We're building a web application that is available to both authenticated and anonymous users. If you decide not to register/login you only have a limited set of features. User authentication is done over OpenID with Spring Security. That works fine.

However, the application also comes with an admin UI that is deployed at <host>/<context-root>/admin. Can we have two separate realms with Spring Security (e.g. basic auth for /admin/**)? How does that have to be configured?

A: 

I can't think of a straightforward way to have two realms (and I didn't try it myself):

You may define two filters in your web.xml where each of those has a different Spring configuration and ergo its own environment. The global things go into the app config, the realm-specific in the filter config.

If it's only for a different auth method, you could write your own filter which then decides which filter to call.

dube
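
The second suggestion in the answer above (one filter that decides which authentication filter to call) could look like the following sketch. It is an added example, not code from the answer or from Spring Security. The class name `RealmDispatchingFilter` and the two injected delegates are hypothetical, and it assumes the filter is defined as a Spring bean and registered in web.xml through `DelegatingFilterProxy`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical dispatcher: picks one of two authentication filters per request. */
public class RealmDispatchingFilter implements Filter {

    private final Filter adminAuthFilter;   // assumed: the basic-auth chain for /admin/**
    private final Filter defaultAuthFilter; // assumed: the existing OpenID chain

    public RealmDispatchingFilter(Filter adminAuthFilter, Filter defaultAuthFilter) {
        this.adminAuthFilter = adminAuthFilter;
        this.defaultAuthFilter = defaultAuthFilter;
    }

    /** True for /admin and everything below it, relative to the context root. */
    static boolean isAdminPath(String servletPath, String pathInfo) {
        String path = (servletPath == null ? "" : servletPath)
                    + (pathInfo == null ? "" : pathInfo);
        // Match the segment boundary so that e.g. /administrator is not treated as admin.
        return path.equals("/admin") || path.startsWith("/admin/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getServletPath() and getPathInfo() are URL-decoded by the container and
        // exclude the context root; getRequestURI() is the raw, undecoded value,
        // so matching on it could let an encoded path miss the admin rule.
        Filter chosen = isAdminPath(http.getServletPath(), http.getPathInfo())
                ? adminAuthFilter
                : defaultAuthFilter;
        // Exactly one authentication mechanism runs, then the normal chain continues.
        chosen.doFilter(req, res, chain);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Authorization for `/admin/**` still has to be enforced by the admin chain itself; the dispatcher only selects how the caller is authenticated.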