How to use multiple login pages one for admin and the other one for user

by

Both security filter chains are not restricted (default is /**).

Spring Security 6

You have to restrict the first one with securityMatcher, see Spring Security Reference:

Multiple HttpSecurity Instances

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks in XML. The key is to register multiple SecurityFilterChain @Beans. The following example has a different configuration for URL’s that start with /api/.

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Bean                                                             
  public UserDetailsService userDetailsService() throws Exception {
      // ensure the passwords are encoded properly
      UserBuilder users = User.withDefaultPasswordEncoder();
      InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
      manager.createUser(users.username("user").password("password").roles("USER").build());
      manager.createUser(users.username("admin").password("password").roles("USER","ADMIN").build());
      return manager;
  }

  @Bean
  @Order(1)                                                        
  public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
      http
          .securityMatcher("/api/**")                                   
          .authorizeHttpRequests(authorize -> authorize
              .anyRequest().hasRole("ADMIN")
          )
          .httpBasic(withDefaults());
      return http.build();
  }

  @Bean                                                            
  public SecurityFilterChain formLoginFilterChain(HttpSecurity http) throws Exception {
      http
          .authorizeHttpRequests(authorize -> authorize
              .anyRequest().authenticated()
          )
          .formLogin(withDefaults());
      return http.build();
  }
}
  1. Configure Authentication as usual.
  2. Create an instance of SecurityFilterChain that contains @Order to specify which SecurityFilterChain should be considered first.
  3. The http.securityMatcher states that this HttpSecurity is applicable only to URLs that start with /api/.
  4. Create another instance of SecurityFilterChain. If the URL does not start with /api/, this configuration is used. This configuration is considered after apiFilterChain, since it has an @Order value after 1 (no @Order defaults to last).

More Related Contents:

  1. Spring Boot Security CORS
  2. Spring Boot CORS filter – CORS preflight channel did not succeed
  3. Prevent Spring Boot from registering a servlet filter
  4. How to get custom user info from OAuth2 authorization server /user endpoint
  5. antMatchers that matches any beginning of path
  6. Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
  7. Spring Boot with embedded Tomcat behind Apache proxy
  8. Spring Boot: How to specify the PasswordEncoder?
  9. How to allow a User only access their own data in Spring Boot / Spring Security?
  10. How to configure CORS in a Spring Boot + Spring Security application?
  11. Filter invoke twice when register as Spring bean
  12. Spring Boot – Loading Initial Data
  13. Spring Boot not serving static content
  14. Springboot/Angular2 – How to handle HTML5 urls?
  15. How Spring Security Filter Chain works
  16. Disable all Database related auto configuration in Spring Boot
  17. How to use OAuth2RestTemplate?
  18. How to enable HTTP response caching in Spring Boot
  19. How to write a custom filter in spring security?
  20. Auto login after successful registration
  21. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  22. Escaping a dot in a Map key in Yaml in Spring Boot
  23. Spring Security 3.2 CSRF disable for specific URLs
  24. Configure Multiple MongoDB repositories with Spring Data Mongo
  25. Spring Boot Data JPA – Modifying update query – Refresh persistence context
  26. Looking for a Simple Spring security example [closed]
  27. Where to handle Exceptions in Spring Applications
  28. Is it possible to invalidate a spring security session?
  29. How to add a custom health check in spring boot health?
  30. @SpringBootTest vs @ContextConfiguration vs @Import in Spring Boot Unit Test

Leave a Comment