I'm trying to implement a simple spring boot project. I got several REST-Endpoints which I've to secure differently. One has to be secured by Basic Auth, another one with OAuth and one with a custom security implementation.
REST-Endpoints:
From tutorials, I know I've to set the order of the security adapters. My first intention was to set the order in steps of ten (e.g. @Order(10), @Order(20)) in case I need to add other security filters in between. By doing so I investigated the following behavior:
- @Order(10) and an OAuth filter with @Order(20): only the OAuth filter works.
- @Order(1) or @Order(2) and an OAuth filter with @Order(4): both filters work.
- @Order(3): I receive an error which says that order 3 is already in use and cannot be configured twice.

So there is a default Spring Security adapter (or whatever) which has the default order 3. I thought I disable every default Spring Security behavior by adding @EnableWebSecurity. After I did not find an answer by Google my questions would be:
WebSecurityConfig:
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig {

        // Basic Auth chain for /basic/** and /
        @Order(10)
        @Configuration
        public class BasicAuthConfig extends WebSecurityConfigurerAdapter {
            @Value("${security.user.password}")
            private String password;
            @Value("${security.user.name}")
            private String username;
            private static final String ROLE_ADMIN = "ADMIN";

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.inMemoryAuthentication().withUser(username).password(password).roles(ROLE_ADMIN);
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.csrf().disable();
                http.requestMatchers().antMatchers("/basic/**", "/") //
                    .and().authorizeRequests().anyRequest().authenticated() //
                    .and().httpBasic();
            }
        }

        // OAuth2 resource server chain for /application/**
        @Order(20)
        @Configuration
        @EnableResourceServer
        @EnableGlobalMethodSecurity(prePostEnabled = true)
        protected static class Oauth2ServerConfig extends ResourceServerConfigurerAdapter {
            @Override
            public void configure(HttpSecurity http) throws Exception {
                System.out.println("Filter called");
                // @formatter:off
                http.csrf().disable();
                http.authorizeRequests().antMatchers("/application/**").authenticated()
                    // .antMatchers(GET, "/application/secure").authenticated()
                    .anyRequest().authenticated();
                // @formatter:on
            }
            // offline token validator
        }
    }
This is an old question, but if anyone is still wondering what the issue is, here are my observations:

@EnableResourceServer imports ResourceServerConfiguration, which has an order of 3.
order 3 resource server configurer, for instance
(ResourceServerConfiguration class does not add any request matchers, but enforces a fallback to anyRequest().authenticated() if the user has not configured anything.)
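One way to keep both chains reachable, following the observation above, as an added example that is not part of the question or the answer (class names are assumptions; the paths /application/** and /basic/** come from the question):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Added example, not code from the question or the answer. Class names are
// hypothetical; the paths are the ones used in the question.
@Configuration
@EnableWebSecurity
public class ScopedSecurityConfig {

    // @EnableResourceServer imports ResourceServerConfiguration, which is the
    // real WebSecurityConfigurerAdapter and carries order 3. This adapter only
    // customises that chain, so an @Order annotation here would not move it.
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            // Restrict the order-3 chain to the OAuth-protected URL space.
            // Without requestMatchers() it falls back to anyRequest() and
            // answers for every path, shadowing all lower-priority chains.
            http.requestMatchers().antMatchers("/application/**")
                .and().authorizeRequests().anyRequest().authenticated();
        }
    }

    // Basic Auth chain: order 10 is reachable now, because requests to
    // /basic/** are no longer claimed by the resource server chain at order 3.
    @Configuration
    @Order(10)
    protected static class BasicAuthConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/basic/**")
                .and().authorizeRequests().anyRequest().authenticated()
                .and().httpBasic();
        }
    }
}
```

A request to /basic/x now skips the order-3 chain (its matcher does not match) and is handled by the Basic Auth chain, while /application/x is handled by the resource server chain.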