I have a web application secured with Spring Security that needs two separate login forms. These two login forms need to be totally independent. I mean different login form, different url paths, be able to have a different authentication manager for each one too.

I have looked all over google and there are some ways to do this, but I have read and see some changes the last couple of weeks should make it easy to do this in the latest snapshot versions of the code.

First of all, as this bug is complete SEC-1171 we can now have multiple namespace elements to support multiple filter chain configurations.

Secondly, as this other bug shows SEC-1847 we are now able to select a custom authentication manager for each http tag.

The problem is that I have downloaded, compiled and everything but my xsd doesn’t allow me to create a custom auth manager for each http tag, I also get errors whenever I try to change the login processing url or whenever I try to use a remember me key for each login form.

I started doing something like this:

<!-- Configure realm for administration users -->
<http pattern="/admin/**" auto-config="true" disable-url-rewriting="true" >
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <form-login login-page="/adminLogin.htm" default-target-url="/" 
                login-processing-url="/loginProcessing" 
                authentication-failure-url="/adminLogin.htm?error" />
    <logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<remember-me key="******" user-service-ref="userDetailsService" />
</http>

<!-- Configure realm for standard users -->
<http auto-config="true" disable-url-rewriting="true">
    <intercept-url pattern="/user/**" access="ROLE_USER" />
    <form-login login-page="/login.htm" default-target-url="/" 
                login-processing-url="/loginProcessing" 
                authentication-failure-url="/login.htm?error" />
    <logout invalidate-session="true" logout-success-url="/" logout-url="/logout" />
<remember-me key="******" user-service-ref="userDetailsService" />
</http>

<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="userDetailsService"  >
    <password-encoder ref="passwordEncoder"/>
</authentication-provider>

<authentication-provider>
    <password-encoder ref="passwordEncoder"/>
    <user-service>
                <user name="ned" password="****" authorities="ROLE_USER" />
            <user name="tom" password="****" authorities="ROLE_ADMIN"/>
    </user-service>
</authentication-provider>
</authentication-manager>

I am using the latest snapshot of Spring Security 3.1.

As I said the ideal would be to be able to have two different login forms totally independent using the “new” way that was changed recently on these bugs.

Anybody has worked with this or has any idea?

Thanks in advance.