Spring Security multiple url ruleset not working together

by

You override your previous matchers, see HttpSecurity.html#antMatcher:

Invoking antMatcher(String) will override previous invocations of mvcMatcher(String)}, requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

and HttpSecurity.html#regexMatcher:

Invoking regexMatcher(String) will override previous invocations of mvcMatcher(String)}, requestMatchers(), antMatcher(String), regexMatcher(String), and requestMatcher(RequestMatcher).

If you want more than one configuration of HttpSecurity, see Spring Security Reference:

We can configure multiple HttpSecurity instances just as we can have multiple <http> blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

@EnableWebSecurity
public class MultiHttpSecurityConfig {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) { 1
      auth
          .inMemoryAuthentication()
              .withUser("user").password("password").roles("USER").and()
              .withUser("admin").password("password").roles("USER", "ADMIN");
  }

  @Configuration
  @Order(1)                                                        2
  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
      protected void configure(HttpSecurity http) throws Exception {
          http
              .antMatcher("/api/**")                               3
              .authorizeRequests()
                  .anyRequest().hasRole("ADMIN")
                  .and()
              .httpBasic();
      }
  }

  @Configuration                                                   4
  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .anyRequest().authenticated()
                  .and()
              .formLogin();
      }
  }
}

More Related Contents:

  1. Spring Security : Multiple HTTP Config not working
  2. Filter invoke twice when register as Spring bean
  3. Spring security CORS Filter
  4. How to create custom methods for use in spring security expression language annotations
  5. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  6. Configuring Spring Security 3.x to have multiple entry points
  7. How to disable spring security for particular url
  8. Difference between Role and GrantedAuthority in Spring Security
  9. Disable Spring Security for OPTIONS Http Method
  10. How to disable ‘X-Frame-Options’ response header in Spring Security?
  11. How to enable HTTP response caching in Spring Boot
  12. RESTful Authentication via Spring
  13. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  14. Spring webSecurity.ignoring() doesn’t ignore custom filter
  15. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  16. Customize authentication failure response in Spring Security using AuthenticationFailureHandler
  17. Unit testing with Spring Security
  18. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  19. Spring Security, secured and none secured access
  20. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  21. How to apply Spring Security filter only on secured endpoints?
  22. JAAS for human beings
  23. How to use new PasswordEncoder from Spring Security
  24. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  25. How to reload authorities on user update with Spring Security
  26. How do I disable resolving login parameters passed as url parameters / from the url
  27. How do I add method based security to a Spring Boot project?
  28. Disabling a filter for only a few paths
  29. How to secure REST API with Spring Boot and Spring Security?
  30. Why BCryptPasswordEncoder from Spring generate different outputs for same input?

Leave a Comment