add entry points (#1413)

spring-security-mvc-boot/src/main/java/org/baeldung/multipleentrypoints/MultipleEntryPointsSecurityConfig.java

@@ -9,6 +9,10 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Configuration
 @EnableWebSecurity
@@ -31,10 +35,17 @@ public class MultipleEntryPointsSecurityConfig {
             //@formatter:off
             http.antMatcher("/admin/**")
                 .authorizeRequests().anyRequest().hasRole("ADMIN")
-                .and().httpBasic()
+                .and().httpBasic().authenticationEntryPoint(authenticationEntryPoint())    
                 .and().exceptionHandling().accessDeniedPage("/403");
             //@formatter:on
         }
+        
+        @Bean
+        public AuthenticationEntryPoint authenticationEntryPoint(){
+            BasicAuthenticationEntryPoint entryPoint = new  BasicAuthenticationEntryPoint();
+            entryPoint.setRealmName("admin realm");
+            return entryPoint;
+        }
     }
 
     @Configuration
@@ -42,17 +53,31 @@ public class MultipleEntryPointsSecurityConfig {
     public static class App2ConfigurationAdapter extends WebSecurityConfigurerAdapter {
 
         protected void configure(HttpSecurity http) throws Exception {
+            
             //@formatter:off
             http.antMatcher("/user/**")
                 .authorizeRequests().anyRequest().hasRole("USER")              
-                .and().formLogin().loginPage("/userLogin").loginProcessingUrl("/user/login")
+                .and().formLogin().loginProcessingUrl("/user/login")
                 .failureUrl("/userLogin?error=loginError").defaultSuccessUrl("/user/myUserPage")
                 .and().logout().logoutUrl("/user/logout").logoutSuccessUrl("/multipleHttpLinks")
                 .deleteCookies("JSESSIONID")
-                .and().exceptionHandling().accessDeniedPage("/403")
+                .and().exceptionHandling()
+                .defaultAuthenticationEntryPointFor(loginUrlauthenticationEntryPointWithWarning(),  new AntPathRequestMatcher("/user/private/**"))
+                .defaultAuthenticationEntryPointFor(loginUrlauthenticationEntryPoint(), new AntPathRequestMatcher("/user/general/**"))
+                .accessDeniedPage("/403")
                 .and().csrf().disable();
             //@formatter:on
         }
+        
+        @Bean
+        public AuthenticationEntryPoint loginUrlauthenticationEntryPoint(){
+            return new LoginUrlAuthenticationEntryPoint("/userLogin");
+        }
+        
+        @Bean
+        public AuthenticationEntryPoint loginUrlauthenticationEntryPointWithWarning(){
+            return new LoginUrlAuthenticationEntryPoint("/userLoginWithWarning");
+        }
     }
 
     @Configuration

spring-security-mvc-boot/src/main/java/org/baeldung/multipleentrypoints/PagesController.java

@@ -16,10 +16,15 @@ public class PagesController {
         return "multipleHttpElems/myAdminPage";
     }
 
-    @RequestMapping("/user/myUserPage")
+    @RequestMapping("/user/general/myUserPage")
     public String getUserPage() {
         return "multipleHttpElems/myUserPage";
     }
+    
+    @RequestMapping("/user/private/myPrivateUserPage")
+    public String getPrivateUserPage() {
+        return "multipleHttpElems/myPrivateUserPage";
+    }
 
     @RequestMapping("/guest/myGuestPage")
     public String getGuestPage() {
@@ -30,6 +35,11 @@ public class PagesController {
     public String getUserLoginPage() {
         return "multipleHttpElems/login";
     }
+    
+    @RequestMapping("/userLoginWithWarning")
+    public String getUserLoginPageWithWarning() {
+        return "multipleHttpElems/loginWithWarning";
+    }
 
     @RequestMapping("/403")
     public String getAccessDeniedPage() {

spring-security-mvc-boot/src/main/resources/spring-security-multiple-entry.xml

@@ -2,7 +2,7 @@
 <beans xmlns="http://www.springframework.org/schema/beans"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xmlns:security="http://www.springframework.org/schema/security"
-	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd
+	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
 		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
 
     <security:authentication-manager>
@@ -14,9 +14,10 @@
         </security:authentication-provider>
     </security:authentication-manager>
     
-    <security:http pattern="/user/**" use-expressions="true" auto-config="true">
-        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
-        <security:form-login login-page="/userLogin" login-processing-url="/user/login" 
+    <security:http pattern="/user/general/**" use-expressions="true" auto-config="true"
+      entry-point-ref="loginUrlAuthenticationEntryPoint">
+        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
+        <security:form-login login-processing-url="/user/general/login" 
           authentication-failure-url="/userLogin?error=loginError"
           default-target-url="/user/myUserPage"/>
         <security:csrf disabled="true"/>
@@ -24,14 +25,41 @@
         <security:logout logout-url="/user/logout" delete-cookies="JSESSIONID" logout-success-url="/multipleHttpLinks"/>
     </security:http>
     
+    <bean id="loginUrlAuthenticationEntryPoint"
+      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
+      <constructor-arg name="loginFormUrl" value="/userLogin" />
+    </bean>
+     
+     <security:http pattern="/user/private/**" use-expressions="true" auto-config="true"
+       entry-point-ref="loginUrlAuthenticationEntryPointWithWarning">
+        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
+        <security:form-login login-processing-url="/user/private/login" 
+          authentication-failure-url="/userLogin?error=loginError"
+          default-target-url="/user/myUserPage" />
+        <security:csrf disabled="true"/>
+        <security:access-denied-handler error-page="/403"/>
+        <security:logout logout-url="/user/logout" delete-cookies="JSESSIONID" logout-success-url="/multipleHttpLinks"/>
+    </security:http>
+
+    <bean id="loginUrlAuthenticationEntryPointWithWarning"
+       class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
+        <constructor-arg name="loginFormUrl" value="/userLoginWithWarning" />
+     </bean>
+    
     <security:http pattern="/admin/**" use-expressions="true" auto-config="true">
         <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')"/>
-        <security:http-basic/>
+        <security:http-basic entry-point-ref="authenticationEntryPoint" />
         <security:access-denied-handler error-page="/403"/>
      </security:http>
+     
+     <bean id="authenticationEntryPoint"
+       class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
+       <property name="realmName" value="admin realm" />
+     </bean>
     
      <security:http pattern="/**" use-expressions="true" auto-config="true">
         <security:intercept-url pattern="/guest/**" access="permitAll()"/>  
      </security:http>
 
+    
 </beans>

spring-security-mvc-boot/src/main/resources/templates/multipleHttpElems/loginWithWarning.html

@@ -0,0 +1,28 @@
+<html>
+<head></head>
+
+<body>
+    <h1>Login</h1>
+    <h3>Warning! You are about to access sensible data!</h3>
+
+    <form name='f' action="user/login" method='POST'>
+
+        <table>
+            <tr>
+                <td>Username:</td>
+                <td><input type="text" name="username" /></td>
+            </tr>
+            <tr>
+                <td>Password:</td>
+                <td><input type="password" name="password" /></td>
+            </tr>
+			
+            <tr>
+                <td><input name="submit" type="submit" value="submit" /></td>
+            </tr>
+        </table>
+
+    </form>
+
+</body>
+</html>

spring-security-mvc-boot/src/main/resources/templates/multipleHttpElems/multipleHttpLinks.html

@@ -8,7 +8,9 @@
 
 <a th:href="@{/admin/myAdminPage}">Admin page</a>
 <br />
-<a th:href="@{/user/myUserPage}">User page</a>
+<a th:href="@{/user/general/myUserPage}">User page</a>
+<br />
+<a th:href="@{/user/private/myPrivateUserPage}">Private user page</a>
 <br />
 <a th:href="@{/guest/myGuestPage}">Guest page</a>
 

spring-security-mvc-boot/src/main/resources/templates/multipleHttpElems/myPrivateUserPage.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="ISO-8859-1" />
+<title>Insert title here</title>
+</head>
+<body>
+Welcome user to your private page! <a th:href="@{/user/logout}" >Logout</a>
+
+<br /><br />
+<a th:href="@{/multipleHttpLinks}" >Back to links</a>
+</body>
+</html>

spring-security-mvc-boot/src/test/java/org/baeldung/web/MultipleEntryPointsTest.java

@@ -46,9 +46,9 @@ public class MultipleEntryPointsTest {
 
     @Test
     public void whenTestUserCredentials_thenOk() throws Exception {
-        mockMvc.perform(get("/user/myUserPage")).andExpect(status().isFound());
+        mockMvc.perform(get("/user/general/myUserPage")).andExpect(status().isFound());
 
-        mockMvc.perform(get("/user/myUserPage").with(user("user").password("userPass").roles("USER"))).andExpect(status().isOk());
+        mockMvc.perform(get("/user/general/myUserPage").with(user("user").password("userPass").roles("USER"))).andExpect(status().isOk());
 
         mockMvc.perform(get("/admin/myAdminPage").with(user("user").password("userPass").roles("USER"))).andExpect(status().isForbidden());
     }