I have a web application using Spring Security in order to manage authentication. My client has 2 login forms; my Spring Security config is as follows:

<http auto-config="true" use-expressions="true" create-session="always">
    <intercept-url pattern="/**" access="permitAll" />

    <form-login login-processing-url="/user/login" login-page="/user/login/unauthorized"
        default-target-url="/user/firstLogin" authentication-failure-url="/user/login/failure" />

    <form-login login-processing-url="/user/relogin" login-page="/user/login/unauthorized"
        default-target-url="/user/reLoginFromClient" authentication-failure-url="/user/login/failure" />

    <logout logout-url="/user/logout/spring" logout-success-url="/user/logout/success" />
    <access-denied-handler ref="accessDeniedHandler"/>
</http>

The first form-login element works fine, i.e. I am able to log in from the /user/login URL. However, when I try to log in from the second URL, /user/relogin, I get a 415: Unsupported Media Type response from the server.

Note that if I switch the two elements, the one that is on top works fine and the bottom one results in a 415 response.

I did as suggested in the selected answer, my configuration now looks like this:

<http auto-config="true" use-expressions="true" create-session="always" authentication-manager-ref="authenticationManager">
    <intercept-url pattern="/**" access="permitAll" />
    <custom-filter after="SECURITY_CONTEXT_FILTER" ref="reLoginFilter"/>
    <form-login login-processing-url="/user/login" login-page="/user/login/unauthorized"
        default-target-url="/user/firstLogin" authentication-failure-url="/user/login/failure" />
    <logout logout-url="/user/logout/spring" logout-success-url="/user/logout/success" />
    <access-denied-handler ref="accessDeniedHandler"/>
</http>

<beans:bean id="reLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="filterProcessesUrl" value="/user/relogin"/>
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <beans:property name="authenticationFailureHandler" ref="authenticationFailHandler" />
</beans:bean>

<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/user/relogin/success"/>
</beans:bean>

<beans:bean id="authenticationFailHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/user/login/failure"/>
</beans:bean>
  • Just out of curiosity, what are your reasons for using auto-config="true" and create-session="always" ? Commented Feb 26, 2013 at 15:40
  • @Luke, probably none. I need to first validate this before I remove them. Commented Feb 27, 2013 at 10:13

1 Answer

You can't use multiple <form-login> elements within a single <http> element.

Instead you could use one and add a second by defining a UsernamePasswordAuthenticationFilter bean and inserting it using the custom-filter element.

You should also probably remove the auto-config. Creating a session for every request is also rarely required, so I would remove the create-session attribute too, unless you are sure you need it.

1 Comment

Thanks Luke, I'll try the UsernamePasswordAuthenticationFilter.
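
A small lint check for the points raised in the answer, as an added example that is not part of the original thread: it flags any `<http>` element holding more than one `<form-login>`, plus the `auto-config="true"` and `create-session="always"` attributes the answer suggests removing. The function name, rule names and the embedded sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"

# Constructed sample modelled on the question's first configuration.
SAMPLE = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true" use-expressions="true" create-session="always">
    <intercept-url pattern="/**" access="permitAll"/>
    <form-login login-processing-url="/user/login"/>
    <form-login login-processing-url="/user/relogin"/>
  </http>
</beans:beans>"""


def lint_security_config(xml_text):
    """Return (rule, detail) findings for every <http> element in the config.

    Intended for your own trusted config files; ElementTree is not hardened
    against hostile XML.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for http in root.iter(SEC_NS + "http"):
        forms = http.findall(SEC_NS + "form-login")
        if len(forms) > 1:
            # Every <form-login> after the first is a candidate for a
            # UsernamePasswordAuthenticationFilter bean plus <custom-filter>.
            extra = [f.get("login-processing-url", "(default)") for f in forms[1:]]
            findings.append(("multiple-form-login",
                             "move to a custom-filter bean: " + ", ".join(extra)))
        if http.get("auto-config") == "true":
            findings.append(("auto-config", "declare the needed elements explicitly"))
        if http.get("create-session") == "always":
            findings.append(("create-session-always",
                             "a session is created for every request"))
    return findings


if __name__ == "__main__":
    for rule, detail in lint_security_config(SAMPLE):
        print(f"{rule}: {detail}")
```

Run against a real context file by passing its contents to `lint_security_config`; an empty list means none of the three conditions were found.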
