Spring Security : Multiple HTTP Config not working

by

Look at the Spring Security Reference:

@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) { 1
      auth
          .inMemoryAuthentication()
              .withUser("user").password("password").roles("USER").and()
              .withUser("admin").password("password").roles("USER", "ADMIN");
  }

  @Configuration
  @Order(1)                                                        2
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
      protected void configure(HttpSecurity http) throws Exception {
          http
              .antMatcher("/api/**")                               3
              .authorizeRequests()
                  .anyRequest().hasRole("ADMIN")
                  .and()
              .httpBasic();
      }
  }    

  @Configuration                                                   4
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
              .formLogin();
      }
  }
}

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/**, all other URLs are permitted by default.

More Related Contents:

  1. How to apply Spring Security filter only on secured endpoints?
  2. Filter invoke twice when register as Spring bean
  3. How to get active user’s UserDetails
  4. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  5. How to disable spring security for particular url
  6. Difference between Role and GrantedAuthority in Spring Security
  7. Disable Spring Security for OPTIONS Http Method
  8. How to enable HTTP response caching in Spring Boot
  9. RESTful Authentication via Spring
  10. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  11. How to get the current logged in user object from spring security?
  12. Spring webSecurity.ignoring() doesn’t ignore custom filter
  13. Unit testing with Spring Security
  14. Spring security does not allow CSS or JS resources to be loaded
  15. how to display custom error message in jsp for spring security auth exception
  16. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  17. Spring Security, secured and none secured access
  18. JAAS for human beings
  19. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  20. Spring security added prefix “ROLE_” to all roles name?
  21. Why this Spring application with java-based configuration don’t work properly
  22. Spring REST security – Secure different URLs differently
  23. Custom Authentication Manager with Spring Security and Java Configuration
  24. @RequestBody and @ResponseBody annotations in Spring
  25. Multipart File Upload Using Spring Rest Template + Spring Web MVC
  26. How to bind an object list with thymeleaf?
  27. How to convert a multipart file to File?
  28. how to get param in method post spring mvc?
  29. Spring MVC 4: “application/json” Content Type is not being set correctly
  30. Trigger 404 in Spring-MVC controller?

Leave a Comment