Multiple WebSecurityConfigurerAdapters: JWT authentication and form login in spring security

by

Your WebSecurityConfigurerAdapters will process the incoming requests in order.
Since JWTSecurityConfig is annotated with @Order(1) it will process the requests first.

You have not specified a antMatcher for this Adapter, so it will match all requests.
This means that a request will never reach FormLoginConfigurationAdapter, since JWTSecurityConfig matches them all.

If you want JWTSecurityConfig to only apply to certain requests, you can specify an antMatcher in your security configuration.
Below is an example:

@EnableWebSecurity
public class SecurityConfigurations {

    @Configuration
    @Order(1)
    public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
           http
              .requestMatchers(matchers -> matchers
                  .antMatchers("/api/**") // apply JWTSecurityConfig to requests matching "/api/**"
              )
              .authorizeRequests(authz -> authz
                  .anyRequest().authenticated()
              )
              .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    @Configuration
    public class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
           http
              .authorizeRequests(authz -> authz
                  .anyRequest().authenticated()
              )
              .formLogin();
        }
    }
}

For more details on multiple WebSecurityConfigurerAdapter, you can see the multiple HttpSecurity section in the Spring Security reference docs.

For more details on the difference between authorizeRequests() and requestMatchers(), you can see this Stack Overflow question.

More Related Contents:

  1. Configuring Spring Security 3.x to have multiple entry points
  2. How to manually set an authenticated user in Spring Security / SpringMVC
  3. Customize authentication failure response in Spring Security using AuthenticationFailureHandler
  4. Java: Login to url and download file [closed]
  5. How to implement REST token-based authentication with JAX-RS and Jersey
  6. Spring Security : Multiple HTTP Config not working
  7. Filter invoke twice when register as Spring bean
  8. Spring security CORS Filter
  9. How to create custom methods for use in spring security expression language annotations
  10. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  11. cURL equivalent in JAVA
  12. Spring Boot 2.0.x disable security for certain profile
  13. Authenticating against Active Directory with Java on Linux
  14. How to disable spring security for particular url
  15. Difference between Role and GrantedAuthority in Spring Security
  16. java.io.IOException : No authentication challenges found
  17. RESTful Authentication via Spring
  18. 401 instead of 403 with Spring Boot 2
  19. How to redirect to the homepage if the user accesses the login page after being logged in?
  20. Spring webSecurity.ignoring() doesn’t ignore custom filter
  21. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  22. Unit testing with Spring Security
  23. How to handle authentication popup in Chrome with Selenium WebDriver using Java
  24. Spring Security, secured and none secured access
  25. Is there a way to redirect to another Action class without using on struts.xml
  26. How to handle HTTP authentication using HttpURLConnection?
  27. How to use new PasswordEncoder from Spring Security
  28. Single role multiple IP addresses in Spring Security configuration
  29. Disabling a filter for only a few paths
  30. Cross-Origin Resource Sharing with Spring Security

Leave a Comment