 

Combine Spring HTTP Basic Authentication and Access Token

How can I combine Spring HTTP Basic Authentication and an access token so that both work simultaneously? In my case only the configuration with Order(1) works.

I want all `/api/**` paths to be accessible only to users with a token, and all `/web/**` paths only to logged-in users.

WebSecurityConfig.java

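@Configuration
@EnableWebMvcSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Form-login filter chain for the browser-facing part of the application.
     *
     * <p>This chain is {@code @Order(1)}, so it is consulted before the resource
     * server chain. Without {@code requestMatchers()} it matches every request,
     * including {@code /api/**}, so the resource server chain is never reached and
     * the API is served without any token check. The matcher list therefore pins
     * the chain to the web paths plus the login/logout URLs: the form-login and
     * logout filters live in this chain and only see requests it matches.
     *
     * @param http builder for this filter chain
     * @throws Exception propagated from the Spring Security DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Only these paths are handled here; anything else falls through to the next chain.
            .requestMatchers().antMatchers("/web/**", "/gopr", "/login", "/logout")
            .and()
            .authorizeRequests().antMatchers("/web/**", "/gopr").authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
                .defaultSuccessUrl("/gopr", true)
            .and()
            .logout().logoutSuccessUrl("/login").permitAll();
    }

    /**
     * Registers the application's {@link UserDetailsService} with the global
     * {@link AuthenticationManagerBuilder} so form login resolves users against it.
     *
     * @param auth the global authentication manager builder
     * @throws Exception propagated from the Spring Security DSL
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }
}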

Application.java

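@SpringBootApplication
// NOTE(review): @EnableResourceServer also appears on the nested ResourceServer class;
// one occurrence is enough.
@EnableResourceServer
// NOTE(review): @Order on the application class does not order a security filter chain
// (this class is not a security configurer) — confirm it is intended.
@Order(2)
public class Application {

    /** Boots the Spring application context. */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    /** Authorization server that issues tokens for a single in-memory client. */
    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        /**
         * Hands the authentication manager to the token endpoints; the password grant
         * registered below needs it to verify user credentials.
         */
        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        /**
         * Registers the single demo client. The client secret, grant types and scopes
         * are literals in source; outside a demo, load the secret from externalised
         * configuration and enable only the grant types the client actually uses.
         */
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients.inMemory()
                .withClient("my-trusted-client")
                    .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit", "client_credentials")
                    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
                    .scopes("read", "write", "trust")
                    .resourceIds("oauth2-resource")
                    .secret("password")
                    .accessTokenValiditySeconds(600);
            // @formatter:on
        }
    }

    /**
     * Token-protected filter chain for the API.
     *
     * <p>{@code requestMatchers()} restricts this chain to {@code /api/**}. Without it
     * the chain matches every request, and because the form-login chain is
     * {@code @Order(1)} (and this one presumably ordered after it — verify for your
     * Boot version), it would never be selected for paths that chain also matches.
     */
    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        /**
         * Every request under {@code /api/**} must be authenticated by this chain's
         * token filter; other paths are not handled here at all.
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/api/**")
                .and()
                .authorizeRequests().antMatchers("/api/**").authenticated();
        }
    }
}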



Always use `requestMatchers()` when creating security filter chains. Otherwise, when multiple filter chains are created, the first chain matches every request and the remaining chains are never used.

Modify your WebSecurityConfig.java as follows:

    @Configuration
    @EnableWebMvcSecurity
    @Order(1)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
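        /**
         * Restricts this chain to the web paths so the resource server chain can
         * handle {@code /api/**}. The login and logout URLs are included because the
         * form-login and logout filters belong to this chain and only see requests
         * it matches; leaving them out would break the POST to {@code /login}.
         *
         * @param http builder for this filter chain
         * @throws Exception propagated from the Spring Security DSL
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers().antMatchers("/web/**", "/gopr", "/login", "/logout")
                .and()
                // The original had a stray '.' after authenticated(), which does not compile.
                .authorizeRequests().antMatchers("/web/**", "/gopr").authenticated()
                .and()
                    .formLogin().loginPage("/login").permitAll()
                    .defaultSuccessUrl("/gopr", true)
                .and()
                .logout().logoutSuccessUrl("/login").permitAll();
        }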
      ...
    }

and your ResourceServer inner class as follows:

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends
            ResourceServerConfigurerAdapter {

        ...
        /**
         * Token-protected chain for the API: {@code requestMatchers()} limits the
         * chain to {@code /api/**}, and within it every request must be
         * authenticated by the resource server's token filter.
         *
         * @param http builder for this filter chain
         * @throws Exception propagated from the Spring Security DSL
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Same DSL as the chained form; each call returns to the builder.
            http.requestMatchers().antMatchers("/api/**");
            http.authorizeRequests().antMatchers("/api/**").authenticated();
        }


    }

Reference : https://github.com/royclarkson/spring-rest-service-oauth/issues/11
