Multi Login Functions with Spring Security

Hi there, we are trying to set up a second login view to accept logins from other user groups.

Example:
First user group is customer
Second user group is seller

Both user groups' login data are stored in the database. We only want to have a second login view, but there we run into problems with redirection. It looks like Vaadin only allows one Security Config.

We tried to create a second “SecurityFrontendSeller” like below and wanted to make it http.securityMatcher("/customer/**"), but when I log in as seller, I get redirected to /customer/login

@EnableWebSecurity
@Configuration
@Order(2) 
public class SecurityConfigFrontend extends VaadinWebSecurity {
    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    LoginAttemptService loginAttemptService;

    @Autowired
    AzureKeyVaultService azureKeyVaultService;

    private static final String[] PUBLIC_ENDPOINTS = {
            "/images/**",
            "/application/health/**",
            "/swagger-ui/**",
            "/v3/**",
            "/css/**",
            "/js/**",
            "/font-awesome/**",
            "/img/**",
            "/fonts/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.securityMatcher("/customer/**")

                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(Arrays.stream(PUBLIC_ENDPOINTS)
                                .map(path -> AntPathRequestMatcher.antMatcher(HttpMethod.GET, path))
                                .toArray(AntPathRequestMatcher[]::new)).permitAll()
                )
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .cors(withDefaults())
                .addFilterBefore(new JwtAuthenticationFilter(azureKeyVaultService), UsernamePasswordAuthenticationFilter.class);

        http.authenticationProvider(customAuthenticationProvider());

        super.configure(http);
        setLoginView(http, LoginView.class, "/logout");
        setStatelessAuthentication(http, new SecretKeySpec(Base64.getDecoder().decode(azureKeyVaultService.getSecret(AzureKeyEnum.VAADIN_JWT_KEY)), JwsAlgorithms.HS256), "igp.wp", 86400);
    }

    @Bean
    public AuthenticationManager authenticationManager(HttpSecurity http, CustomAuthenticationProvider customAuthProvider) throws Exception {
        return http.getSharedObject(AuthenticationManagerBuilder.class)
                .authenticationProvider(customAuthProvider)
                .build();
    }

    @Bean
    public CustomAuthenticationProvider customAuthenticationProvider() {
        return new CustomAuthenticationProvider(userDetailsService, encoder(), loginAttemptService, azureKeyVaultService);
    }

    @Bean("authProvider")
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }

    @Bean(name = "encoder")
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }
}

Does anyone have an idea of how to get two logins with separate security contexts done?

You can take a look at how I got two security contexts working with Hilla

I think Hilla uses some other stuff than Spring Security, isn't it?

Hilla uses Spring Security with some Vaadin-specific things defined on top of it in VaadinWebSecurity.

Unless you specified something else explicitly, no.
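
For reference, an added example (not code from any poster in this thread) of how plain Spring Security 6 expresses two logins with separate security contexts: one SecurityFilterChain per user group, each with a disjoint securityMatcher, its own login page, and its own session attribute for the SecurityContext. The class name, the /seller and /customer paths and the SELLER/CUSTOMER roles are assumptions, and it does not use VaadinWebSecurity, so how it combines with Vaadin's login view handling is not established here.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example. Assumes users carry ROLE_SELLER or ROLE_CUSTOMER and that
// views exist at /seller/login and /customer/login (hypothetical paths).
@Configuration
@EnableWebSecurity
public class TwoLoginSecurityConfig {

    // Chains are consulted in @Order; the first whose securityMatcher fits wins.
    @Bean
    @Order(1)
    SecurityFilterChain sellerChain(HttpSecurity http) throws Exception {
        return chain(http, "/seller", "SELLER");
    }

    @Bean
    @Order(2)
    SecurityFilterChain customerChain(HttpSecurity http) throws Exception {
        return chain(http, "/customer", "CUSTOMER");
    }

    private static SecurityFilterChain chain(HttpSecurity http, String base, String role) throws Exception {
        // Own session attribute per area: a seller login is never read as a customer login.
        HttpSessionSecurityContextRepository contexts = new HttpSessionSecurityContextRepository();
        contexts.setSpringSecurityContextKey("SPRING_SECURITY_CONTEXT_" + role);

        http.securityMatcher(base + "/**")
            .securityContext(sc -> sc.securityContextRepository(contexts))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(AntPathRequestMatcher.antMatcher(base + "/login")).permitAll()
                .anyRequest().hasRole(role))
            .formLogin(form -> form
                .loginPage(base + "/login")            // unauthenticated requests redirect here
                .loginProcessingUrl(base + "/login")   // POST target, inside this chain's matcher
                .defaultSuccessUrl(base + "/", false))
            .logout(logout -> logout
                .logoutUrl(base + "/logout")
                .logoutSuccessUrl(base + "/login"));
        return http.build();
    }
}
```

Because the two matchers do not overlap, an unauthenticated request under /seller/** can only be redirected to /seller/login; two chains sharing one matcher would always resolve to the chain with the lower @Order value.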