Spring Security: Multiple Http Config Not Working

Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns

To use multiple WebSecurityConfigurerAdapter instances, you need to restrict them to specific URL patterns using a RequestMatcher.

In your case you can set a higher priority for ActuatorSecurityConfig and limit it only to actuator endpoints:

@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/actuator/**")
            .and()
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and()
            .httpBasic();
    }
}

Creating multiple HTTP sections in Spring Security Java Config

In Spring Security, to mimic the behavior of multiple <http> elements from XML in Java config, create multiple classes for the security configuration. In general it is best/easiest to create a common security configuration with multiple inner classes holding the security definitions for HttpSecurity. See here for a sample.

And here is the related section in the official Spring Security documentation:

5.7 Multiple HttpSecurity

Problem with configuring multiple HttpSecurity instances

You should use one of the following methods of HttpSecurity in at least one of your filters:

antMatcher(String), mvcMatcher(String), regexMatcher(String), requestMatcher(RequestMatcher), requestMatchers().

This will help you configure a certain HttpSecurity to only be invoked when the provided patterns match.

You've used the last method in the second filter, but did not provide any matchers to the configurer.

So, try to rewrite your second filterChain like this:

@Bean
public SecurityFilterChain swaggerFilterChain(HttpSecurity http) throws Exception {

    http
        .requestMatchers().antMatchers("/swagger-ui/index.html", "/v3/api-docs/", "/v3/api-docs")
        .and()
        .authenticationProvider(authenticationProvider())
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic();

    return http.build();
}

Also mind that your swaggerFilterChain might need to be invoked first if you don't want to hardcode all other endpoints' URLs in the other filter chain: if a request matches the filter chain with the first order, it will be the only filter chain applied, so the others will be ignored.

So you also need to change the order: place @Order(1) on your swaggerFilterChain and remove this annotation from the other filter chain.
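Putting the two answers above together, as an added example that is not code from either answer: three SecurityFilterChain beans where every chain except the last is scoped to a matcher, so the @Order value alone decides which chain handles a request. It assumes Spring Security 5.x with the same requestMatchers()/antMatcher() API the answers use; the class and bean names are made up for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiChainSecurityConfig {

    // Failure mode from the question: a chain that is first in order but has no
    // request matcher claims every request, so the chains below never run and
    // /actuator/** becomes reachable by any authenticated user instead of ADMIN.
    // Every chain except the last one therefore carries a matcher.

    // Scoped chain: only consulted for the Swagger paths, evaluated first.
    @Bean
    @Order(1)
    public SecurityFilterChain swaggerChain(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/swagger-ui/**", "/v3/api-docs/**")
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
        return http.build();
    }

    // Scoped chain: actuator endpoints require the ADMIN role.
    @Bean
    @Order(2)
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/actuator/**")
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and()
            .httpBasic();
        return http.build();
    }

    // Catch-all: the only chain allowed to have no matcher, and it must be last.
    @Bean
    @Order(3)
    public SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
        return http.build();
    }
}
```

Swapping the @Order values of swaggerChain and defaultChain reproduces the symptom in the question: the unscoped chain runs first and the actuator and Swagger rules are never applied.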

Spring Boot + Security + Multi HTTP Web Configuration

After a lot of reading I found something that works for me:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {

    @Resource(name = "customUserDetailsService")
    protected CustomUserDetailsService customUserDetailsService;

    @Resource
    private DataSource dataSource;

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService);
    }

    // First chain: stateless token-authenticated REST API under /api/**
    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Resource(name = "restUnauthorizedEntryPoint")
        private RestUnauthorizedEntryPoint restUnauthorizedEntryPoint;
        @Resource(name = "restAccessDeniedHandler")
        private RestAccessDeniedHandler restAccessDeniedHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityXAuthConfigurerAdapter =
                    new XAuthTokenConfigurer(userDetailsServiceBean());

            // @formatter:off
            http
                .antMatcher("/api/**").csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint(restUnauthorizedEntryPoint)
                    .accessDeniedHandler(restAccessDeniedHandler)
                .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
                    .anyRequest().hasRole("ADMIN")
                .and()
                .apply(securityXAuthConfigurerAdapter);
            // @formatter:on
        }
    }

    // Second chain: form-login web UI for everything not matched by the API chain
    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
            // @formatter:on
        }
    }
}
