Configuring Spring Security 3.x to have multiple entry points

Question

You don’t need to create /j_spring_security_check_for_employee and /j_security_check_for_customer filterProcessingUrl.

The default one will work just fine with radio button field idea.

In the custom login LoginFilter, you need to create different tokens for employee and customer.

Here are the steps:

Use default UsernamePasswordAuthenticationToken for employee login.
Create CustomerAuthenticationToken for customer login. Extend AbstractAuthenticationToken so that its class type is distinct from UsernamePasswordAuthenticationToken.

Define a custom login filter:

<security:http>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="customFormLoginFilter" />
</security:http>

In customFormLoginFilter, override attemptAuthentication as follows (pseudo code):

if (radiobutton_param value employee) {
    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
    setDetails(whatever);
    return getAuthenticationManager().authenticate(authRequest);
} else if (radiobutton_param value customer) {
    CustomerAuthenticationToken authRequest = new CustomerAuthenticationToken(username, password);
    setDetails(whatever);
    return getAuthenticationManager().authenticate(authRequest);
}

Override supports method in EmployeeCustomAuthenticationProvider to support UsernamePasswordAuthenticationToken.

Override supports method in CustomerCustomAuthenticationProvider to support CustomerAuthenticationToken.

@Override
public boolean supports(Class<?> authentication) {
    return (CustomerAuthenticationToken.class.isAssignableFrom(authentication));
}

Use both providers in authentication-manager:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="employeeCustomAuthenticationProvider " />
    <security:authentication-provider ref="customerCustomAuthenticationProvider " />
</security:authentication-manager>

Leave a Comment Cancel reply