
I use two different WebSecurityConfigurerAdapter configurations to redirect admins and users to different login pages.

The admin page works fine, but the user page returns HTTP status 405 (Method Not Allowed) when the username and password are POSTed to /login/user.

I have searched a lot; some people said CSRF needs to be disabled, but I have already disabled it.

Here is my code:

/**
 * Declares two Spring Security configurations in one class: one for the user URLs and one
 * for the admin URLs, each with its own form-login page.
 */
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    /**
     * Security configuration for the user-facing URLs.
     * {@code @Order(1)} places it ahead of the admin configuration, which declares no
     * explicit order.
     */
    @Configuration
    @Order(1)
    public static class UserWebSecurityConfig extends WebSecurityConfigurerAdapter {
        // Passed to formLogin() below as the handler for a successful login.
        @Autowired
        CustomAuthenticationSuccessHandler successHandler;

        // Passed to formLogin() below as the handler for a failed login.
        @Autowired
        CustomAuthenticationFailureHandler failureHandler;

        // Registered with the AuthenticationManagerBuilder in configure(auth).
        @Autowired
        private CustomAuthenticationProvider customAuthProvider;

        // Registered with the AuthenticationManagerBuilder in configure(auth).
        @Autowired
        private CustomUserDetailsService userDetailsService;

        // Remember-me token validity in seconds, read from the my.cookie.timeout property.
        @Value("${my.cookie.timeout}")
        private int cookieTimeOut;


        /**
         * Configures the filter chain for the user URLs: request scope, role check,
         * form login, logout and remember-me.
         *
         * @param http the builder for this configuration's filter chain
         * @throws Exception propagated from the HttpSecurity builder calls
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF protection is switched off for this chain, so the login and logout
            // requests are accepted without a CSRF token.
            // NOTE(review): confirm this is intended outside of testing.
            http.csrf().disable();
            // This chain only handles requests under /bbb/ and /aaa/.
            // NOTE(review): "/login/user" is not in this list. With loginPage("/login/user")
            // the credentials are POSTed to that same URL by default, so that POST is not
            // handled by this chain's form-login filter and is left to the other
            // configuration.
            http.requestMatchers()
                .antMatchers("/bbb/**", "/aaa/**")
                .and()
                .authorizeRequests()
                // Every request this chain handles requires the USER role.
                .antMatchers("/**").hasAnyRole("USER");
            http.formLogin()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login/user").permitAll();
            http.logout().permitAll();

            // NOTE(review): the remember-me key is a literal in source and is identical in
            // both configurations. It is used when remember-me tokens are signed, so it
            // should be a secret supplied from external configuration.
            http.rememberMe().key("uniqueAndSecret").tokenValiditySeconds(cookieTimeOut);
        }

        /**
         * Registers the custom authentication provider and the custom user-details service
         * for this configuration.
         *
         * @param auth the authentication manager builder for this configuration
         * @throws Exception propagated from the builder calls
         */
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(customAuthProvider);
            auth.userDetailsService(userDetailsService);
        }
    }


    /**
     * Security configuration for the admin URLs. It declares no {@code @Order} and no
     * requestMatchers(), so it is not limited to particular paths.
     */
    @Configuration
    public static class AdminWebSecurityConfig extends WebSecurityConfigurerAdapter {
        // Passed to formLogin() below as the handler for a successful login.
        @Autowired
        CustomAuthenticationSuccessHandler successHandler;

        // Passed to formLogin() below as the handler for a failed login.
        @Autowired
        CustomAuthenticationFailureHandler failureHandler;

        // Remember-me token validity in seconds, read from the my.cookie.timeout property.
        @Value("${my.cookie.timeout}")
        private int cookieTimeOut;

        /**
         * Configures the filter chain for the admin URLs: role check, form login, logout
         * and remember-me.
         *
         * @param http the builder for this configuration's filter chain
         * @throws Exception propagated from the HttpSecurity builder calls
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF protection is switched off for this chain as well.
            // NOTE(review): confirm this is intended outside of testing.
            http.csrf().disable();
            // Only /ccc/** and /dddd require the ADMIN role; no rule is declared here for
            // any other path that reaches this chain.
            http.authorizeRequests()
                .antMatchers("/ccc/**","/dddd").hasAnyRole("ADMIN");
            http.formLogin()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login/admin").permitAll();
            http.logout().permitAll();

            // NOTE(review): same literal remember-me key as the user configuration; it
            // should be a secret supplied from external configuration.
            http.rememberMe().key("uniqueAndSecret").tokenValiditySeconds(cookieTimeOut);
        }

        /**
         * Registers a single in-memory account with the ADMIN role.
         *
         * @param auth the authentication manager builder injected by Spring
         * @throws Exception propagated from the builder calls
         */
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // NOTE(review): the user name and password are literals in source (a test
            // account); real credentials belong in an external user store with an
            // encoded password.
            auth.inMemoryAuthentication()
                .withUser("test").password("test").roles("ADMIN");
        }
    }
}

Update: after I added "/login/user" to the user pattern, it works.

// "/login/user/**" also matches "/login/user" itself, so the POST of the login form is now
// handled by this chain, whose form-login filter processes it.
http.requestMatchers()
                .antMatchers("/dl/**", "/reinstall/**","/login/user/**")
                .and()
                .authorizeRequests()
                // Every request this chain handles requires the USER role; the login page
                // itself is opened up by permitAll() on formLogin() below.
                .antMatchers("/**").hasAnyRole("USER");
            http.formLogin()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login/user").permitAll();

Hmm, I don't quite understand this mechanism in Spring Security.

Buffer

1 Answer


See the answer given in this similar "Multiple WebSecurityConfigurerAdapter" question. You may need to override configure(AuthenticationManagerBuilder) in both configurations instead of autowiring it in either of them.

tksilicon