DEVHIDE
Login Or Sign up

How to define two authentication mechanism for different routes in Spring Security 6?

298 Views Asked by At

All routing files config, except for /actuator/**, the entry point is of type "JwtAuthenticationEntryPoint" (Custom defined)

    @Bean
    @Order(1)
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .cors(cors -> {})
            .authorizeHttpRequests(auth ->
                    auth.requestMatchers("**").permitAll().anyRequest().authenticated()
            )
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(handler -> handler.defaultAuthenticationEntryPointFor(entryPoint, new AntPathRequestMatcher("**")))
            .addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .headers(headers -> headers.cacheControl(cacheControl -> {}));

        return http.build();
    }

Security config for actuator routes, the entry point is of Type "AuthenticationEntryPoint"

  @Bean
  @Order(2)
  public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf(AbstractHttpConfigurer::disable)
        .cors(cors -> {})
        .authorizeHttpRequests(auth ->
                auth.requestMatchers("/actuator/**").permitAll()
        )
        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .exceptionHandling(handler -> handler.defaultAuthenticationEntryPointFor(entryPoint, new AntPathRequestMatcher("/actuator/**")))
        .anonymous(AbstractHttpConfigurer::disable);

    return http.build();
  }

basically if one bean loads first then it overrides the other one. If I change the swap the order of the beans then actuator would work fine and other routes won't. I assume it is the problem of misconfiguring of entry point of authentication for both routes.

spring spring-boot spring-security spring-3 security-filter
Original Q&A
1

There are 1 best solutions below

1
Simon On BEST ANSWER

A possible approach for resolving this is to use the securityMatcher

Using your example code:

 @Bean
  @Order(2)
  public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
    http
        .securityMatcher("/actuator")
        .csrf(AbstractHttpConfigurer::disable)
        .cors(cors -> {})
        .authorizeHttpRequests(auth ->
                auth.requestMatchers("/actuator/**").permitAll()
        )
        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .exceptionHandling(handler -> handler.defaultAuthenticationEntryPointFor(entryPoint, new AntPathRequestMatcher("/actuator/**")))
        .anonymous(AbstractHttpConfigurer::disable);

    return http.build();
  }

This will ensure that the provided security chain will only be applied to routes matching the pattern provided.

Related Questions in SPRING

Related Questions in SPRING-BOOT

Related Questions in SPRING-SECURITY

Related Questions in SPRING-3

Related Questions in SECURITY-FILTER

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.