Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
To use multiple WebSecurityConfigurerAdapter instances, you need to restrict them to specific URL patterns using RequestMatcher.
In your case you can set a higher priority for ActuatorSecurityConfig and limit it only to actuator endpoints:
@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // this chain is only consulted for /actuator/** requests
            .requestMatchers().antMatchers("/actuator/**")
            .and()
            .authorizeRequests().anyRequest().hasRole("ADMIN")
            .and()
            .httpBasic();
    }
}
Creating multiple HTTP sections in Spring Security Java Config
In Spring Security, to mimic the behavior of multiple <http> elements from XML in Java config, create multiple classes for security configuration. In general it is best/easiest to create a common security configuration with multiple inner classes for the security definition for HttpSecurity. See here for a sample.
And here is the related section in the official Spring Security documentation:
5.7 Multiple HttpSecurity
Problem with configuring multiple HttpSecurity instances
You should use one of the following methods of HttpSecurity in at least one of your filters: antMatcher(String), mvcMatcher(String), regexMatcher(String), requestMatcher(RequestMatcher), requestMatchers().
This will help you to configure a certain HttpSecurity to only be invoked when matching the provided patterns.
You've used the last method in the second filter, but did not provide any matchers to the configurer.
So, try to rewrite your second filterChain like this:
@Bean
public SecurityFilterChain swaggerFilterChain(HttpSecurity http) throws Exception {
    http
        // restrict this chain to the swagger/OpenAPI endpoints only
        .requestMatchers().antMatchers("/swagger-ui/index.html", "/v3/api-docs/", "/v3/api-docs")
        .and()
        .authenticationProvider(authenticationProvider())
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .httpBasic();
    return http.build();
}
Also mind that your swaggerFilterChain might be invoked first if you don't want to hardcode all other endpoints' URLs in the other filter chain - if a request matches a filter with first order it will be the only filter to be applied, so others will be ignored.
So you also need to change the order - place @Order(1) on your swaggerFilterChain and remove this annotation from the other filter chain.
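The two rules stated in the answers above (every chain except the catch-all needs a request matcher, and the narrow chain must be ordered before the catch-all, because the first chain whose matcher accepts the request is the only one applied) fit in one configuration. The following is an added example, not code from any of the answers, written against the component-based SecurityFilterChain style that the swaggerFilterChain answer uses; it assumes the Spring Security 6.x / Spring Boot 3.x API (securityMatcher, authorizeHttpRequests), and the class and bean names are chosen for the example:

```java
// Added example: two SecurityFilterChain beans with explicit ordering.
// Assumes Spring Security 6.x (securityMatcher / authorizeHttpRequests API).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: securityMatcher limits the whole chain to /api/**, so it is never
    // consulted for other URLs. Lower @Order value = evaluated first, which is
    // what a narrow chain needs; if the catch-all chain came first it would
    // claim /api/** as well and this chain would never run.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            // stateless token/basic API: no session cookie, so no CSRF token to check
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
                .anyRequest().hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: no securityMatcher, so it matches every request the first chain did
    // not claim. It gets the highest @Order so it is the last one consulted; there
    // is no need to enumerate the non-API URLs here.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/home", "/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.permitAll());
        return http.build();
    }
}
```

A quick way to confirm the order actually in effect: at startup Spring Security logs one line per chain (of the form "Will secure Ant [pattern='/api/**'] with filters: ..." followed by "Will secure any request with filters: ..."); the catch-all line should be the last one. If a request that should hit the API chain is answered with a form-login redirect instead of a 401, the chains are in the wrong order or the narrow chain is missing its securityMatcher.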
Spring Boot + Security + Multi HTTP Web Configuration
After a lot of reading I found something that works for me:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfiguration extends GlobalAuthenticationConfigurerAdapter {

    @Resource(name = "customUserDetailsService")
    protected CustomUserDetailsService customUserDetailsService;

    @Resource
    private DataSource dataSource;

    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService);
    }

    // Chain for the stateless REST API, restricted to /api/** and evaluated first
    @Configuration
    @Order(1)
    public static class ApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Resource(name = "restUnauthorizedEntryPoint")
        private RestUnauthorizedEntryPoint restUnauthorizedEntryPoint;

        @Resource(name = "restAccessDeniedHandler")
        private RestAccessDeniedHandler restAccessDeniedHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityXAuthConfigurerAdapter =
                new XAuthTokenConfigurer(userDetailsServiceBean());
            // @formatter:off
            http
                .antMatcher("/api/**").csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint(restUnauthorizedEntryPoint)
                    .accessDeniedHandler(restAccessDeniedHandler)
                .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.POST, "/api/authenticate").permitAll()
                    .anyRequest().hasRole("ADMIN")
                .and()
                .apply(securityXAuthConfigurerAdapter);
            // @formatter:on
        }
    }

    // Catch-all chain for the browser-facing web application, evaluated second
    @Configuration
    @Order(2)
    public static class WebConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
            // @formatter:on
        }
    }
}