Your `WebSecurityConfigurerAdapter`s will process the incoming requests in order. Since `JWTSecurityConfig` is annotated with `@Order(1)`, it will process the requests first.

You have not specified an `antMatcher` for this Adapter, so it will match all requests. This means that a request will never reach `FormLoginConfigurationAdapter`, since `JWTSecurityConfig` matches them all.

If you want `JWTSecurityConfig` to only apply to certain requests, you can specify an `antMatcher` in your security configuration.

Below is an example:
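```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class SecurityConfigurations {

    // Nested @Configuration classes are declared static so Spring can instantiate them on their own.
    @Configuration
    @Order(1)
    public static class JWTSecurityConfig extends WebSecurityConfigurerAdapter {

        // jwtRequestFilter is the application's own JWT filter, injected as a field of this
        // class; its declaration is not shown here.

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers(matchers -> matchers
                    .antMatchers("/api/**") // apply JWTSecurityConfig to requests matching "/api/**"
                )
                .authorizeRequests(authz -> authz
                    .anyRequest().authenticated()
                )
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    // No @Order and no request matcher: evaluated after JWTSecurityConfig,
    // so it handles every request that does not match "/api/**".
    @Configuration
    public static class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(authz -> authz
                    .anyRequest().authenticated()
                )
                .formLogin();
        }
    }
}
```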
For more details on multiple `WebSecurityConfigurerAdapter`, you can see the multiple `HttpSecurity` section in the Spring Security reference docs.

For more details on the difference between `authorizeRequests()` and `requestMatchers()`, you can see this Stack Overflow question.
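The ordering rule described in the answer above, as an added example that is not part of the original answer and is not Spring code: a plain-Java model of first-match chain selection that also lists chains made unreachable by an earlier catch-all. The `Chain` record, `select`, `shadowed`, the simplified `/prefix/**` matching and the sample paths are assumptions made for illustration; 100 is the default order of a `WebSecurityConfigurerAdapter` without `@Order`.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

// Simplified model (assumption) of how one security filter chain is picked per request.
public class ChainOrderDemo {
    // order mirrors @Order; pattern is "/**" (no antMatcher given) or "/prefix/**".
    record Chain(String name, int order, String pattern) {
        boolean matches(String path) {
            if (pattern.equals("/**")) return true; // matches every request
            String prefix = pattern.substring(0, pattern.length() - 3); // strip "/**"
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
    }

    // The first chain, in ascending order, whose matcher accepts the path handles the request.
    static String select(List<Chain> chains, String path) {
        return chains.stream()
                .sorted(Comparator.comparingInt(Chain::order))
                .filter(c -> c.matches(path))
                .map(Chain::name)
                .findFirst().orElse("none");
    }

    // Chains that can never be selected because an earlier chain matches everything.
    static List<String> shadowed(List<Chain> chains) {
        List<Chain> sorted = new ArrayList<>(chains);
        sorted.sort(Comparator.comparingInt(Chain::order));
        List<String> unreachable = new ArrayList<>();
        boolean catchAllSeen = false;
        for (Chain c : sorted) {
            if (catchAllSeen) unreachable.add(c.name());
            if (c.pattern().equals("/**")) catchAllSeen = true;
        }
        return unreachable;
    }

    public static void main(String[] args) {
        List<Chain> before = List.of(new Chain("JWTSecurityConfig", 1, "/**"),
                new Chain("FormLoginConfigurationAdapter", 100, "/**"));
        List<Chain> after = List.of(new Chain("JWTSecurityConfig", 1, "/api/**"),
                new Chain("FormLoginConfigurationAdapter", 100, "/**"));
        for (String path : List.of("/api/users", "/login")) { // constructed sample paths
            System.out.println(path + " -> before: " + select(before, path)
                    + ", after: " + select(after, path));
        }
        System.out.println("unreachable before: " + shadowed(before));
        System.out.println("unreachable after:  " + shadowed(after));
    }
}
```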