结合 OAuth2 与 http 基本认证 spring 安全

Question

I've implemented OAuth2 using spring boot and spring security. Now I've different set of APIs available and I want to use different authentication methods for it. For eg I want to use OAuth2 for /users/** apis and Http Basic Authentication for /admin/** APIs.

However, OAuth2 shouldn't work for /admin/** and HTTP basic shouldn't work for /users/** APIs.

Any help would be great!

Answer 1

In Spring Security you can have multiple filter chains that handle different requests. So you can have one that handles requests to the /users/** uri which will have the Basic Authentication filter, and one that handles requests to /admin/** uri which will have the Oauth2 filters. To set this up, you need 2 instances of the WebSecurityConfigurerAdapter

One for Oauth2

@Configuration
@Order(1)
public static class Oauth2ConfigurationAdapter extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
       http.mvcMatcher("/user/**")
       ...... 

And another for Basic:

@Configuration
@Order(2)
public static class BasicConfigurationAdapter extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
       http.mvcMatcher("/admin/**")
       ...... 

This article explains it in more detail: https://www.baeldung.com/spring-security-multiple-entry-points

Also this code does something similar with Digest auth for /admin and Basic for all other. https://github.com/wlesniak/spring-security-authn-authz-course/tree/master/module_2/mod2_crypto_portfolio_digest