Problem with configuring multiple HttpSecurity instances [duplicate]

I have a problem with configuring multiple HttpSecurity instances.
I have some API routes that are protected with JWT tokens.

I want my swagger-ui/index.html route to be protected with basic auth.
I want those API routes to still be protected with JWT token even after user is authenticated with basic auth.

I followed this documentation to create multiple SecurityFilterChains.

My problem is that whichever FilterChain has @Order(1) works and the other FilterChain is completely ignored.
(If filterChain has order 1, the routes for products and orders are protected, but swagger-ui/index.html is not protected with basic auth.)

Here is my implementation.

// Chain 1: no requestMatchers()/antMatcher() is set, so this chain is applied to every request.
@Bean
@Order(1)
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    http
        .authenticationProvider(authenticationProvider());
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
        .cors()
            .and()
        .csrf().disable();
    http
        .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/api/products").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/api/orders").hasRole("ADMIN")
            .antMatchers("/api/**").permitAll();
    http
        .addFilter(new JWTAuthenticationFilter(secret, authenticationManager(authConfig)));
    http
        .addFilterBefore(new JWTAuthorizationFilter(secret), UsernamePasswordAuthenticationFilter.class);

    return http.build();
}

// Chain 2: requestMatchers() is called without any patterns, so the chain is never narrowed
// to the Swagger URLs; the antMatchers() below only set authorization rules, not which
// requests this chain handles.
@Bean
public SecurityFilterChain swaggerFilterChain(HttpSecurity http) throws Exception {

    http
        .authenticationProvider(authenticationProvider());
    http
        .requestMatchers()
            .and()
        .authorizeRequests()
            .antMatchers("/swagger-ui/index.html","/v3/api-docs/","/v3/api-docs")
            .authenticated()
            .and()
        .httpBasic();

    return http.build();
}
sasko asked Oct 25 '25 10:10



1 Answer

You should use one of the following methods of HttpSecurity in at least one of your filter chains:
antMatcher(String), mvcMatcher(String), regexMatcher(String), requestMatcher(RequestMatcher), requestMatchers().
This will help you to configure a certain HttpSecurity to only be invoked when matching the provided patterns.

You've used the last method in the second filter, but did not provide any matchers to the configurer.
So, try to rewrite your second filterChain like this:

@Bean
public SecurityFilterChain swaggerFilterChain(HttpSecurity http) throws Exception {

    http
            .requestMatchers().antMatchers("/swagger-ui/index.html","/v3/api-docs/","/v3/api-docs")
            .and()
            .authenticationProvider(authenticationProvider())
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();

    return http.build();
}

Also mind that your swaggerFilterChain might be invoked first if you don't want to hardcode all other endpoints' URLs in the other filter chain - if a request matches a filter with first order it will be the only filter to be applied, so others will be ignored.
So you also need to change the order - place @Order(1) on your swaggerFilterChain and remove this annotation from the other filter chain.

Andrei Titov answered Oct 26 '25 23:10

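A complete two-chain configuration that applies the answer above (the Swagger chain narrowed with requestMatchers() and given @Order(1), the JWT chain as the @Order(2) catch-all), added here as an example; it is not code from the question or the answer. It assumes Spring Security 5.x (the antMatchers()/requestMatchers() API used on this page), the asker's JWTAuthenticationFilter and JWTAuthorizationFilter constructors, an AuthenticationProvider bean in place of the asker's authenticationProvider() method, and a hypothetical app.jwt.secret property; it also widens the Swagger patterns to /swagger-ui/** and /v3/api-docs/** so the UI's static assets and docs JSON are covered, not only index.html.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
public class SecurityConfig {
    // Assumed: the JWT secret (hypothetical property) and the provider both chains share.
    private final String secret;
    private final AuthenticationProvider authenticationProvider;
    private final AuthenticationConfiguration authConfig;
    public SecurityConfig(@Value("${app.jwt.secret}") String secret,
                          AuthenticationProvider authenticationProvider,
                          AuthenticationConfiguration authConfig) {
        this.secret = secret;
        this.authenticationProvider = authenticationProvider;
        this.authConfig = authConfig;
    }
    // Checked first, but only for the Swagger URLs; any other request falls through to the API chain.
    @Bean @Order(1)
    public SecurityFilterChain swaggerFilterChain(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers("/swagger-ui/**", "/v3/api-docs/**").and()
            .authenticationProvider(authenticationProvider)
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic();
        return http.build();
    }
    // Catch-all for everything else: stateless and JWT-protected, as in the question.
    @Bean @Order(2)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.authenticationProvider(authenticationProvider)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .cors().and().csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/products").hasRole("ADMIN")
                .antMatchers(HttpMethod.PUT, "/api/orders").hasRole("ADMIN")
                .antMatchers("/api/**").permitAll().and()
            // Assumed constructors from the question; the manager comes from AuthenticationConfiguration.
            .addFilter(new JWTAuthenticationFilter(secret, authConfig.getAuthenticationManager()))
            .addFilterBefore(new JWTAuthorizationFilter(secret), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Because the Swagger chain only claims the two patterns it lists, a request to /api/products never reaches it and is still checked by the JWT chain even after the user has authenticated with basic auth for the UI.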


