Multiple login form in spring security

Question

I'm new to the spring and in my project I need to add two login forms to both admins and users through spring security. Up to this point I was able to create one login page successfully. Here is my spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/welcome*" access="isAnonymous()"/>
        <intercept-url pattern="/signup*" access="isAnonymous()"/>
        <!--<intercept-url pattern="/login*" access="isAnonymous()" />-->
        <intercept-url pattern="/selection" access="isAuthenticated()"/>
        <intercept-url pattern="/dashboard" access="isAuthenticated()"/>

        <!-- access denied page -->
        <access-denied-handler error-page="/403" />
        <form-login
                login-page="/login"
                default-target-url="/selection"
                authentication-failure-url="/login?error"
                username-parameter="username"
                password-parameter="password" />
        <logout logout-success-url="/login?logout"  />
        <!-- enable csrf protection -->
        <csrf/>
    </http>

    <!-- Select users and user_roles from database -->
    <authentication-manager>
        <authentication-provider user-service-ref="myUserDetailsService" >
            <password-encoder hash="plaintext" />
        </authentication-provider>
    </authentication-manager>


    <beans:bean id="myUserDetailsService" class="com.cse.cloud4s.service.MyUserDetailsService"/>
</beans:beans>

web.xml

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml,
        /WEB-INF/spring-database.xml
    </param-value>
</context-param>


<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

How can I modify the code to use multiple login pages?

Answer 1

You can have as many login pages as you want, but only one default login page the one to which spring security redirects if user is not authenticated - anyway, it would be hard to guess before authentication if user wants to log as admin.

The only rule is that all login pages must submit same fields to same url, and that that url is processed by spring security.

My only question is why do you need multiple login page ? The spring security way is to have privileges attached to login name, not to the way you log in.

Answer 2

From Spring Security 3.1 it is now possible to use multiple http elements to define separate security filter chain configurations for different request patterns. If the pattern attribute is omitted from an http element, it matches all requests. Creating an unsecured pattern is a simple example of this syntax, where the pattern is mapped to an empty filter chain.

For more details refer this Spring Security Documenttation