
How to assign auth success handler to multiple spring security realms

I have the following Spring Security configuration class for two separate security realms, the admin area and the frontend area:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// CustomUserDetailsServiceImpl, AuthSuccessAdmin and AuthSuccessFrontend are the
// application's own classes (assumed to live in the same package); they are not shown here.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private CustomUserDetailsServiceImpl userDetailsService;

    // Evaluated first: only requests matching /admin/** reach this filter chain.
    @Configuration
    @Order(1)
    public static class AdminAreaConfiguration  extends WebSecurityConfigurerAdapter {
        @Autowired
        private AuthSuccessAdmin authSuccessAdmin; 

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatcher(new AntPathRequestMatcher("/admin/**"))
                .csrf().disable()   // CSRF protection is switched off for this chain, as posted
                .authorizeRequests()
                    .antMatchers("/admin/login/login.html").permitAll()
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/admin/login.html")
                    .permitAll()
                    .successHandler(authSuccessAdmin)   // handler meant for the admin realm
                    .and()
                .logout()
                    .permitAll();

        }
    }

    // Evaluated second: catches every request the admin chain did not claim.
    @Configuration
    @Order(2)
    public static class UserAreaConfiguration  extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthSuccessFrontend authSuccessFrontend;

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                    .requestMatcher(new AntPathRequestMatcher("/**"))
                    .csrf().disable()   // CSRF protection is switched off for this chain, as posted
                    .authorizeRequests()
                        .antMatchers("/about", "/register").permitAll()
                        .antMatchers("/**").hasRole("USER")
                        .anyRequest().authenticated()
                        .and()
                    .formLogin()
                        .loginPage("/login")
                        .permitAll()
                        .successHandler(authSuccessFrontend)   // handler meant for the frontend realm
                        .and()
                    .logout()
                        .permitAll();
        }
    }
}

When the app is started, the authentication success handler of the admin area is overwritten by the authentication handler of the frontend area, which is loaded after the first. This results in a wrong redirect when logging into the admin area (it redirects to the URL defined in the frontend auth success handler). How can I assign distinct handlers to the separate configurations?

The issue seems to be in the RequestMatcher pattern. Your USER app has the RequestMatcher pattern '/**' (which means anything after /, and so includes the path /admin as well), which will override your ADMIN RequestMatcher pattern /admin/**. Change the user RequestMatcher to /user/**.
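As an added example (not code from the question or from the answer above), the following configuration gives each realm its own success handler using the component-based style of Spring Security 5.4 to 5.7 (one ordered SecurityFilterChain bean per realm instead of nested WebSecurityConfigurerAdapter classes). It makes two points explicit that the posted code leaves implicit: the admin chain is ordered first and restricted to /admin/**, so the frontend chain's catch-all never sees admin requests; and each chain's login-processing URL lies inside that chain's matcher, because whichever chain handles the login POST is the one whose success handler decides the redirect. The handler target URLs (/admin/dashboard, /home), the in-memory users and their passwords, and the bean names are assumptions made for the example. Unlike the question's code, CSRF protection is left at its default (enabled), so the login and logout forms must carry the CSRF token.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Example configuration (Spring Security 5.4-5.7); names and URLs are assumptions.
@Configuration
@EnableWebSecurity
public class TwoRealmSecurityConfig {

    // One distinct handler bean per realm. Naming the beans lets each chain ask for
    // its own by name; by-type injection of AuthenticationSuccessHandler would be
    // ambiguous with two such beans in the context.
    @Bean("adminSuccessHandler")
    public AuthenticationSuccessHandler adminSuccessHandler() {
        SimpleUrlAuthenticationSuccessHandler h =
                new SimpleUrlAuthenticationSuccessHandler("/admin/dashboard");
        h.setAlwaysUseDefaultTargetUrl(true); // ignore any saved request or targetUrl parameter
        return h;
    }

    @Bean("frontendSuccessHandler")
    public AuthenticationSuccessHandler frontendSuccessHandler() {
        return new SimpleUrlAuthenticationSuccessHandler("/home");
    }

    // Chain 1: only requests under /admin/** reach it. Being ordered first, it
    // claims those requests before the frontend chain's catch-all can.
    @Bean
    @Order(1)
    public SecurityFilterChain adminChain(HttpSecurity http,
            @Qualifier("adminSuccessHandler") AuthenticationSuccessHandler adminHandler)
            throws Exception {
        http
            .antMatcher("/admin/**")
            .authorizeRequests()
                .anyRequest().hasRole("ADMIN")
                .and()
            .formLogin()
                .loginPage("/admin/login")
                // The POST that completes the login must itself match /admin/**;
                // otherwise it is routed to the frontend chain and the frontend
                // handler decides where the admin user is redirected.
                .loginProcessingUrl("/admin/login")
                .successHandler(adminHandler)
                .permitAll()   // login page, processing URL and ?error / ?logout variants
                .and()
            .logout()
                .logoutUrl("/admin/logout")
                .logoutSuccessUrl("/admin/login?logout");
        return http.build();
    }

    // Chain 2: no antMatcher, so it handles everything chain 1 did not take.
    @Bean
    @Order(2)
    public SecurityFilterChain frontendChain(HttpSecurity http,
            @Qualifier("frontendSuccessHandler") AuthenticationSuccessHandler frontendHandler)
            throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/about", "/register").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/login")
                .successHandler(frontendHandler)
                .permitAll()
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout");
        return http.build();
    }

    // Shared user store for both chains; stands in for the question's
    // CustomUserDetailsServiceImpl. Credentials here are constructed sample data.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("admin").password(encoder.encode("admin-pw")).roles("ADMIN").build(),
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build());
    }
}
```

To check which chain a request lands in, enable DEBUG logging for org.springframework.security (or use a MockMvc test that POSTs to /admin/login and to /login and asserts on the Location header of the 302 response): the admin POST should redirect to /admin/dashboard and the frontend POST to /home, regardless of the order in which the handler beans were created.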

The technical posts on this site are licensed under CC BY-SA 4.0. If you reprint them, please indicate the site URL or the original address. For any questions, contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM