Combining basic authentication and form login for the same REST Api
You can achieve this easily by using multiple http
configuration as below, this code only explains multiple http configuration. I am assuming that you are well aware of the other essential configurations related to spring security e.g authenticationManger etc.
@EnableWebSecurity public class MultiHttpSecurityCustomConfig { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.inMemoryAuthentication().withUser("user").password("password").roles("USER").and().withUser("admin").password("password") .roles("USER", "ADMIN"); } @Configuration @Order(1) public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/api/**").authorizeRequests().anyRequest().hasRole("ADMIN").and().httpBasic(); } } @Configuration public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().anyRequest().authenticated().and().formLogin(); } }}
Please refer spring security official link: Multiple HttpSecurity
I will also reccomend you to check out Secure REST Services with Spring Security
Feel free to comment if you encounter any problem!
I found out that the previous code snippet is not working in Spring Security 5 because of an issue in the CSRF filter in the Basic authentication filter chain. It is possible to make it work by disabling CSRF for Basic auth.
BTW the override of Basic auth by Form auth is because redirection to /error page which is caused by this CSRF filter issue.
@Configuration @Order(1) public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/api/**") .authorizeRequests() .anyRequest() .hasRole("ADMIN") .and() .httpBasic() .csrf().disable(); } }
One might try with the only ConfigurationAdapter class rather than two, e.g.:
@Overrideprotected void configure(HttpSecurity http) throws Exception { http .cors() .and() .csrf() .disable() .httpBasic() .and() .authorizeRequests() .antMatchers("/login/**").permitAll() .anyRequest().authenticated() .and() .formLogin() ;}