michalv82

Reputation: 1979

spring security - multiple authentications for different URL patterns

my application currently has one authentication defined for a specific URL, with a custom filter, where the user is authenticated by extracting the user details from the URL (in the query string). This is working fine. Now I want to add a new authentication using an identity certificate for a different URL pattern (the authentication is completely different from the first one, it has a different user details service etc). I saw there's already support for x509 cert authentication in spring security. I want to understand what is the best configuration I should do considering the following:

  1. I want users accessing the different URL patterns to be authenticated by the relevant authentication, and not try first with one authentication and if that fails then try the other one. This is why I think I may need 2 different authentication managers?
  2. My application must be in HTTPS for all URLs
  3. I need to configure tomcat in a way where client authentication is required only for the specific URL pattern, not to all the application.

Here is what I have so far for the first authentication, any help would be appreciated:

security-applicationContext.xml:

<sec:http pattern="/urlAuth1" auto-config="false" entry-point-ref="url1EntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https" />
    <sec:custom-filter position="PRE_AUTH_FILTER" ref="urlPreAuthFilter"/>
</sec:http>
<bean id="urlPreAuthFilter" class="com.myapp.security.UrlPreAuthenticatedFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="urlPreAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService" ref="urlUserDetailsService" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="urlPreAuthProvider" />
</sec:authentication-manager>

Thanks!

EDIT - 30.01.13:

I added the following section to my security context.xml. When I debug my app when accessing both URL patterns, I see that for the first URL pattern (/urlAuth1) the getProviders() in the authenticationManager returns just one provider which is the urlPreAuthProvider, and for the second URL pattern (/certAuthTest) it returns two providers - the anonymous and pre-authenticated providers, which I guess are registered by default. For me this is OK since it means each pattern goes through the correct providers. I want to make sure I am not missing anything; does it seem right to you?

<sec:http pattern="/certAuthTest" auto-config="false">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https" />
    <sec:x509 subject-principal-regex="CN=(.*?)," user-service-ref="certUserDetailsService"/>
</sec:http>

Regarding the web.xml configuration for clientAuth, I'll do some more reading and see if this works. Thanks!

Upvotes: 2

Views: 3047

Answers (1)

Shaun the Sheep

Reputation: 22762

You can declare separate authentication manager beans for each URL pattern you want and then assign them to the individual filter chains using the authentication-manager-ref attribute on the <http /> element.

<http pattern="/someapi/**"  authentication-manager-ref="someapiAuthMgr">
    ...
</http>

You can use the standard ProviderManager bean for the individual authentication managers.

To enforce HTTPS for all requests, you can use standard web.xml settings.

Client certificate authentication takes place when the SSL connection is established. So you either have it or you don't. Investigate the clientAuth Tomcat connector setting. You can set it to "want" to ask for a client certificate but not require one for the SSL connection to succeed.

Upvotes: 3
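The answer's three points put together as one added example (not the asker's or the answerer's configuration): it assumes the Spring Security 3.1 XML namespace and a Tomcat JSSE connector, and the bean ids urlAuthMgr, certAuthMgr and certPreAuthProvider, the keystore paths and the passwords are made up for illustration.

```xml
<!-- security-applicationContext.xml: one filter chain per URL pattern, each with its own manager -->
<sec:http pattern="/urlAuth1" auto-config="false" entry-point-ref="url1EntryPoint"
          authentication-manager-ref="urlAuthMgr">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
    <sec:custom-filter position="PRE_AUTH_FILTER" ref="urlPreAuthFilter"/>
</sec:http>
<sec:http pattern="/certAuthTest" auto-config="false" authentication-manager-ref="certAuthMgr">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" requires-channel="https"/>
    <!-- x509 adds a pre-auth provider to this chain's own ProviderManager (parent: certAuthMgr);
         a request without a valid client cert is rejected here and never reaches urlAuthMgr -->
    <sec:x509 subject-principal-regex="CN=(.*?)," user-service-ref="certUserDetailsService"/>
</sec:http>

<!-- query-string chain: plain ProviderManager holding only the URL pre-auth provider -->
<bean id="urlAuthMgr" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg><list><ref bean="urlPreAuthProvider"/></list></constructor-arg>
</bean>
<bean id="urlPreAuthFilter" class="com.myapp.security.UrlPreAuthenticatedFilter">
    <property name="authenticationManager" ref="urlAuthMgr"/>
</bean>
<bean id="urlPreAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService" ref="urlUserDetailsService"/>
</bean>

<!-- certificate chain: a separate manager whose provider is backed only by certUserDetailsService -->
<bean id="certAuthMgr" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg><list><ref bean="certPreAuthProvider"/></list></constructor-arg>
</bean>
<bean id="certPreAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="certUserDetailsService"/>
        </bean>
    </property>
</bean>

<!-- web.xml: force HTTPS for every URL -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>

<!-- server.xml: clientAuth="want" asks for a certificate on the TLS handshake but does not require
     one, so /urlAuth1 works without a cert while /certAuthTest enforces it inside Spring Security -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS" keystoreFile="conf/server.jks" keystorePass="CHANGEME"
           truststoreFile="conf/clientca.jks" truststorePass="CHANGEME"/>
```

The truststore must contain only the CA(s) allowed to issue client certificates, since the connector accepts any certificate chaining to it before Spring's subject-principal-regex lookup runs.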
