Spring boot and spring security multiple login pages

无人共我 2021-01-16 08:36
    @EnableWebSecurity
    public class MultiHttpSecurityConfig {

        @Configuration
        @Order(1)
        public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter

2 answers
  •  佛祖请我去吃肉
    2021-01-16 09:30

    I reckon that the reason why your admin login is not activating is because: first, it is NOT higher in priority.

    @Order defines the sort order for an annotated component. The value is optional and represents an order value as defined in the Ordered interface. Lower values have higher priority. The default value is Ordered.LOWEST_PRECEDENCE, indicating lowest priority (losing to any other specified order value).

    Second, according to HttpSecurity's Javadoc:

    A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

    So try restricting the HttpSecurity object to activate for your admin pages by first configuring the requestMatcher such that:

        http
          .requestMatcher(new AntPathRequestMatcher("/admin/**"))
          .csrf().disable()      
          .authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
          .and().formLogin().loginPage("/adminlogin");
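
Added example, not part of the answer above and not Spring's own code: a complete two-chain configuration showing how `@Order` and the request matcher together decide which login page a request gets. It assumes Spring Security 5.x (where `WebSecurityConfigurerAdapter` still exists); the class names and the `/login` path are hypothetical, and the admin chain's matcher is widened to include `/adminlogin` so the login form and its POST are handled by the same chain that owns `/admin/**`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class TwoLoginPagesConfig { // hypothetical class name

    @Configuration
    @Order(1) // lower value = consulted first
    public static class AdminSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Scope this chain to the admin area plus its login URL. With a custom
                // loginPage, the form POST goes to the same URL, so it must match here too.
                .requestMatchers().antMatchers("/admin/**", "/adminlogin").and()
                .authorizeRequests()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .and()
                // CSRF protection stays at its default (enabled); the form must send the token.
                .formLogin().loginPage("/adminlogin").permitAll();
        }
    }

    @Configuration
    @Order(2) // fallback chain: no matcher, so it applies to every remaining request
    public static class UserSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests().anyRequest().authenticated()
                    .and()
                .formLogin().loginPage("/login").permitAll(); // "/login" is an assumed path
        }
    }
}
```

An unauthenticated request to `/admin/reports` matches the first chain and is redirected to `/adminlogin`; any other protected URL falls through to the second chain and is redirected to `/login`.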
    
