Christian Rudolph

Reputation: 1235

How can I configure spring security for multiple servlets?

I would like to use spring security in a spring mvc application that consists of two modules -- a "frontend" and a management module. Both modules have their own dispatcher servlet (with different mappings) so they do have their own web context, but share the same root context.

The management module has its own authentication database and users should be able to log into the "frontend" and management module simultaneously with different credentials. Therefore I implemented two different UserDetailsServices.

I need two different AuthenticationManagers where both are responsible for different URLs, corresponding to the servlets' mappings.

How can I configure such a setup? Is it possible using Java config?

Edit: until now I have the following configuration, which allows me to authorize users for the management module. The "frontend" module's authentication / authorization using the autowired frontendUserDetailsService is still missing.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private PasswordEncoder passwordEncoder;

    // Injected, but not yet wired into any authentication manager or filter chain.
    @Autowired
    @Qualifier("frontend")
    private UserDetailsService frontendUserDetailsService;

    @Autowired
    @Qualifier("management")
    private UserDetailsService managementUserDetailsService;

    // Only the management user store is registered with this adapter's
    // (local) AuthenticationManager.
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(managementUserDetailsService)
                .passwordEncoder(passwordEncoder);
    }

    // Expose the management AuthenticationManager as a qualified bean.
    @Bean
    @Qualifier("management")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // This filter chain only applies to the management servlet's mapping.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/manage/**")
            .authorizeRequests()
                .anyRequest()
                .hasRole("ADMIN")
                .and()
            .formLogin();
    }
}

Upvotes: 7

Views: 5677

Answers (1)

M. Deinum

Reputation: 124516

You should create a configuration that does a couple of things:

  1. Enable the security
  2. Enable security for the frontend
  3. Enable security for the backend

Basically those are 3 different parts of configuration which all require their respective @Configuration class.

Something like the following should work.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;

// 1. Enable the security (once, on the outer class).
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig {

    // 2. Security for the frontend: its own AuthenticationManager and its own
    //    filter chain, scoped to the frontend servlet's mapping.
    @Configuration
    @Order(1)
    public static class FrontEndSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        private PasswordEncoder passwordEncoder;

        @Autowired
        @Qualifier("frontend")
        private UserDetailsService frontendUserDetailsService;

        // Overriding this method gives the adapter a local AuthenticationManager
        // backed only by the frontend user store.
        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(frontendUserDetailsService)
                    .passwordEncoder(passwordEncoder);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/frontend/**")
                .authorizeRequests()
                    .anyRequest()
                    .hasRole("USER")
                    .and()
                .formLogin();
        }
    }

    // 3. Security for the backend: a second adapter with a distinct @Order
    //    (two adapters with the same order are rejected at startup).
    @Configuration
    @Order(2)
    public static class BackendSecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Autowired
        private PasswordEncoder passwordEncoder;

        @Autowired
        @Qualifier("management")
        private UserDetailsService managementUserDetailsService;

        // Local AuthenticationManager backed only by the management user store.
        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(managementUserDetailsService)
                    .passwordEncoder(passwordEncoder);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/manage/**")
                .authorizeRequests()
                    .anyRequest()
                    .hasRole("ADMIN")
                    .and()
                .formLogin();
        }
    }
}

You probably need to tune the

Upvotes: 7
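Both configurations on this page autowire a @Qualifier("frontend") and a @Qualifier("management") UserDetailsService plus a PasswordEncoder but never show where those beans come from; the following is an added companion configuration (not from the question or the answer) that defines them with separate in-memory stores. The class name, bean method names, usernames and passwords are constructed sample values standing in for the two real authentication databases.

```java
import java.util.Collections;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Hypothetical companion configuration: supplies the two qualified user stores
// and the shared PasswordEncoder that both WebSecurityConfigurerAdapters inject.
@Configuration
public class UserStoresConfig {

    // One encoder shared by both stores: same hash format, separate credential sets.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Accounts that may log in on /frontend/**. None of them carries ROLE_ADMIN,
    // so a frontend login can never satisfy the management chain's hasRole("ADMIN").
    @Bean
    @Qualifier("frontend")
    public UserDetailsService frontendUserDetailsService(PasswordEncoder encoder) {
        UserDetails alice = new User("alice",
                encoder.encode("frontend-sample-pw"),          // constructed sample credential
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new InMemoryUserDetailsManager(Collections.singletonList(alice));
    }

    // Accounts that may log in on /manage/**, held in a separate store: the same
    // username here is a different principal with a different password and role.
    @Bean
    @Qualifier("management")
    public UserDetailsService managementUserDetailsService(PasswordEncoder encoder) {
        UserDetails alice = new User("alice",
                encoder.encode("management-sample-pw"),        // constructed sample credential
                AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        return new InMemoryUserDetailsManager(Collections.singletonList(alice));
    }
}
```

Because both adapters are scoped with antMatcher, a request outside /frontend/** and /manage/** passes through neither filter chain and is not secured at all. If such paths exist, add a third adapter without antMatcher and with a higher @Order value so it acts as the catch-all.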
