joseJv - 1 year ago
Java Question

Make Interceptors for multiple form-login with different namespace in Spring Security

I have two http patterns, corresponding to two login forms: one for user login with the default namespace "/", and one for admin login with the namespace "/admin".
I have a problem when I make interceptors for each login form.

The error happens when I enter a wrong URL at the admin's login form (e.g. .../admin/sdfsdfa). It doesn't redirect to the admin's login form:

"Unable to load page,because Too many redirects".

My spring-security.xml:

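<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/login**" security="none" />
    <http pattern="/admin/" security="none" />

    <!-- Admin filter chain -->
    <http pattern="/admin/**">
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
        <form-login login-page="/admin/adminLogin"
            default-target-url="/admin/adminAccess" authentication-failure-url="/admin/adminLogin?error"
            username-parameter="username" password-parameter="password" />
        <logout logout-url="/admin/j_spring_security_logout"
            logout-success-url="/adminLogin?logout" />
    </http>

    <!-- User filter chain; plain <http> opening tag assumed -->
    <http>
        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
        <access-denied-handler error-page="/user/403.jsp" />
        <form-login login-page="/login" default-target-url="/userAccess"
            authentication-failure-url="/login?error" username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/login?logout" />
    </http>

    <!-- class attributes below assumed: the standard Spring Security classes -->
    <beans:bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>
    <beans:bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref local="daoAuthenticationProvider" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <authentication-manager erase-credentials="false">
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>
</beans:beans>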

When I log in with the user's login form (default namespace "/"), it works well. It intercepts all requests, so we can't access any URL without logging in successfully. It automatically redirects to the user's login form.

But when I log in with the admin's login form (namespace "/admin"), I see that the Spring Security interceptors work wrongly or don't work. In the admin namespace "/admin", when I enter a wrong URL (e.g. .../admin/sdfnsdfe), it doesn't redirect to the admin's login form.
It displays the error "Unable to load page,because Too many redirects".
I think the URL matched all of the above patterns, so the error happened.
What do I need to do to resolve this problem?
Do you think I should use the namespace "/user" for user login instead of the default namespace "/"?

Answer Source

When you enter a URL like /admin/sdfsdfa, the URL matches the pattern /admin/**, which you defined as a secured resource with <intercept-url pattern="/**" access="ROLE_ADMIN" />.

As the user is not authenticated, he is redirected to the login page /admin/adminLogin. After the redirect, the request URL matches the pattern /admin/** and is redirected to /admin/adminLogin again. As a result, you get Too many redirects.

Please try to set your login page /admin/adminLogin with security="none" and add:

<http pattern="/admin/adminLogin" security="none" />
<http pattern="/admin/**">
    <!-- existing admin configuration -->
</http>

This can disable the Security filter chain for the request path /admin/adminLogin.
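
An alternative to `security="none"`, shown as an added example that is not part of the original answer: keep the login page inside the admin filter chain and open it to anonymous users with an `intercept-url` rule placed before the catch-all, so the page still gets a security context and the chain's other filters. It assumes the non-expression `access` syntax the question uses (with `use-expressions="true"` the equivalent value is `permitAll`); all paths and other attributes are copied from the question.

```xml
<!-- Added example: the admin chain from the question with one extra rule. -->
<http pattern="/admin/**">
    <!-- Rules are evaluated top to bottom and the first match wins, so the
         login page must be listed before the catch-all rule. Anonymous
         requests pass this rule and are no longer redirected to themselves. -->
    <intercept-url pattern="/admin/adminLogin" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Everything else under /admin/** still requires ROLE_ADMIN. -->
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <form-login login-page="/admin/adminLogin"
        default-target-url="/admin/adminAccess"
        authentication-failure-url="/admin/adminLogin?error"
        username-parameter="username" password-parameter="password" />
    <logout logout-url="/admin/j_spring_security_logout"
        logout-success-url="/adminLogin?logout" />
</http>
```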
