
With my team, we have written a Spring application plus a SAPUI5 portal using Spring Boot. The web application is divided into three separate locations, for example:

webapp:
  - app1
  - app2
  - app3

To get access to those applications, we implemented a login page. Based on the user's role, we redirect users to the exact app.

My Spring Security configuration looks like:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // static resources of app1 and the registration page are public
                .antMatchers("/app1/**/*.*")
                .permitAll()
                .antMatchers("/register.html")
                .permitAll()
                // app2 requires the USER role
                .antMatchers("/app2/*.*")
                .hasRole("USER")
                // login page, SOAP endpoint and post-login redirect
                .antMatchers("/login*")
                .permitAll()
                .antMatchers("/soap/*")
                .permitAll()
                .antMatchers("/postLogin")
                .authenticated()
                // app3 requires the ADMIN role
                .antMatchers("/app3/*")
                .hasRole("ADMIN")
                // everything else needs an authenticated session
                .anyRequest()
                .authenticated()
                // log in
                .and()
                .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error=loginError")
                .defaultSuccessUrl("/postLogin")
                // logout
                .and().logout().logoutUrl("/**/logout")
                .logoutSuccessUrl("/login").deleteCookies("JSESSIONID").and()
                // CSRF protection is switched off in this configuration
                .csrf()
                .disable();
    }

And of course we have a class with redirections. Now we must provide a different login page for each app. I tried to configure Spring Security to accept multiple login forms on different pages, but it doesn't work. Is it possible? I read the documentation, but it is inconclusive.

fap
Hubert

1 Answer


You should be able to do this by configuring multiple HttpSecurity objects using different instances. It is similar to this question and the Spring Security documentation here. Basically you define multiple static classes in your configuration class that extend WebSecurityConfigurerAdapter. I am using this myself to configure different types of auth (form/basic) based on the URLs and did a quick test to confirm it. I believe something like this in your example (if I am reading your intent correctly):

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Chain 1, highest precedence. It has to be scoped with requestMatchers():
    // an unscoped chain that ends in anyRequest().authenticated() matches every
    // request, so the second chain (and its /login2 page) would never be reached.
    @Configuration
    @Order(1)
    public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                    .antMatchers("/app1/**", "/login", "/register.html", "/postLogin")
                    .and()
                    .authorizeRequests()
                    .antMatchers("/app1/**/*.*")
                    .permitAll()
                    .antMatchers("/register.html")
                    .permitAll()
                    .anyRequest()
                    .authenticated()
                    // log in (permitAll exposes the login page itself)
                    .and()
                    .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .failureUrl("/login?error=loginError")
                    .defaultSuccessUrl("/postLogin")
                    // logout
                    .and().logout().logoutUrl("/**/logout")
                    .logoutSuccessUrl("/login").deleteCookies("JSESSIONID").and()
                    .csrf()
                    .disable();
        }
    }

    // Chain 2, default (lowest) precedence: handles every request chain 1 did not claim.
    @Configuration
    public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .antMatchers("/app2/*.*")
                    .hasRole("USER")
                    // anything else reaching this chain still needs a login
                    .anyRequest()
                    .authenticated()
                    // log in
                    .and()
                    .formLogin()
                    .loginPage("/login2")
                    .permitAll()
                    .failureUrl("/login2?error=loginError")
                    .defaultSuccessUrl("/postLogin")
                    // logout
                    .and().logout().logoutUrl("/**/logout")
                    .logoutSuccessUrl("/login2").deleteCookies("JSESSIONID").and()
                    .csrf()
                    .disable();
        }
    }
}

Note that these are not really different application instances, so you won't be redirected to a login if you authenticate as a certain user and then go to an area where you are not authorized.

Rob Baily
  • This does not work for me. The class with the highest order does not display the login page. Using Spring Boot 1.4.0 – ropo Sep 19 '16 at 14:32
  • @ropo it is probably best if you create a new question for this with your details, as they may be different than what the original user had. You would also need to be more specific about what is happening, as the way you worded it here is not very clear. – Rob Baily Sep 19 '16 at 16:06
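The quickest way to see which filter chain actually answers a request, and therefore which login page an anonymous user is sent to, is a MockMvc test against the running security configuration. The following is an added example written for this page, not code from the answer or from the asker's project. It assumes the two configurer adapters from the answer are on the application context, that spring-security-test is on the test classpath, and that `/app1/secret` and `/app2/index.html` are merely sample paths (they do not have to exist, because only the redirect behaviour is asserted).

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example: verifies the chain routing of the two-adapter configuration.
// Sample paths /app1/secret and /app2/index.html are assumptions for illustration.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class MultiLoginPageRoutingTest {

    @Autowired
    private MockMvc mockMvc;

    // A protected app1 URL (no file extension, so not covered by permitAll)
    // must be answered by chain 1 and sent to its login page.
    @Test
    public void anonymousApp1RequestGoesToFirstLoginPage() throws Exception {
        mockMvc.perform(get("/app1/secret"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrl("http://localhost/login"));
    }

    // An app2 URL is not claimed by chain 1, so chain 2 handles it and
    // redirects to /login2. If this assertion fails and you land on /login,
    // the first chain is unscoped and is swallowing every request.
    @Test
    public void anonymousApp2RequestGoesToSecondLoginPage() throws Exception {
        mockMvc.perform(get("/app2/index.html"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrl("http://localhost/login2"));
    }

    // A user holding ROLE_USER is authorized for app2: no login redirect.
    @Test
    @WithMockUser(roles = "USER")
    public void userRoleIsNotRedirectedOnApp2() throws Exception {
        mockMvc.perform(get("/app2/index.html"))
               .andExpect(header().doesNotExist("Location"));
    }

    // The session is shared between the chains, so a user who logged in via
    // /login2 is also "authenticated" for chain 1's anyRequest() rule.
    @Test
    @WithMockUser(roles = "USER")
    public void authenticatedUserIsNotRedirectedOnApp1() throws Exception {
        mockMvc.perform(get("/app1/secret"))
               .andExpect(header().doesNotExist("Location"));
    }
}
```

The last test also illustrates the caveat in the answer: because both chains read the same HttpSession, authenticating on one login page satisfies the other chain's authenticated() rule, so role checks (hasRole) rather than mere authentication are what keep the areas apart.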