Can I have multiple security contexts with spring security?

Question

I have one security context definition that uses PreAuthenticatedProcessingFilterEntryPoint for the flex part of my application. How can I have another definition that will use standard form login with html forms for another part of my application? Here's what I currently have:

    <?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"&gt;


    <http auto-config="true" access-denied-page="/admin/access-denied">
        <intercept-url pattern="/admin/login*" filters="none"/>
          <intercept-url pattern="/admin/access-denied" filters="none"/>
        <intercept-url pattern="/admin/**/*" access="ROLE_ADMIN"  />
        <form-login login-page="/admin/login" authentication-failure-url="/admin/login?login_error=1"
           default-target-url="/admin/index" login-processing-url="/admin/login-process"/>
        <logout logout-success-url="/admin/login"/>

    </http>

<global-method-security  jsr250-annotations="enabled" />

    <beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" >
    </beans:bean>


    <beans:bean id="userAccountManager" class="com.mycomp.service.managers.jpa.UserAccountJpaManager" />
    <beans:bean id="userService" class="com.mycomp.auth.DefaultUserDetailsService" />
    <beans:bean id="defaultPasswordEncoder" class="com.mycomp.auth.DefaultPasswordEncoder" />

    <authentication-provider user-service-ref="userService">
        <password-encoder ref="defaultPasswordEncoder"/>
    </authentication-provider>


</beans:beans>

What I'd like to do is use another authentication provider for the urls that are in the admin site, the one I currently have is for the flex application. So I want the security for the admin urls to use another userDetailsService bean.

Answer 1

It's all about what parts of your application are intercepted by the Spring Security filter chain. Somewhere in your xml configuration (depending on if you did the simple tag config or not) there is an intercept regex like this :

<intercept-url pattern="/**" ...>

You can have different intercept patterns that use different configurations (aka different parts of the security filter chain). I could give you a more concrete answer if you post your current configuration xml.

EDIT: Currently you are using the http tag to define your Spring Security configuration. This tag is used as a shortcut/helper and it auto defines a lot of pieces of the Security Filter chain that can also be setup manually. I think your use case does not fit the auto setup paradigm so you will need to manually setup the filter chain for different URL patterns (as seen in the post below mine). You can create your own PreAuthenticationFilter (which will take a custom UserDetailsService) and add that where appropriate to your filter chain intercept mapping.

Answer 2

Map each filter chain to a diferent URL pattern:

<bean id="myfilterChainProxy" class="org.springframework.security.util.FilterChainProxy">
 <security:filter-chain-map pathType="ant">
 <security:filter-chain pattern="/flex" filters="filterF"/>
 <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
</security:filter-chain-map>
</bean>