I am trying to set up multiple security configurations that use different SecurityApiKeyFilter classes based on the pathMatchers; for now I only have 2. One works for all URLs and one works only on a URL that contains admin. Initially, you are set as a guest and after that we try to authorize you based on the ApiKey. However, I am not really able to get it to reach the 2nd SecurityWebFilterChain configuration, even though the pathMatcher is set as shown below.
```java
@Bean
@Order(1)
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                     ClientService clientService) {
    SecurityWebFilterChain filterChain = http.authorizeExchange()
            .pathMatchers(HttpMethod.GET, "/").permitAll()
            .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .pathMatchers("/**").permitAll()
            .anyExchange().authenticated().and()
            .anonymous().principal("guest").and()
            .addFilterBefore(new SecurityApiKeyFilter(clientService),
                             SecurityWebFiltersOrder.AUTHENTICATION)
            .oauth2ResourceServer().jwt()
            .jwtDecoder(new NimbusReactiveJwtDecoder("/.well-known/jwks.json"))
            .and()
            .and().build();
    return filterChain;
}

@Bean
@Order(2)
public SecurityWebFilterChain sdkJsWebFilterChain(ServerHttpSecurity http,
                                                  ClientService clientService) {
    SecurityWebFilterChain filterChain = http.authorizeExchange()
            .pathMatchers(HttpMethod.OPTIONS, "**/admin/**").permitAll()
            .pathMatchers("**/admin/**").permitAll()
            .anyExchange().authenticated().and()
            .anonymous().principal("guest").and()
            .addFilterBefore(new Admin.SecurityApiKeyFilter(clientService),
                             SecurityWebFiltersOrder.AUTHENTICATION)
            .oauth2ResourceServer().jwt()
            .jwtDecoder(new NimbusReactiveJwtDecoder("/.well-known/jwks.json"))
            .and()
            .and().build();
    return filterChain;
}
```
Thanks.
I guess it is the same behaviour for reactive applications as for servlet applications.
Your second security filter chain is not executed, because only the first matching security filter chain will be invoked, see 9.4. SecurityFilterChain:
9.4. SecurityFilterChain
[...]
In fact, FilterChainProxy can be used to determine which SecurityFilterChain should be used. This allows providing a totally separate configuration for different slices of your application.
In the Multiple SecurityFilterChain Figure, FilterChainProxy decides which SecurityFilterChain should be used. Only the first SecurityFilterChain that matches will be invoked. If a URL of /api/messages/ is requested, it will first match on SecurityFilterChain0's pattern of /api/**, so only SecurityFilterChain0 will be invoked even though it also matches on SecurityFilterChainn. If a URL of /messages/ is requested, it will not match on SecurityFilterChain0's pattern of /api/**, so FilterChainProxy will continue trying each SecurityFilterChain. Assuming that no other SecurityFilterChain instances match, SecurityFilterChainn will be invoked.
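The reactive stack behaves the same way: WebFilterChainProxy walks the SecurityWebFilterChain beans in @Order sequence and hands the exchange to the first one whose matcher accepts it. A chain built without ServerHttpSecurity.securityMatcher(...) matches every exchange, so in the question the @Order(1) chain swallows /admin requests and the admin chain is dead configuration; the admin paths end up protected only by whatever the catch-all chain does. The configuration below is an added example (not code from the question or the answer) showing the fix: give the narrow chain an explicit securityMatcher and the lower order number, and let the unrestricted chain come last. It assumes the asker's own SecurityApiKeyFilter, Admin.SecurityApiKeyFilter (both WebFilter implementations) and ClientService are on the classpath in the same package, and it uses a placeholder JWKS URL because NimbusReactiveJwtDecoder needs an absolute URL, not the relative path from the question. The catch-all chain also drops the original's `/**` permitAll rule: authorization rules are evaluated in order, so that rule made the following anyExchange().authenticated() unreachable.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class MultiChainSecurityConfig {

    // Placeholder (assumption): the issuer's JWK Set endpoint. Must be an absolute URL.
    private static final String JWKS_URI = "https://issuer.example/.well-known/jwks.json";

    /**
     * Chain 1: consulted first because of @Order(1), but only claims exchanges whose
     * path starts with /admin. Everything else falls through to the next chain.
     */
    @Bean
    @Order(1)
    public SecurityWebFilterChain adminWebFilterChain(ServerHttpSecurity http,
                                                      ClientService clientService) {
        return http
                // Without this matcher the chain would match every exchange,
                // and no later chain could ever be reached.
                .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/admin/**"))
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers(HttpMethod.OPTIONS, "/admin/**").permitAll() // CORS preflight
                        .anyExchange().authenticated())
                .anonymous(anonymous -> anonymous.principal("guest"))
                // Asker's admin API-key filter (assumed WebFilter), run before the
                // built-in authentication filters so it can populate the context.
                .addFilterBefore(new Admin.SecurityApiKeyFilter(clientService),
                                 SecurityWebFiltersOrder.AUTHENTICATION)
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.jwtDecoder(new NimbusReactiveJwtDecoder(JWKS_URI))))
                .build();
    }

    /**
     * Chain 2: no securityMatcher, so it accepts whatever chain 1 declined.
     * Because it is @Order(2) it never sees /admin traffic.
     */
    @Bean
    @Order(2)
    public SecurityWebFilterChain defaultWebFilterChain(ServerHttpSecurity http,
                                                        ClientService clientService) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers(HttpMethod.GET, "/").permitAll()
                        .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                        .anyExchange().authenticated())
                .anonymous(anonymous -> anonymous.principal("guest"))
                // Asker's general API-key filter (assumed WebFilter).
                .addFilterBefore(new SecurityApiKeyFilter(clientService),
                                 SecurityWebFiltersOrder.AUTHENTICATION)
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.jwtDecoder(new NimbusReactiveJwtDecoder(JWKS_URI))))
                .build();
    }
}
```

Two things worth checking after applying this. First, WebFlux matches paths with PathPatternParser, where `**` is only supported as the trailing segment and patterns start with `/`, so the admin chain uses `/admin/**` rather than the `**/admin/**` from the question. Second, confirm the routing empirically rather than by reading the config: an unauthenticated request to `/admin/anything` should now get a 401 from the admin chain, and a request to `/` should still be allowed by the default chain. ServerHttpSecurity is registered as a prototype-scoped bean by @EnableWebFluxSecurity, so each @Bean method above receives its own builder and the two chains do not share state.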