Spring Security 3.2.1 Multiple login forms with distinct WebSecurityConfigurerAdapters

Question

I\'m using Spring Security 3.2.1.RELEASE with Spring MVC 4.0.4.RELEASE

I\'m trying to setup Spring Security for a web application that will have two distinct login

Answer 1

The component of the spring login chain that redirects to a login page is the authentication filter, and the filter that get's plugged in when using http.formLogin() is DefaultLoginPageGeneratingFilter.

This filter either redirects to the login url or builds a default basic login page, if no login page url is provided.

What you need then is a custom authentication filter with the logic to define which login page is needed, and then plug it in the spring security chain in place of the single page authentication filter.

Consider creating a TwoPageLoginAuthenticationFilter by subclassing DefaultLoginPageGeneratingFilter and overriding getLoginPageUrl(), and if that is not sufficient then copy the code and modify it to meet your needs.

This filter is a GenericFilterBean, so you can declare it like this:

@Bean
public Filter twoPageLoginAuthenticationFilter() {
    return new TwoPageLoginAuthenticationFilter();
}

then try building only one http configuration and don't set formLogin(), but instead do:

http.addFilterBefore(twoPageLoginAuthenticationFilter, ConcurrentSessionFilter.class);

and this will plug the two form authentication filter in the right place in the chain.