I have a single WAR that runs two servlets. One provides AMF remoting to Flex clients and other SOAP/HTTP to web service clients. I currently have Spring Security configured to authenticate the Flex clients using DaoAuthenticationProvider. However, I'd like to use a different authentication provide for the SOAP/HTTP. Possibly basic authentication or some other form.
Is it possible? or do I need two WARs?
I think you'll run into problems issues with instantiating two security filter chains. The problem is that the <http> element constructs a security filter chain with a hard-wired bean name ("springSecurityFilterChain"). If you have more than one active <http> element in the webapp's spring configs, this is likely to fail.
In theory you could work around this by not using the SpringSecurity namespace and configuring the filter chains "by hand" using plain Spring XML wiring of the SpringSecurity classes. In practice, configuring SpringSecurity that way is hard.
You might be able to start two separate securityChains, I don't know if you'll run into the issues Stephen outlines.
If you filter on two different url patterns corresponding to the two servlet url patterns you should be able to filter appropriately.
<filter>
<filter-name>flexSpringSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>flexSpringSecurityFilterChain</filter-name>
<url-pattern>/messagebroker/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>webSpringSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>webSpringSecurityFilterChain</filter-name>
<url-pattern>/web/*</url-pattern>
</filter-mapping>