Spring Security : Multiple HTTP Config not working Spring Security : Multiple HTTP Config not working spring spring

Spring Security : Multiple HTTP Config not working


java spring security spring-mvc spring-security

Look at the Spring Security Reference:

@EnableWebSecuritypublic class MultiHttpSecurityConfig {  @Autowired  public void configureGlobal(AuthenticationManagerBuilder auth) { 1      auth          .inMemoryAuthentication()              .withUser("user").password("password").roles("USER").and()              .withUser("admin").password("password").roles("USER", "ADMIN");  }  @Configuration  @Order(1)                                                        2  public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {      protected void configure(HttpSecurity http) throws Exception {          http              .antMatcher("/api/**")                               3              .authorizeRequests()                  .anyRequest().hasRole("ADMIN")                  .and()              .httpBasic();      }  }      @Configuration                                                   4  public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {      @Override      protected void configure(HttpSecurity http) throws Exception {          http              .authorizeRequests()                  .anyRequest().authenticated()                  .and()              .formLogin();      }  }}

1 Configure Authentication as normal

2 Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

3 The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

4 Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/**, all other URLs are permitted by default.

java spring security spring-mvc spring-security

Your first WebSecurityConfigurerAdapter's 

http            .authorizeRequests()

matches all the URLs, limit it to only URLs start with /admin by using antMatcher:

@Configuration@Order(1)public static class ProviderSecurity extends WebSecurityConfigurerAdapter{    @Override    protected void configure(HttpSecurity http) throws Exception {        http            .antMatcher("/admin/**")                .authorizeRequests()                .antMatchers("/admin/login").permitAll()                .antMatchers("/admin/**").access("hasRole('BASE_USER')")                .and()                ...

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last