How can I create two http security configurations using java config?

In the XML config, I could create the following:

<security:http pattern="/api/**"
               create-session="never"
               use-expressions="true">
  <security:http-basic entry-point-ref="xBasicAuthenticationEntryPoint"/>
  <security:session-management />
  <security:intercept-url pattern="/tests/**" access="isAuthenticated()"/>
  <security:intercept-url pattern="/api/**" access="isAuthenticated()"/>
</security:http>

<security:http auto-config="true" use-expressions="true" realm="ACME">
  <security:intercept-url pattern="/favicon.ico" access="permitAll" />
  <security:intercept-url pattern="/static/**" access="permitAll"/>
  <security:intercept-url pattern="/error/**" access="permitAll" />
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/login" access="permitAll"/>
  <security:intercept-url pattern="/logout" access="isAuthenticated()"/>
  <security:form-login login-page='/login'
                       authentication-failure-url="/login?error"/>
  <security:logout logout-url="/logout" logout-success-url="/"/>
</security:http>

      

This will prevent all calls to /api/** from trying to authenticate the user if there is no session.

How do I create the same configuration with Java based configuration?

My method WebSecurityConfigurerAdapter#configure(HttpSecurity) looks like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.addFilter(switchUserFilter())
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/static/**").permitAll()
        .anyRequest().authenticated()
        .and().formLogin()
              .loginPage("/login")
              .permitAll()
              .defaultSuccessUrl("/")
        .and().logout()
              .logoutUrl("/logout")
              .logoutSuccessUrl("/");
}

+3

1 answer


The good thing is that this is explicitly stated in the Spring Security Reference Manual: you put as many @Configuration-annotated inner classes as you need, annotated with @Order() to indicate which ones are considered first. In your example, it might look like this:

@Order(1)
@Configuration
private static class ApiSecurityConfigurationAdapter
        extends WebSecurityConfigurerAdapter {
    // The bean the XML referenced as xBasicAuthenticationEntryPoint (defined elsewhere)
    @Autowired
    private AuthenticationEntryPoint xBasicAuthenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // only requests under /api/** reach this filter chain
            .antMatcher("/api/**")
            // create-session="never"
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and().httpBasic().authenticationEntryPoint(xBasicAuthenticationEntryPoint)
            .and().authorizeRequests()
                .anyRequest().authenticated();
    }
}

// No @Order: WebSecurityConfigurerAdapter's default @Order(100) applies,
// so this chain is consulted after the API chain above.
@Configuration
private static class NormalSecurityConfigurationAdapter
        extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // switchUserFilter() is your own bean method from the question
        http.addFilter(switchUserFilter())
            .authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/static/**").permitAll()
            .anyRequest().authenticated()
            .and().formLogin()
                  .loginPage("/login")
                  .permitAll()
                  .defaultSuccessUrl("/")
            .and().logout()
                  .logoutUrl("/logout")
                  .logoutSuccessUrl("/");
    }
}

+5
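A complete, compilable version of the two-chain setup, as an added example that is neither the asker's nor the answerer's code. It assumes the WebSecurityConfigurerAdapter-era API the question uses (Spring Security 4.x/5.x), defines the xBasicAuthenticationEntryPoint bean the XML referenced (assumed here to be a BasicAuthenticationEntryPoint with the XML's realm "ACME"), carries over the permitAll rules from the XML, and leaves out the asker's switchUserFilter() since that bean is not shown on the page. The package name is a placeholder.

```java
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    // Java-config equivalent of the XML's xBasicAuthenticationEntryPoint bean:
    // unauthenticated API calls get a 401 with WWW-Authenticate: Basic realm="ACME"
    // instead of a redirect to the HTML login page.
    @Bean
    public AuthenticationEntryPoint xBasicAuthenticationEntryPoint() {
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("ACME");
        return entryPoint;
    }

    // First chain. The antMatcher restricts it to /api/**; @Order(1) is required
    // because the second chain has no antMatcher and would otherwise match
    // every request, including /api/**, before this one is consulted.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

        private final AuthenticationEntryPoint entryPoint;

        // Constructor injection of the bean defined above
        public ApiSecurityConfig(AuthenticationEntryPoint xBasicAuthenticationEntryPoint) {
            this.entryPoint = xBasicAuthenticationEntryPoint;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .sessionManagement()
                    // create-session="never": Spring Security never creates a session here,
                    // but will still use one if the client already presents a session cookie
                    .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                    .and()
                .httpBasic()
                    .authenticationEntryPoint(entryPoint)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    // Second chain. No antMatcher, so it handles everything the API chain did not
    // claim. No @Order annotation means WebSecurityConfigurerAdapter's default
    // @Order(100) applies, which is why it is consulted after ApiSecurityConfig.
    @Configuration
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // the XML's permitAll intercept-url entries
                    .antMatchers("/", "/login", "/favicon.ico", "/static/**", "/error/**").permitAll()
                    .antMatchers("/logout").authenticated()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .failureUrl("/login?error")   // authentication-failure-url
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/");
        }
    }
}
```

Two points worth checking in your own setup: each WebSecurityConfigurerAdapter must have a distinct order, so a second chain without @Order is only fine while exactly one adapter relies on the default; and SessionCreationPolicy.NEVER still honours a session the browser already has, so if the API must ignore sessions entirely, STATELESS is the policy that does that.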