Combining basic authentication and form login for the same REST Api


You can achieve this easily by using multiple http configurations as below; this code only explains the multiple http configuration. I am assuming that you are well aware of the other essential configurations related to Spring Security, e.g. authenticationManager etc.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class MultiHttpSecurityCustomConfig {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // Shared in-memory user store used by both filter chains below.
            // On Spring Security 5+ the passwords need a "{noop}" prefix (or a real PasswordEncoder).
            auth.inMemoryAuthentication()
                .withUser("user").password("password").roles("USER")
                .and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
        }

        // Ordered first: only requests under /api/** reach this chain, and they use HTTP Basic.
        @Configuration
        @Order(1)
        public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/api/**")
                    .authorizeRequests().anyRequest().hasRole("ADMIN")
                    .and()
                    .httpBasic();
            }
        }

        // Default (lowest) order: every other request falls through to this chain and gets form login.
        @Configuration
        public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests().anyRequest().authenticated()
                    .and()
                    .formLogin();
            }
        }
    }

Please refer to the official Spring Security documentation: Multiple HttpSecurity

I would also recommend that you check out Secure REST Services with Spring Security

Feel free to comment if you encounter any problems!


I found out that the previous code snippet is not working in Spring Security 5 because of an issue in the CSRF filter in the Basic authentication filter chain. It is possible to make it work by disabling CSRF for Basic auth.

BTW, the override of Basic auth by Form auth happens because of the redirection to the /error page, which is caused by this CSRF filter issue.

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic()
                    // .and() returns to HttpSecurity; csrf() is not available on the httpBasic() configurer
                    .and()
                // CSRF is disabled only for this /api/** chain; the form-login chain keeps it
                .csrf().disable();
        }
    }
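A way to verify that the two chains really behave as the answers above describe, as an added MockMvc test that is not part of either answer. It assumes the MultiHttpSecurityCustomConfig class from the first answer is on the classpath (with "{noop}" password prefixes on Spring Security 5+), and the nested WebConfig/PingController classes are hypothetical so that /api/ping and /home exist.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.*;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@ExtendWith(SpringExtension.class)
@WebAppConfiguration
@ContextConfiguration(classes = {MultiHttpSecurityCustomConfig.class, MultiChainTest.WebConfig.class})
class MultiChainTest {
    // Hypothetical MVC config and controller so that /api/ping and /home actually exist.
    @Configuration @EnableWebMvc
    static class WebConfig { @Bean PingController ping() { return new PingController(); } }
    @RestController
    static class PingController { @RequestMapping({"/api/ping", "/home"}) String ok() { return "ok"; } }
    @Autowired WebApplicationContext ctx;
    MockMvc mvc;
    @BeforeEach void setUp() { mvc = MockMvcBuilders.webAppContextSetup(ctx).apply(springSecurity()).build(); }

    @Test void apiChainChallengesWithBasicAndEnforcesAdminRole() throws Exception {
        // Anonymous request to the /api chain: 401 with a Basic challenge, no redirect to a login page.
        mvc.perform(get("/api/ping")).andExpect(status().isUnauthorized())
           .andExpect(header().string("WWW-Authenticate", Matchers.startsWith("Basic")));
        mvc.perform(get("/api/ping").with(httpBasic("admin", "password"))).andExpect(status().isOk());
        mvc.perform(get("/api/ping").with(httpBasic("user", "password"))).andExpect(status().isForbidden());
    }
    @Test void everythingElseGoesToFormLogin() throws Exception {
        mvc.perform(get("/home")).andExpect(status().is3xxRedirection()).andExpect(redirectedUrlPattern("**/login"));
    }
    @Test void csrfStillGuardsTheApiChainUnlessDisabled() throws Exception {
        // Holds for the first answer's config; after .csrf().disable() (second answer) expect 200 here instead.
        mvc.perform(post("/api/ping").with(httpBasic("admin", "password"))).andExpect(status().isForbidden());
    }
}
```

The last test makes the CSRF point of the second answer observable: a valid Basic-authenticated POST is still rejected while the /api chain keeps CSRF on.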


One might try with only one ConfigurerAdapter class rather than two, e.g.:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // Class name chosen here for completeness; the answer only shows the configure() method.
    @Configuration
    @EnableWebSecurity
    public class SingleChainSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .cors()
                    .and()
                // CSRF is disabled for the whole single chain here, including the form-login pages.
                .csrf()
                    .disable()
                .httpBasic()
                    .and()
                .authorizeRequests()
                    .antMatchers("/login/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }

Ref.: https://medium.com/@haytambenayed/basic-authentication-and-form-based-authentication-using-spring-security-ed79951dbb2e