Multiple config files for spring security

Question

Hello all,

I'm quite new to all things spring, and right now I'm developing an application that uses Spring, Spring MVC and Srping Security. My problem is that I'm using two dispatcher servlets, one for /csm/*.html and another one for *.html and I'd like to have one spring security configuration file per servlet. Is this possible at all?, if so, could you point me to an example?.

Thanks in advance,

Xabier.

Answer 1

*This answer relates to springframework 2.5.6, it might have changed in later versions. *

use the pattern /WEB-INF/[servlet-name]-servlet.xml or specify it in the web.xml like this:

<servlet>
  <servlet-name>handler</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
<!-- override default name {servlet-name}-servlet.xml -->
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-myconfig.xml</param-value>
  </init-param>
  <load-on-startup>2</load-on-startup>
</servlet>

If you do not set the contextConfigLocation it defaults to handler-servlet.xml (at least in this example).

application wide stuff belongs into /WEB-INF/applicationContext.xml. But you also can change the default and even add multiple files:

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    WEB-INF/spring-dao-hibernate.xml,
    WEB-INF/spring-services.xml,
    WEB-INF/spring-security.xml
  </param-value>
</context-param>

you can find a more specific answer on the spring website, the documentation is quite good.

Answer 2

Hmm, I think I didn't explain myself well. What I'm trying to say, is, that if it's possible to have a config file like:

     <security:http>
            <!-- Restrict URLs based on role -->
            <security:intercept-url pattern="/login*" filters="none"/>
            <security:intercept-url pattern="/logoutSuccess*" filters="none"/>

            <security:intercept-url pattern="/css/*" filters="none"/>
            <security:intercept-url pattern="/js/*"  filters="none"/>
            <security:intercept-url pattern="/img/*" filters="none"/>

            <security:intercept-url pattern="/**" access="ROLE_USER" />

            <!-- Override default login and logout pages -->
            <security:form-login login-page="/login.html" default-target-url="/cpanel.html" 
                                always-use-default-target="true" authentication-failure-url="/login.html"/>
</security:http>

And another one with:

  <security:http>
            <!-- Restrict URLs based on role -->
           <security:intercept-url pattern="/cms/**" access="ROLE_ADMIN" />
</security:http>

some other url patterns and have both take effect.