【问题标题】:Spring-Security with two authentication managers具有两个身份验证管理器的 Spring-Security
【发布时间】:2017-01-09 14:30:42
【问题描述】:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!--
      Spring Security namespace configuration: three <http> filter chains
      (static resources, /rest/sales/**, and an unpatterned catch-all) plus two
      JDBC-backed <authentication-manager> declarations sharing one BCrypt encoder.
      Declaration order is significant: a request is handled by the first <http>
      element whose pattern matches it, and only by that one.
    -->


    <!-- security="none": no security filter chain runs for /resources/**, so these
         paths get no authentication, CSRF checks or security headers. Keep only
         public static assets under this prefix. -->
    <http security="none" pattern="/resources/**"/>
    <!--
      Sales chain: sees only requests matching /rest/sales/** and authenticates
      through the manager referenced as "salesAuth".
      auto-config="true" is shorthand that also enables HTTP Basic and logout
      handling alongside form login; confirm Basic is wanted here.
      NOTE(review): login-page, authentication-failure-url and login-processing-url
      all lie outside /rest/sales/**, so this chain's login filter never receives the
      login POST; such requests fall through to the catch-all chain and its
      authentication manager. The default logout URL is outside this pattern as well.
      NOTE(review): "/auth/ogin_check" looks like a typo of "/auth/login_check", and
      the failure URL points at adminLogin while the login page is salesLogin;
      confirm both against the login form.
    -->
    <http use-expressions="true" auto-config="true" pattern="/rest/sales/**" authentication-manager-ref="salesAuth" disable-url-rewriting="true">
          <intercept-url pattern="/rest/sales/**" access="hasRole('ROLE_SALESMANAGER')"/>
         <form-login login-page="/rest/checkSales/salesLogin" 
            default-target-url="/rest/sales/getSalesManagerHome" 
            authentication-failure-url="/rest/checkSales/adminLogin?error" 
            username-parameter="emailId"
            password-parameter="password" 
            login-processing-url="/auth/ogin_check" 
            always-use-default-target="true" 
            />
        <logout invalidate-session="true" logout-success-url="/rest/check/adminlogout" delete-cookies="JSESSIONID" />
        <!-- CSRF protection stays on: login and logout forms must submit the CSRF token. -->
        <csrf />
    </http>

    <!--
      Catch-all chain (no pattern attribute): handles every request not claimed by
      the two chains above and uses the default authentication manager.
      NOTE(review): the /rest/sales/** rule below is presumably never reached,
      because the sales chain declared earlier takes those requests first.
      NOTE(review): paths that match neither intercept-url (for example /rest/check/**
      and /auth/**) have no access rule in this listing, so they are reachable
      without authentication; consider a final deny-by-default rule.
    -->
     <http auto-config="true" use-expressions="true" >
        <headers>
            <cache-control />
        </headers>
        <intercept-url pattern="/rest/admin/**" access="hasRole('ROLE_ADMIN')" />
        <intercept-url pattern="/rest/sales/**" access="hasRole('ROLE_SALESMANAGER')" />
        <form-login login-page="/rest/check/adminLogin" 
            default-target-url="/rest/admin/adminDashBoard" 
            authentication-failure-url="/rest/check/adminLogin?error" 
            username-parameter="emailId"
            password-parameter="password" 
            login-processing-url="/auth/login_check" 
            always-use-default-target="true" 
            />
        <logout invalidate-session="true" logout-success-url="/rest/check/adminlogout" delete-cookies="JSESSIONID" />
        <csrf />
    </http> 

    <!--
      Default authentication manager: looks up staff by e-mail address in
      organization_staff through parameterized ("?") queries and verifies the
      password with the shared BCrypt encoder. erase-credentials="true" clears the
      password from the Authentication object after a successful login.
      NOTE(review): the JDBC user service reads the third column of
      users-by-username-query as the "enabled" flag; here that column is
      organization_staff_id, so accounts cannot be disabled through this query.
      Confirm this is intended.
    -->
    <authentication-manager erase-credentials="true">
        <authentication-provider >
            <password-encoder ref="encoder" />
            <jdbc-user-service  data-source-ref="dataSource"
                users-by-username-query="select email_id,password, organization_staff_id  from organization_staff where email_id=?"
                authorities-by-username-query="select email_id, staff_type from organization_staff where email_id=?" />
        </authentication-provider>
    </authentication-manager>

    <!--
      Second manager, exposed under the alias "salesAuth".
      NOTE(review): with no id attribute this declaration is registered under the
      same global bean name as the one above and replaces it; the alias then points
      at that single global manager. Declaring it with id="salesAuth" instead of
      alias keeps the two managers distinct.
      NOTE(review): both managers use identical queries and the same encoder, so
      they accept the same accounts; separation between admin and sales users
      rests only on the hasRole checks in the <http> elements.
    -->
    <authentication-manager erase-credentials="true"  alias="salesAuth">
        <authentication-provider >
            <password-encoder ref="encoder" />
            <jdbc-user-service  data-source-ref="dataSource"
                users-by-username-query="select email_id,password, organization_staff_id  from organization_staff where email_id=?"
                authorities-by-username-query="select email_id, staff_type from organization_staff where email_id=?" />
        </authentication-provider>
    </authentication-manager>
    <!-- BCrypt password hashing; strength is the log2 work factor (10 is the library
         default). Raise it if login latency on the target hardware allows. -->
    <beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="10" />
    </beans:bean>
</beans:beans>

问题在于第二个身份验证管理器覆盖了另一个身份验证管理器,即始终执行第二个身份验证管理器。这里我在我的项目中为两个不同的模块使用两个自定义登录页面,或者告诉我如何为一个项目中的两个自定义登录页面应用 Spring Security。

【问题讨论】:

    标签: java spring model-view-controller


    【解决方案1】:

    你必须给你的 <authentication-manager> 一个 id 属性而不是别名(alias),否则第二个声明会覆盖第一个声明。然后我认为你应该删除 authentication-manager-ref 属性。

    这个问题曾在旧的 Spring 论坛上被问过,Luke Taylor(读过 Spring Security 源码的人会经常看到他的名字)在那里作了回答。

    【讨论】:

    • 我如何指定哪个 <http> 引用哪个 <authentication-manager>?
    • 你读过我链接的论坛帖子吗?据我了解,他们只是添加了 id(也许还删除了 authentication-manager-ref)就让它正常工作了。此外,您使用 XML 配置来实现 Spring Security 让我感到奇怪。您的 xsd 表明您使用的是 Spring 4,是否有什么原因让您没有在代码中配置安全性(通过扩展 WebSecurityConfigurerAdapter)?