How to put two different login pages?

[gowthamgutha]

I have two different set of users and hence two different login pages in two different urls. Two separate tables for two different types of users, and everything is different for those set of users i.e. the DAO, Services etc. I would also want to change the way, I hash their passwords.

I have added the following in applicationContext-security.xml

Code: Select all

<sec:authentication-manager alias="blMyUserAuthenticationManager">
        <sec:authentication-provider user-service-ref="blMyUserDetailsService">
            <sec:password-encoder ref="blMyPasswordEncoder">
                <sec:salt-source ref="blMySaltSource" />
            </sec:password-encoder>
        </sec:authentication-provider>
</sec:authentication-manager>


Code: Select all

    <!-- Sets the login failure URL -->
    <bean id="blMyAuthenticationFailureHandler" class="org.broadleafcommerce.common.security.BroadleafAuthenticationFailureHandler">
        <constructor-arg value="/login?error=true" />
        <property name="redirectStrategy" ref="blAuthenticationFailureRedirectStrategy" />
    </bean>

    <!-- Sets the login success URL -->
    <bean id="blMyAuthenticationSuccessHandler" class="org.broadleafcommerce.core.web.order.security.BroadleafAuthenticationSuccessHandler">
        <property name="redirectStrategy" ref="blAuthenticationSuccessRedirectStrategy" />
        <property name="defaultTargetUrl" value="/" />
        <property name="targetUrlParameter" value="successUrl" />
        <property name="alwaysUseDefaultTargetUrl" value="false" />
    </bean>


Code: Select all

<sec:form-login login-page='/login/myUser'
            authentication-success-handler-ref="blMyUserAuthenticationSuccessHandler"
            authentication-failure-handler-ref="blMyUserAuthenticationFailureHandler"
            login-processing-url="/myUserLogin_post.htm" />


Do I need to add anything else? I have a doubt on how to add sec:logout

<sec:logout delete-cookies="ActiveID" invalidate-session="true" logout-url="/logout"/>

What is this ActiveID?
Also how to implement my own success and failure handlers?

Thanks in advance. Hope you will reply as soon as possible.

[RapidTransit]

I'm not well versed in Spring security but to avoid moments make sure the different login location is defined under the intercept-url

[gowthamgutha]

I've done something like this..

Code: Select all

      <sec:intercept-url pattern="/myUser**" access="ROLE_MYUSER" requires-channel="https"/>
      <sec:intercept-url pattern="/login/myUser" requires-channel="https"/>
                  
        <!-- Define the login form along with the success and failure handlers -->
        <sec:form-login login-page='/login/myUser'
            authentication-success-handler-ref="blMyUserAuthenticationSuccessHandler"
            authentication-failure-handler-ref="blMyUserAuthenticationFailureHandler"
      />

    <!-- Sets the login failure URL -->
    <bean id="blMyUserAuthenticationFailureHandler" class="org.broadleafcommerce.common.security.BroadleafAuthenticationFailureHandler">
        <constructor-arg value="/login/myUser?error=true" />
        <property name="redirectStrategy" ref="blAuthenticationFailureRedirectStrategy" />
    </bean>

    <!-- Sets the login success URL -->
    <bean id="blMyUserAuthenticationSuccessHandler" class="org.broadleafcommerce.core.web.order.security.BroadleafAuthenticationSuccessHandler">
        <property name="redirectStrategy" ref="blAuthenticationSuccessRedirectStrategy" />
        <property name="defaultTargetUrl" value="/" />
        <property name="targetUrlParameter" value="successUrl" />
        <property name="alwaysUseDefaultTargetUrl" value="false" />
    </bean>



The problem is that when the authentication failed, the url is being redirected to /login?error=true but not /login/myUser?error=true

[RapidTransit]

After taking a look at BroadleafAuthenticationFailureHandler

Code: Select all

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        String failureUrlParam = StringUtil.cleanseUrlString(request.getParameter("failureUrl"));
        String successUrlParam = StringUtil.cleanseUrlString(request.getParameter("successUrl"));
        String failureUrl = StringUtils.trimToNull(failureUrlParam);

        // Verify that the url passed in is a servlet path and not a link redirecting away from the webapp.
        failureUrl = validateUrlParam(failureUrl);
        successUrlParam = validateUrlParam(successUrlParam);

        if (failureUrl == null) {
            failureUrl = StringUtils.trimToNull(defaultFailureUrl);
        }
        if (failureUrl != null) {
            if (StringUtils.isNotEmpty(successUrlParam)) {
                if (!failureUrl.contains("?")) {
                    failureUrl += "?successUrl=" + successUrlParam;
                } else {
                    failureUrl += "&successUrl=" + successUrlParam;
                }
            }
            saveException(request, exception);
            getRedirectStrategy().sendRedirect(request, response, failureUrl);
        } else {
            super.onAuthenticationFailure(request, response, exception);
        }
    }


The way Broadleaf redirects is based on a passed in form parameter, if there is none it defaults back to the passed in constructor argument.

Also it looks like some things change if it's posted with AJAX, (Which looks for either of these headers: blcAjax and X-Requested-With)
I believe you may still have "failureUrl" form parameter still set to default, But I'm not 100% sure without seeing more of your code.