I have an application providing several REST endpoints and web pages as well.
/products -- REST endpoint
/cutomers -- REST endpoint
/ui/catalog -- Web
/ui/admin -- Web
I want to set up the security so all web pages starting with /ui/** are redirected to a login page and all the others (REST) are challenged with 401 and WWW-Authenticate.
With the following settings the login page is not permitted and 401 with the header is sent:
    @Configuration
    @Order(20)
    @RequiredArgsConstructor
    class RestConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.requestMatcher(AnyRequestMatcher.INSTANCE)
                .authorizeRequests().anyRequest().fullyAuthenticated();
            httpSecurity
                .requiresChannel()
                .requestMatchers(AnyRequestMatcher.INSTANCE)
                .requiresSecure();
        }
    }

    @Configuration
    @Order(10)
    @RequiredArgsConstructor
    class WebUIConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity.antMatcher("/ui/**")
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
        }
    }
Why doesn't this work? I would expect to be redirected to the login page (it works) and the login page to be 200 (it doesn't work).
Editing the WebUIConfigurationAdapter as follows solves the problem:
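    // This chain now also claims /login and /logout, not only /ui/**
    httpSecurity.requestMatchers()
        .antMatchers("/ui/**", "/login", "/logout")
        // requestMatchers() returns a RequestMatcherConfigurer; and() goes back to HttpSecurity
        .and()
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .formLogin().loginPage("/login").permitAll()
        .and()
        .logout().permitAll();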
The URL /login is set by WebUIConfigurationAdapter so it is then excluded by RestConfigurationAdapter.
Thanks @PraveenKumarLalasangi for his comment.
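
The chain selection behind this fix, as an added example that is not part of the original post and is not Spring Security's own code: a simplified model in which the chain with the lowest @Order whose matcher accepts the path handles the request. The class `ChainSelectionDemo`, the record `Chain`, the helper `antMatch` and the behaviour strings are hypothetical; AnyRequestMatcher is modelled as the pattern "/**", and records need Java 16 or later.

```java
import java.util.Comparator;
import java.util.List;

public class ChainSelectionDemo {
    // One security filter chain: its @Order value, the paths it claims, and how it
    // treats an unauthenticated request (strings follow the behaviour the post reports).
    record Chain(String name, int order, List<String> patterns, String behaviour) {
        boolean matches(String path) {
            return patterns.stream().anyMatch(p -> antMatch(p, path));
        }
    }

    // Minimal stand-in for Ant-style matching (assumption, not Spring's matcher):
    // "/**" matches everything, "/x/**" matches /x and anything below it,
    // any other pattern must equal the path exactly.
    static boolean antMatch(String pattern, String path) {
        if (pattern.equals("/**")) return true;
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // The first chain in @Order sequence that matches wins; later chains never see the request.
    static Chain select(List<Chain> chains, String path) {
        return chains.stream()
                .sorted(Comparator.comparingInt(Chain::order))
                .filter(c -> c.matches(path))
                .findFirst()
                .orElseThrow();
    }

    public static void main(String[] args) {
        Chain rest = new Chain("RestConfigurationAdapter", 20, List.of("/**"), "401 challenge");
        Chain uiBefore = new Chain("WebUIConfigurationAdapter", 10,
                List.of("/ui/**"), "form login");
        Chain uiAfter = new Chain("WebUIConfigurationAdapter", 10,
                List.of("/ui/**", "/login", "/logout"), "form login");

        for (String path : List.of("/ui/catalog", "/login", "/logout", "/products")) {
            Chain before = select(List.of(rest, uiBefore), path);
            Chain after = select(List.of(rest, uiAfter), path);
            System.out.printf("%s%n  before: %s (%s)%n  after:  %s (%s)%n",
                    path, before.name(), before.behaviour(), after.name(), after.behaviour());
        }
    }
}
```

In the output, /login and /logout move from RestConfigurationAdapter to WebUIConfigurationAdapter once they are listed in its matcher, while /products stays on the REST chain in both cases.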