi sdavis

I've the exact requirements as yours. Thank you very much for your code snippet!

But how is the second login page "/area2/index.jsp" specified through your code ?

Thank you very much in advance!

[marcKun]

You can't have multiple <form-login> elements in the same configuration so I would recommend replacing this with a customized AuthenticationProcessingFilter and AuthenticationProcessingFilterEntry point instead. The entry point could dynamically determine the login page as you see fit.

Hello Sir,

I wud just lyk to ask some assistance, as i cant get my config to work. How would I configure my application to have multiple AuthenticationProcessingFilter and AuthenticationProcessingFilterEntry point. I tried looking for some docs for spring security, but i cnt find some (i cant locate the previous docs, it always gives me a 404 not found error).
I have 2 login pages: /jsp/Guest.do and /jsp/subaccount/SubaccountIndex.do. Both login forms allow a certain roles to be logged in. . And the resources are also grouped, according to the roles. I have created custom authentication manager for this. my first login page works just fine (/jsp/Guest.do), it only allows a certain user to be logged in. but my second login page (/jsp/subaccount/SubaccountIndex.do) does not work, since everytym i submit the form, it always gives me a 404 Not Found error. Can you please pinpoint where my mistakes are? Thank you very much for the assistance.

Here's my config for security.xml:

PHP Code:

      
    <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain filters="none" pattern="/jsp/subaccount/SubaccountIndex.do"/>
            <security:filter-chain filters="none" pattern="/jsp/subaccount/GetCaptchaImage.do"/>
            <security:filter-chain filters="none" pattern="/jsp/subaccount/j_spring_security_check"/>
            <security:filter-chain filters="none" pattern="/jsp/subaccount/j_spring_security_logout"/>
            <security:filter-chain pattern="/jsp/subaccount/**" 
                filters="httpSessionContextIntegrationFilter, subaccountLogoutFilter,
                subaccountAuthenticationProcessingFilter, securityContextHolderAwareRequestFilter,
                subaccountExceptionTranslationFilter, sessionFixationProtectionFilter,
                subaccountFilterSecurityInterceptor" />
            <security:filter-chain pattern="/jsp/**" 
                filters="httpSessionContextIntegrationFilter, logoutFilter, 
                customerAuthenticationProcessingFilter, securityContextHolderAwareRequestFilter, 
                customerExceptionTranslationFilter, sessionFixationProtectionFilter, 
                customerFilterSecurityInterceptor"/>
        </security:filter-chain-map>
    </bean>

    <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
        <property name="allowSessionCreation" value="true" />
        <property name="forceEagerSessionCreation" value="false" />
        <property name="contextClass" value="org.springframework.security.context.SecurityContextImpl" />
    </bean>
    
    <bean id="customerAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <property name="invalidateSessionOnSuccessfulAuthentication" value="true" />
        <property name="authenticationManager" ref="customerAuthenticationManager" />
        <property name="authenticationFailureUrl" value="/jsp/Guest.do?error=2" />
        <property name="defaultTargetUrl" value="/jsp/customer/Home.do" />
        <property name="filterProcessesUrl" value="/jsp/j_spring_security_check" />
    </bean>
    
    <bean id="subaccountAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <property name="invalidateSessionOnSuccessfulAuthentication" value="true" />
        <property name="authenticationManager" ref="subaccountAuthenticationManager" />
        <property name="authenticationFailureUrl" value="/jsp/subaccount/SubAccountIndex.do?error=2" />
        <property name="defaultTargetUrl" value="/jsp/subaccount/SubAccountHome.do" />
        <property name="filterProcessesUrl" value="/jsp/subaccount/j_spring_security_check" />
    </bean>
    
    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />
    
    <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
        <constructor-arg value="/jsp/Guest.do" />
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/jsp/j_spring_security_logout" />
    </bean>
    
    <bean id="subaccountLogoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
        <constructor-arg value="/jsp/subaccount/SubAccountIndex.do" />
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/jsp/subaccount/j_spring_security_logout" />
    </bean>
    
    <bean id="customerExceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/jsp/Guest.do" />
                <property name="forceHttps" value="false" />
            </bean>
        </property>
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>
    
    <bean id="subaccountExceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/jsp/subaccount/SubAccountIndex.do"/>
                <property name="forceHttps" value="false" />
            </bean>
        </property>
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>
    
    <bean id="accessDeniedHandler" class="org.springframework.security.ui.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/403.jsp"/>
    </bean>
    
    <bean id="sessionFixationProtectionFilter" class="org.springframework.security.ui.SessionFixationProtectionFilter" />
    
    <bean id="customerFilterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
        <property name="authenticationManager" ref="customerAuthenticationManager" />
        <property name="objectDefinitionSource">
            <security:filter-invocation-definition-source>
                <security:intercept-url pattern="/jsp/*.jsp" access="_NO_ACCESS_" />
                <security:intercept-url pattern="/jsp/customer/*.jsp" access="_NO_ACCESS_"/>
                <security:intercept-url pattern="/jsp/customer/**" access="CUSTOMERS" />
                <security:intercept-url pattern="/jsp/partner/*.jsp" access="_NO_ACCESS_"/>
                <security:intercept-url pattern="/jsp/partner/**" access="PARTNERS" />
            </security:filter-invocation-definition-source>
        </property>
    </bean>
    
    <bean id="subaccountFilterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
        <property name="authenticationManager" ref="subaccountAuthenticationManager" />
        <property name="objectDefinitionSource">
            <security:filter-invocation-definition-source>
                <security:intercept-url pattern="/jsp/subaccount/*.jsp" access="_NO_ACCESS_"/>
                <security:intercept-url pattern="/jsp/subaccount/*.do" access="SUBACCOUNT"/>
            </security:filter-invocation-definition-source>
        </property>
    </bean>

    <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.vote.AuthenticatedVoter" />
                <bean class="org.springframework.security.vote.RoleVoter">
                    <property name="rolePrefix" value="" />
                </bean>
            </list>
        </property>
    </bean>
    
    <bean id="customerAuthenticationManager" class="crown.security.CustomerAuthenticationManager">
        <property name="customersService" ref="myService"/>
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>
    
    <bean id="subaccountAuthenticationManager" class="crown.security.SubaccountAuthenticationManager">
        <property name="customersService" ref="myService" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>
    
    <bean id="anonymousAuthentciationProvider" class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
        <property name="key" value="doesNotMatter" />
    </bean>
    
    <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key" value="SpringSecured" />
    </bean>
    
    <bean id="authenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
        <property name="hideUserNotFoundExceptions" value="false" />
        <property name="userDetailsService" ref="customersDao" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>
</beans> 


and in my web.xml, i have these:

PHP Code:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter> 
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping> 


[patniemeyer]

<authentication-manager alias='authenticationManagerAlias'/>

<beans:bean id="area2AuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.Auth enticationProcessingFilter">

<beans: property name="filterProcessesUrl" value="/area2/j_spring_security_check_area2" />
<beans: property name="defaultTargetUrl" value="/area2/secure/index.jsp"/>
<beans: property name="authenticationFailureUrl" value="/area2/index.jsp?login_error=1"/>
<beans: property name="authenticationManager" ref="authenticationManagerAlias"/>
<custom-filter after="AUTHENTICATION_PROCESSING_FILTER" />

</beans:bean>

<http>
[INDENT] <form-login login-processing-url="/area1/j_spring_security_check_area1" login-page="/area1/index.jsp" authentication-failure-url="/area1/index.jsp?login_error=1" default-target-url="/area1/secure/index.jsp" />

<intercept-url pattern="/area1/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
<intercept-url pattern="/area2/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

<anonymous />
<logout />
<remember-me key="myUniqueKey" user-service-ref="myUserDetailsService" />
</http>

For the sake of symmetry you can also declare two AuthenticationProcessingFilter beans (one for each area) and then neuter the one in the declarative http section like this:

<security:form-login login-processing-url="/NONE"/>

If you don't have a form-login at all it doesn't work. The only tricky part was that you can't have two filters at the same position so after="xxx" only works once. I resorted to using after and before for the two filter positions... but if I had three I guess I'd have to find a better solution.

This all seems way too hard... I think we should fix this... the http should allow multiple form-login elements.


Pat

[springing]

Does anybody know if this feature is on the roadmap ?
I would also need multiple authentification inside my app.