joseJv - 5 months ago
Java Question

Make Interceptors for multiple form-login with different namespace in Spring Security

I have two http patterns, corresponding to two login forms. One for user login with the default namespace "/", one for admin login with the namespace "/admin".
I have a problem when I make interceptors for each login form.

The error happens when I enter a wrong url at the admin's login form (e.g. .../admin/sdfsdfa). It doesn't redirect to the admin's login form:

"Unable to load page, because Too many redirects".


My spring-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Paths with no security filter chain at all -->
    <http pattern="/login**" security="none" />
    <http pattern="/admin/" security="none" />

    <!-- Admin chain: everything under /admin/ requires ROLE_ADMIN -->
    <http pattern="/admin/**">
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
        <form-login login-page="/admin/adminLogin"
            login-processing-url="/admin/j_spring_security_check"
            default-target-url="/admin/adminAccess"
            authentication-failure-url="/admin/adminLogin?error"
            username-parameter="username" password-parameter="password" />
        <logout logout-url="/admin/j_spring_security_logout"
            logout-success-url="/adminLogin?logout" />
    </http>

    <!-- Default (user) chain: catch-all for every other request -->
    <http>
        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
        <access-denied-handler error-page="/user/403.jsp" />
        <form-login login-page="/login" default-target-url="/userAccess"
            authentication-failure-url="/login?error"
            username-parameter="username" password-parameter="password" />
        <logout logout-success-url="/login?logout" />
    </http>

    <beans:bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>

    <beans:bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="daoAuthenticationProvider" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <authentication-manager erase-credentials="false">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>
</beans:beans>



When I log in with the user's login form (default namespace "/"), it works well. It intercepts all requests, so we can't access any url without a successful login; it automatically redirects the url to the user's login form.

But when I log in with the admin's login form (namespace "/admin"), I see the spring-security interceptors work wrong or don't work. In the admin namespace "/admin", when I enter a wrong url (e.g. .../admin/sdfnsdfe), it doesn't redirect to the admin's login form.
It displays the error "Unable to load page, because Too many redirects".
I think the url has matched all the above patterns, so the error happened.
Now what do I need to do to resolve this problem?
Do you think I should make the namespace for user login "/user" instead of the default namespace "/"?

Answer

When you enter a URL like /admin/sdfsdfa, the URL matches the pattern /admin/**, which you define as a secured resource with <intercept-url pattern="/**" access="ROLE_ADMIN" />.

As the user is not authenticated, he is redirected to the login page /admin/adminLogin. After the redirect, the request URL matches the pattern /admin/** again and is redirected to /admin/adminLogin again. As a result, you get Too many redirects.

Please try setting your login page /admin/adminLogin to security="none" by adding:

    <http pattern="/admin/adminLogin" security="none" />

before

    <http pattern="/admin/**">

This disables the security filter chain for the request path /admin/adminLogin.
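The following is an added, complete spring-security.xml that applies the answer's fix; it is not from the question or the answer. It keeps the page's own URLs and roles and shows the point that matters: Spring Security picks the first <http> chain whose pattern matches a request, so the exclusion for /admin/adminLogin must sit before /admin/**, and the catch-all <http> must stay last. Note that the question's existing <http pattern="/admin/" security="none" /> does not help, because an Ant pattern without a wildcard matches only the path /admin/ itself. Two things here are my own choices rather than the page's: the admin logout-success-url is moved under /admin/ so it lands on the excluded page, and the hand-wired ProviderManager bean from the question is dropped because <authentication-manager> already creates one (userDetailsService is assumed to be defined elsewhere). The alternative in the comment, which keeps the chain active on the login page instead of switching it off, is also my suggestion, not the answer's.

```xml
<!-- Added example, not the original poster's configuration. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- 1. User login page: no filter chain. -->
    <http pattern="/login**" security="none" />

    <!-- 2. Admin login page: excluded BEFORE the /admin/** chain. Without this
         line the redirect to /admin/adminLogin is itself caught by the
         /admin/** chain and redirected again (the "Too many redirects" loop).
         Matching ignores the query string, so /admin/adminLogin?error and
         /admin/adminLogin?logout are covered by the same pattern. -->
    <http pattern="/admin/adminLogin" security="none" />

    <!-- 3. Admin area. The login-processing URL must stay INSIDE this chain,
         because the filter that handles /admin/j_spring_security_check is
         part of it; only the login page itself is excluded.
         Alternative (assumed here, not in the answer) that keeps session
         handling on the login page: delete chain 2 and put
           <intercept-url pattern="/admin/adminLogin" access="IS_AUTHENTICATED_ANONYMOUSLY" />
         before the ROLE_ADMIN rule below; intercept-url rules are also
         first-match-wins. -->
    <http pattern="/admin/**">
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
        <form-login login-page="/admin/adminLogin"
            login-processing-url="/admin/j_spring_security_check"
            default-target-url="/admin/adminAccess"
            authentication-failure-url="/admin/adminLogin?error"
            username-parameter="username" password-parameter="password" />
        <logout logout-url="/admin/j_spring_security_logout"
            logout-success-url="/admin/adminLogin?logout" />
    </http>

    <!-- 4. Everything else: the user area. No pattern means "match all",
         so this chain must be the last one. -->
    <http>
        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
        <access-denied-handler error-page="/user/403.jsp" />
        <form-login login-page="/login" default-target-url="/userAccess"
            authentication-failure-url="/login?error"
            username-parameter="username" password-parameter="password" />
        <logout logout-success-url="/login?logout" />
    </http>

    <!-- userDetailsService is assumed to be a bean defined elsewhere. -->
    <authentication-manager erase-credentials="false">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>
</beans:beans>
```

Quick check after the change: an unauthenticated GET of /admin/sdfsdfa should produce exactly one 302 to /admin/adminLogin, and that page should then return 200 without a further redirect. Keep in mind that security="none" removes every filter for that path, including session and logout handling, which is why the commented intercept-url variant is sometimes preferable.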