Expected Behavior

Offer the possibility to specify custom login-urls depending on the tenant the user initiated the request with.

Current Behavior

The current state allows us to specify only one "login url" for all tenants.

I am working on a platform offering multi-tenancy capability. Now there is a request to have custom login pages based on the tenant (tenant Id is present in the incoming request). The ability to compute the login url based on the tenant value would be a great plus here. Unfortunately, the classes involved in the FormLogin infrastructure that might be extended to add this behavior are "final" classes.

I would like to thank you too for the amazing work achieved until here.

Comment From: sjohnr

@rlagoue thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow.

Having said that, I understand how important and challenging multi-tenancy support is. There might be opportunities to provide multi-tenancy support directly in the framework or in higher level abstractions, but the issue you're reporting here doesn't seem like the place to discuss that bigger picture. With that in mind, I will just mention that what you are asking for is still achievable with the existing "final" classes through delegation. For example:

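import java.io.IOException;
import java.util.Map;

// jakarta.servlet.* on Spring Security 6.x; javax.servlet.* on 5.x
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

public class MultiTenantAuthenticationEntryPoint implements AuthenticationEntryPoint {

    // Login URL to redirect to, keyed by tenant identifier
    private final Map<String, String> loginUrlPerTenantId;

    public MultiTenantAuthenticationEntryPoint(Map<String, String> loginUrlPerTenantId) {
        this.loginUrlPerTenantId = loginUrlPerTenantId;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {

        // TODO: Get the tenant identifier...
        String tenantId = "...";
        String loginUrl = this.loginUrlPerTenantId.get(tenantId);

        // Delegate to LoginUrlAuthenticationEntryPoint based on the current tenant
        LoginUrlAuthenticationEntryPoint delegate = new LoginUrlAuthenticationEntryPoint(loginUrl);
        delegate.commence(request, response, authException);
    }
}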

This can be plugged into Spring Security like so:

http.exceptionHandling((exceptionHandling) -> exceptionHandling
    .authenticationEntryPoint(new MultiTenantAuthenticationEntryPoint(...))
);

For now, I'm going to close this issue as I feel the login url request here is too narrow for a larger conversation about multi-tenancy. That would be better addressed through a theme issue opened by the Spring Security team or an issue opened by the community with a much broader focus.
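An added example, not part of the original comment and not Spring Security's own code: a variant of the delegating entry point above that treats the tenant identifier as untrusted request data, using it only as a lookup key into a fixed map and falling back to a default login page for missing or unknown tenants. The class name `AllowListedTenantEntryPoint`, the `defaultLoginUrl` parameter and the `tenantResolver` function are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// jakarta.servlet.* on Spring Security 6.x; javax.servlet.* on 5.x
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Hypothetical class: the only redirect targets are the URLs configured at startup.
public class AllowListedTenantEntryPoint implements AuthenticationEntryPoint {

    private final Map<String, AuthenticationEntryPoint> delegates = new HashMap<>();
    private final AuthenticationEntryPoint fallback;
    // Assumption: how the tenant is read from the request is supplied by the caller,
    // e.g. request -> request.getHeader("X-Tenant-ID") (hypothetical header name).
    private final Function<HttpServletRequest, String> tenantResolver;

    public AllowListedTenantEntryPoint(Map<String, String> loginUrlPerTenantId,
            String defaultLoginUrl, Function<HttpServletRequest, String> tenantResolver) {
        // Build one delegate per configured tenant up front instead of on every request.
        loginUrlPerTenantId.forEach((tenantId, loginUrl) ->
                this.delegates.put(tenantId, new LoginUrlAuthenticationEntryPoint(loginUrl)));
        this.fallback = new LoginUrlAuthenticationEntryPoint(defaultLoginUrl);
        this.tenantResolver = tenantResolver;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // The tenant id is request-controlled: it selects an entry from the fixed map
        // and is never concatenated into the redirect URL.
        String tenantId = this.tenantResolver.apply(request);
        AuthenticationEntryPoint delegate = (tenantId != null)
                ? this.delegates.getOrDefault(tenantId, this.fallback)
                : this.fallback;
        delegate.commence(request, response, authException);
    }
}
```

It is registered the same way as the entry point above, through `exceptionHandling.authenticationEntryPoint(...)`.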

Comment From: rlagoue

Thank you @sjohnr

Your suggestion helps a lot.