Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to add a filter only for one special path WebSecurityConfigurerAdapter

We have a configuration which looks like this:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String LOGIN_PATH_EXPRESSION = "/login";
    public static final String API_PATH_EXPRESSION = "/api/**/*";
    public static final String GLOBAL_PATH_EXPRESSION = "/**/*";

    @Autowired
    @Qualifier("ssoFilter")
    private Filter ssoFilter;

    @Autowired
    private VerifyingProcessingFilter verifyingProcessingFilter;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .userDetailsService(username -> new User(username, "", Collections.emptyList()))
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(LOGIN_PATH_EXPRESSION)
                .authenticated()
                .and()
                .httpBasic()
                .and()
                .authenticationProvider(new SimpleAuthenticationProvider())
            .authorizeRequests()
                .antMatchers(API_PATH_EXPRESSION).authenticated()
                .and()
                .addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
            .authorizeRequests()
                .antMatchers(GLOBAL_PATH_EXPRESSION)
                .permitAll()
                .and()
                .csrf()
                .disable();
    }

And recognized that we end inside of the FilteredOAuth2AuthenticationProcessingFilter within a /logincall and asked ourself why this is happening.

The goal is to have the ssoFilter and the verifyingProcessingFilter only applied when hitting an endpoint with the path api/**/*.

Right now we have to add a AntMatching check inside of the filter so it is only applied to the right request but i assume it should be possible to add it only to the matching requests.

Could someone provide an example on how to add a Filter to one specific Ant Matching path request?

like image 436
BennX Avatar asked Aug 22 '17 14:08

BennX


People also ask

How do I register a custom filter in spring boot?

There are three ways to add your filter, Annotate your filter with one of the Spring stereotypes such as @Component. Register a @Bean with Filter type in Spring @Configuration. Register a @Bean with FilterRegistrationBean type in Spring @Configuration.

Is WebSecurityConfigurerAdapter deprecated?

From Spring Boot 2.7, WebSecurityConfigurerAdapter is deprecated.

How do you add a filter before Spring Security?

There are a couple of possible methods: addFilterBefore(filter, class) adds a filter before the position of the specified filter class. addFilterAfter(filter, class) adds a filter after the position of the specified filter class. addFilterAt(filter, class) adds a filter at the location of the specified filter class.


1 Answers

Looks like you can't do that with a single Configuration class. Take a look at this question: How to apply spring security filter only on secured endpoints?.

In this case, I think the better solution is to configure multiple HttpSecurity. From Spring IO documentation:

We can configure multiple HttpSecurity instances just as we can have multiple blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

The documentation has a full example with the necessary steps to accomplish this:

  1. Configure Authentication as normal
  2. Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.
  3. The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/
  4. Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Good luck!

like image 121
jfneis Avatar answered Oct 22 '22 23:10

jfneis