CODEWITHSUNDEEP
springjspurlspring-security
Dulanga Sashika
Dulanga Sashika

Reputation: 173

j_spring_security_check not invoke when use specific url pattern in http element

I'm trying to implement two security realms using spring security. I am using Spring security 3.1.4 RELEASE and Spring 3.2.0 RELEASE. In my web application there are two users and they should be authenticate separately. Therefore I tried to use multiple http elements to filter url pattern and redirect to corresponding login page.

Here is my Spring-security.xml.

<beans:beans xmlns="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd" xmlns:beans="http://www.springframework.org/schema/beans">

 <security:http pattern="/admin/**" auto-config="true" use-expressions="true">
    <security:form-login login-page="/admin/login" default-target-url="/admin/dashboard"
                         authentication-failure-url="/admin/loginfailed"/>
    <security:logout logout-success-url="/admin/logout"/>

    <security:intercept-url pattern="/admin/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/admin/login" access="permitAll"/>

    <security:intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>

 </security:http>

 <security:http pattern="/customer/**" auto-config="true" use-expressions="true">
    <security:form-login login-page="/customer/login" default-target-url="/customer/reports"
                         authentication-failure-url="/customer/loginfailed"/>
    <security:logout logout-success-url="/customer/logout"/>
    <security:intercept-url pattern="/customer/j_spring_security_check" access="permitAll"/>
    <security:intercept-url pattern="/customer/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/customer/login" access="permitAll"/>

    <security:intercept-url pattern="/customer/*" access="hasRole('ROLE_ADMIN')"/>

</security:http>


<beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
    <beans:property name="jndiName">
        <beans:value>java:/myDS</beans:value>
    </beans:property>
</beans:bean>

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource"
                                    users-by-username-query="SELECT login_name AS username, password, 1 AS enabled
                                        FROM tbl_user WHERE login_name=?"
                                    authorities-by-username-query="SELECT login_name , CASE role_id WHEN 2 THEN 'ROLE_USER' WHEN 1 THEN 'ROLE_ADMIN'ELSE '' END AS authority
            FROM tbl_user WHERE login_name=?"

                />
    </security:authentication-provider>
</security:authentication-manager>

</beans:beans>

Here is my web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Here is my login.jsp

enter code here
<c:url value="/j_spring_security_check" var="url" />
<form c role="form" action="${url}" method='POST'>
       <div>
           <label>Email</label>

            <div >
               <input type="email"  name="j_username" id="inputEmail3"
                               placeholder="Email">
            </div>
        </div>
        <div >
            <labe>Password</label>

             <div>
                  <input type="password"  name="j_password" id="inputPassword3"
                               placeholder="Password">
             </div>
         </div>

          <div class="form-group">
              <div>
                  <button type="submit">Sign in</button>
              </div>
          </div>
</form>

When I remove the url patterns in the http elements, it's perfectly works. Actually I can't remove both url patterns. I tried by removing "/customer/**" and it works for customer login. But when url pattern is present, j_spring_security_check 404 not fount error occurred.

According to the spring security documentation, we can add multiple http elements with different url patterns.

Please help me to find a solution for this.

Upvotes: 1

Views: 3618

Answers (1)

M. Deinum
M. Deinum

Reputation: 125232

You can add as many http elements as you want, BUT you will also have to change the login-url accordingly. Currently you haven't changed anything leaving the default /j_spring_security_check in place. Whereas you want a /admin/j_spring_security_check and /customer/j_spring_security_check.

To enable this you will need to configure the login-processing-url on the <form-login /> element, just like you specified the login-page attributes. Do this for each http element.

<security:form-login login-page="/admin/login" login-processing-url="/admin/j_spring_security_check" default-target-url="/admin/dashboard" authentication-failure-url="/admin/loginfailed" />

Upvotes: 2

Related Questions