Is there a way to use api key for some end point and use oauth2 for other endpoint in Spring Boot?

Question

I need to secure some end-point with google oauth2 and secure some end-point with api key.

Before I add ApiKeyFilter to AuthConfig, it works as expected. However, when I add the filter, I found the "/secured-with-api-key/**" and "/non-secured/**" works as expected, but the "/secured/**" can be accessed even without the jwt token.

This is the ApiKeyAuthFilter:

public class ApiKeyAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
private static final Logger LOG = LoggerFactory.getLogger(ApiKeyAuthFilter.class);

    private final String apiKeyHeaderName;
    private final String timestampHeaderName;
    private final String signatureHeaderName;
    
    public ApiKeyAuthFilter(String apiKeyHeaderName, String timestampHeaderName, String signatureHeaderName) {
        this.apiKeyHeaderName = apiKeyHeaderName;
        this.timestampHeaderName = timestampHeaderName;
        this.signatureHeaderName = signatureHeaderName;
    }
    
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String apiKey = request.getHeader(apiKeyHeaderName);
        String timestamp = request.getHeader(timestampHeaderName);
        String signature = request.getHeader(signatureHeaderName);
        return new AuthPrincipal(apiKey, timestamp, signature);
    }
    
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        // No creds when using API key
        return null;
    }

This is the SimpleAuthenticationManager:

@Component
public class SimpleAuthenticationManager implements AuthenticationManager {

    private static final Logger LOG = LoggerFactory.getLogger(SimpleAuthenticationManager.class);

    @Autowired
    private ApiKeysDatabase apiKeysDatabase;

    @Autowired
    private TokenVerifier tokenVerifier;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        AuthPrincipal principal = (AuthPrincipal) authentication.getPrincipal();
        if (principal.getApikey() == null || principal.getTimestamp() == null || principal.getSignature() == null) {
            throw new BadCredentialsException("The API_KEY/timestamp/signature Header is missing.");
        }
        if (!apiKeysDatabase.isValidKey(principal.getApikey())) {
            throw new BadCredentialsException("The API key was not found or not the expected value.");
        }
        if (!tokenVerifier.isTokenAuthorized(principal)) {
            throw new BadCredentialsException("The signature is invalid");
        }
        authentication.setAuthenticated(true);
        return authentication;
    }
}

This is the AuthConfig:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AuthConfig extends WebSecurityConfigurerAdapter {

    private static final String API_KEY_HEADER_NAME = "API_KEY";
    private static final String TIMESTAMP_HEADER_NAME = "timestamp";
    private static final String SIGNATURE_HEADER_NAME = "signature";

    @Autowired
    private SimpleAuthenticationManager simpleAuthenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ApiKeyAuthFilter filter = new ApiKeyAuthFilter(API_KEY_HEADER_NAME, TIMESTAMP_HEADER_NAME, SIGNATURE_HEADER_NAME);
        filter.setAuthenticationManager(simpleAuthenticationManager);

        http.antMatcher("/secured/**")
                .authorizeRequests()
                .antMatchers("/secured/**")
                .fullyAuthenticated();

        http.antMatcher("/non-secured/**")
                .authorizeRequests()
                .antMatchers("/non-secured/**")
                .permitAll();

        http.antMatcher("/secured-with-api-key/**")
                .addFilter(filter)
                .authorizeRequests()
                .antMatchers("/secured-with-api-key/**")
                .authenticated();

        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        http.cors().and().csrf().disable();

        http.oauth2ResourceServer().jwt();
    }
}

Thanks in advance.

I expected "/secured/**" need jwt to access, "/secured-with-api-key/**" need a api key to access and "/non-secured/**" can access for anyone.

Answer 1

Use two SecurityFilterChain @Beans: one with resource-server configuration (OAuth2, secured with Bearer access-tokens) and an other one for API key. Don't forget to order the two and limit the first loaded one with securityMatcher .

For instance, with filter-chain dedicated to API-key (all routes starting with /secured-with-api-key/ ) and a default one secured with OAuth2 (all routes which didn't match previous filter-chains):

    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Bean
    SecurityFilterChain apiKeyFilterChain(HttpSecurity http) {
        http.securityMatcher(new AntPathRequestMatcher("/secured-with-api-key/**"));
        // more API key security conf
        return http.build();
    }

    @Bean
    SecurityFilterChain defaultFilterChain(HttpSecurity http) {
        http.oauth2ResourceServer().jwt();
        // resource-server security conf
        return http.build();
    }