
So I have an application that contains a REST API which is used by a custom Java application on an IoT device with no user interaction. And I also have a web app which needs a stateful session for maintaining user login.

Is it possible to use Spring Security to authenticate requests to my API and web controller differently? What form of authentication should I be using for the REST API?

Daniel Haughton

1 Answer

One way to achieve what you are looking for is to have two configurations in your Spring Security, e.g.:

Pay attention to antMatcher (matcher, not matchers). The antMatcher controls which set of URLs your entire config applies to, i.e. FormLoginWebSecurityConfigurerAdapter in the example below will apply only to URIs matching /api/test/**. Of course, you can define the antMatcher in only one of the configs, say config1, and the other config in that case will be a catch-all (i.e. it catches everything that does not match config1).

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
@Configuration
public class SecurityConfig {

    // Config 1: stateless HTTP Basic for the REST API, scoped to /api/v1/** by antMatcher
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // No HttpSession for API clients: every request must carry its own credentials
            http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

            http
                .antMatcher("/api/v1/**")                 // this whole config applies only here
                .authorizeRequests()
                    .antMatchers("/api/v1/**").authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Config 2: form login with a server-side session, scoped to /api/test/** by antMatcher
    @Configuration
    @Order(2)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user1").password("user").roles("USER");
            auth.inMemoryAuthentication().withUser("admin1").password("admin").roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CONFIGURE TYPE OF SESSION POLICY: create a session when login needs one
            http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);

            http
                .antMatcher("/api/test/**")               // this whole config applies only here
                .authorizeRequests()
                    .antMatchers("/api/test/**").authenticated()
                    .and()
                .formLogin();
        }
    }
}
tryingToLearn
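The same two-chain split written against the Spring Security 6 API (SecurityFilterChain beans with securityMatcher, which replaced WebSecurityConfigurerAdapter and antMatcher), as an added example that is not part of the answer above; it keeps the answer's URL patterns, adds a password encoder so credentials are not stored in clear text, and the "device" and "admin1" accounts and their passwords are constructed sample values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: stateless HTTP Basic, scoped to the device-facing REST API only.
    @Bean @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/v1/**")                  // this whole chain applies only here
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No session cookie is ever issued on this chain, so there is no CSRF surface; the token check would only reject the device's POSTs.
            .csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: catch-all with form login and a server-side session for the web app.
    @Bean @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {   // bcrypt hashes instead of the answer's clear-text passwords
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {   // constructed sample accounts, shared by both chains
        return new InMemoryUserDetailsManager(
            User.withUsername("device").password(encoder.encode("device-secret")).roles("USER").build(),
            User.withUsername("admin1").password(encoder.encode("admin")).roles("ADMIN").build());
    }
}
```

Chains are matched in @Order sequence, so an unauthenticated GET /api/v1/x gets a 401 from the Basic chain, while any other URL falls through to the form-login chain and is redirected to the login page.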