Spring boot and spring security multiple login pages

Front-end · Unresolved · 2 replies · 1419 views
无人共我 2021-01-16 08:36
```java
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Configuration
    @Order(1)
    public static class App1ConfigurationAdapter extends WebSecurityConfigurerAdapter
```
2 answers
  • 2021-01-16 09:30

    I reckon that the reason why your admin login is not activating is because: first, it is NOT higher in priority.

    @Order defines the sort order for an annotated component. The value is optional and represents an order value as defined in the Ordered interface. Lower values have higher priority. The default value is Ordered.LOWEST_PRECEDENCE, indicating lowest priority (losing to any other specified order value).

    Second, according to HttpSecurity's Javadoc:

    A HttpSecurity is similar to Spring Security's XML `<http>` element in the namespace configuration. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using requestMatcher(RequestMatcher) or other similar methods.

    So try restricting the HttpSecurity object to activate for your admin pages by first configuring the requestMatcher such that:

    ```java
    // inside the @Order(1) admin WebSecurityConfigurerAdapter
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .requestMatcher(new AntPathRequestMatcher("/admin/**"))   // this chain only handles /admin/**
          .csrf().disable()
          .authorizeRequests().antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
          .and().formLogin().loginPage("/adminlogin");
    }
    ```
  • 2021-01-16 09:31

    I solved it using request matcher:

    ```java
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.web.authentication.AuthenticationFailureHandler;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    @Configuration
    @EnableWebSecurity
    public class AllConfig extends WebSecurityConfigurerAdapter {

        // application-specific UserDetailsService (not shown in the answer)
        @Autowired
        MyUserDetailService myuserDetailsService;

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authProvider());
        }

        @Bean
        public static BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder(4);
        }

        @Bean
        public AuthenticationProvider authProvider() {
            DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
            provider.setUserDetailsService(myuserDetailsService);
            provider.setPasswordEncoder(passwordEncoder());
            return provider;
        }

        // application-specific failure handler (not shown in the answer)
        @Bean
        public static AuthenticationFailureHandler customAuthenticationFailureHandler() {
            return new CustomAuthenticationFailureHandler();
        }

        // Consulted first (lowest @Order value wins), but requestMatcher limits the
        // whole chain to /admin/**; any other request falls through to the next chain.
        @Configuration
        @Order(1)
        public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.requestMatcher(new AntPathRequestMatcher("/admin/**"))
                .csrf().disable()   // CSRF protection is off for this chain only
                .authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .and().formLogin()
                .loginPage("/admin/adminlogin").permitAll().usernameParameter("username")
                .passwordParameter("password").defaultSuccessUrl("/admin/AdminDashBoard")
                .failureHandler(customAuthenticationFailureHandler()).and().logout()
                // /logout is not under /admin/**, so this chain never sees it; such requests
                // are handled by the next matching chain (here the outer default chain)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/home").and()
                .exceptionHandling().accessDeniedPage("/403");
            }
        }

        // Second chain, limited to /user/**; the outer AllConfig (default order) catches the rest.
        @Configuration
        @Order(2)
        public static class UserSecurityConfig extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.requestMatcher(new AntPathRequestMatcher("/user/**"))
                .csrf().disable()   // CSRF protection is off for this chain only
                .authorizeRequests()
                .antMatchers("/user/**").access("hasRole('ROLE_USER')").and().formLogin()
                .loginPage("/user/userlogin").permitAll().usernameParameter("username")
                .passwordParameter("password").defaultSuccessUrl("/user/UserDashBoard")
                .failureHandler(customAuthenticationFailureHandler()).and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/").and()
                .exceptionHandling().accessDeniedPage("/403");
            }

        }
    }
    ```
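A way to confirm that the ordered, request-matched chains from the second answer actually route each area to its own login page, as an added MockMvc test that is not part of either answer or of Spring Security itself. It assumes the answer's AllConfig is on the classpath together with spring-boot-starter-test and spring-security-test; the test class name is mine, the paths and roles are the answer's own.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.forwardedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Added example, not code from the answer: exercises the AllConfig chains above.
// @AutoConfigureMockMvc applies the Spring Security filter chains to MockMvc.
@SpringBootTest
@AutoConfigureMockMvc
class MultiLoginChainTest {

    @Autowired
    MockMvc mockMvc;

    // An anonymous /admin/** request must be sent to the admin login page, i.e. the
    // @Order(1) chain must win; if it did not, the redirect would go elsewhere.
    @Test
    void adminPathsUseAdminLoginPage() throws Exception {
        mockMvc.perform(get("/admin/AdminDashBoard"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/admin/adminlogin"));
    }

    // Same check for the @Order(2) user chain.
    @Test
    void userPathsUseUserLoginPage() throws Exception {
        mockMvc.perform(get("/user/UserDashBoard"))
               .andExpect(status().is3xxRedirection())
               .andExpect(redirectedUrlPattern("**/user/userlogin"));
    }

    // A logged-in ROLE_USER is authenticated but fails hasRole('ROLE_ADMIN'), so the
    // admin chain's access-denied handling forwards to the configured /403 page.
    @Test
    @WithMockUser(roles = "USER")
    void userRoleIsDeniedOnAdminPaths() throws Exception {
        mockMvc.perform(get("/admin/AdminDashBoard"))
               .andExpect(status().isForbidden())
               .andExpect(forwardedUrl("/403"));
    }
}
```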