I am trying to use Spring Security and I have a use case where I want different login pages and different set of URLs to be secured.
Here is my configuration:
```java
// Both classes are static inner classes of MultipleHttpSecurityConfig,
// which carries @EnableWebSecurity.
@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            .formLogin()
                .loginPage("/admin/login").permitAll()
                .defaultSuccessUrl("/admin/home")
                .failureUrl("/admin/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}

@Configuration
@Order(2)
public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/consumer/login").permitAll()
                .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/consumer/login").permitAll()
                .defaultSuccessUrl("/consumer/home")
                .failureUrl("/consumer/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}
```
These classes are inner classes of another class, MultipleHttpSecurityConfig, that has the annotation @EnableWebSecurity.
The security for admin/** is working fine, but none of the consumer/** pages are secured; no redirection to the login page is happening. I've searched for other answers but none worked.
When using Java configuration, the way to define multiple security realms is to have multiple @Configuration classes that extend the WebSecurityConfigurerAdapter base class – each with its own security configuration. These classes can be static and placed inside the main config.
The type WebSecurityConfigurerAdapter is deprecated.
Well, it's because the developers of the Spring Framework encourage users to move towards a component-based security configuration.
@EnableWebSecurity automatically enables the web security defined by WebSecurityConfigurerAdapter. To override the web security defined by WebSecurityConfigurerAdapter in our Java configuration class, we need to extend this class and override its methods.
Look at the Spring Security Reference:
```java
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { // (1)
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    @Configuration
    @Order(1) // (2)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**") // (3)
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    @Configuration // (4)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```
1. Configure authentication as normal.
2. Create an instance of WebSecurityConfigurerAdapter that carries @Order to specify which WebSecurityConfigurerAdapter should be considered first.
3. The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/.
4. Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/, this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).
Your second configuration is not used, because your first configuration matches /** (no antMatcher configured). And your first configuration restricts only /admin/**; all other URLs are permitted by default.
Your first WebSecurityConfigurerAdapter's http.authorizeRequests() matches all the URLs; limit it to only URLs that start with /admin by using antMatcher:
```java
@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/admin/**")
            .authorizeRequests()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            ...
```
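A complete version of the corrected pair of adapters, added here as an example; it is not code from the question or from the answer above. It assumes Spring Security 5.x before 5.7 (where WebSecurityConfigurerAdapter still exists), keeps the BASE_USER role from the question, and constructs two in-memory users with {noop} plaintext passwords purely for demonstration. The per-chain logout URLs, moving the "/" and "/home" permitAll rules into the catch-all chain, and the trailing anyRequest().authenticated() rule are choices made in this example, not something the answer specifies.

```java
package com.example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    // Shared authentication for both filter chains. Users are constructed for this
    // example only; "{noop}" tells the DelegatingPasswordEncoder the password is
    // plaintext. Use bcrypt (or similar) and a real user store outside a demo.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}admin-pass").roles("BASE_USER")
            .and()
            .withUser("consumer").password("{noop}consumer-pass").roles("BASE_USER");
    }

    // Chain 1: antMatcher makes this chain claim ONLY /admin/**; every rule below
    // is evaluated relative to that scope. @Order(1) makes it run before chain 2.
    @Configuration
    @Order(1)
    public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/admin/**")
                .authorizeRequests()
                    .antMatchers("/admin/login").permitAll()
                    .anyRequest().hasRole("BASE_USER")   // everything else under /admin/
                    .and()
                .formLogin()
                    .loginPage("/admin/login").permitAll()
                    .loginProcessingUrl("/admin/login")  // keep the POST inside this chain's scope
                    .defaultSuccessUrl("/admin/home")
                    .failureUrl("/admin/login?error=true")
                    .and()
                .logout()
                    .logoutUrl("/admin/logout")          // default /logout would fall to chain 2
                    .logoutSuccessUrl("/admin/login?logout")
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
            // CSRF protection stays enabled by default; no csrf() call is needed.
        }
    }

    // Chain 2: no antMatcher, so it is the catch-all for every request chain 1 did
    // not claim. It must be ordered last: a request matched by no chain at all
    // receives no security filters, so the catch-all is what keeps /foo from being
    // silently open.
    @Configuration
    @Order(2)
    public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home", "/consumer/login").permitAll() // moved here from chain 1
                    .antMatchers("/consumer/**").hasRole("BASE_USER")
                    .anyRequest().authenticated()        // nothing outside the two prefixes is left open
                    .and()
                .formLogin()
                    .loginPage("/consumer/login").permitAll()
                    .loginProcessingUrl("/consumer/login")
                    .defaultSuccessUrl("/consumer/home")
                    .failureUrl("/consumer/login?error=true")
                    .and()
                .logout()
                    .logoutUrl("/consumer/logout")
                    .logoutSuccessUrl("/consumer/login?logout")
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }
}
```

Three checks are worth running after this change. An anonymous GET /admin/home must redirect to /admin/login, an anonymous GET /consumer/home must redirect to /consumer/login, and an anonymous GET of some unrelated path such as /reports must also redirect to /consumer/login rather than return 200; the last case is the one that breaks if the catch-all chain gains an antMatcher or is ordered before the admin chain. Note also that the "/" and "/home" permitAll rules had to move out of the admin chain: once that chain is scoped to /admin/**, rules for other paths inside it are never reached. On Spring Security 5.8 and later the same scoping is expressed with securityMatcher(...) on a SecurityFilterChain bean instead of antMatcher on an adapter, and the ordering and catch-all considerations are identical.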