18

I have a working REST API under Spring 4 using Basic authentication. These REST services are under the /api/v1/** URL. However, I want to add another set of REST endpoints under a different URL, /api/v2/**, but protected with token-based authentication.

Is it possible to do this with one servlet? How do I configure Spring Security to use different forms of authentication for different URLs?

Thank you.

  • 2
    You should be able to have more than just one entry-point in your spring security applicationContext where you can specify your intercept url patterns. – Martin Hansen Oct 09 '15 at 12:03
  • You mean more protected void configure(HttpSecurity http) methods, one for every URL pattern? Can you give me an example of what you mean, please? Thank you. –  Oct 09 '15 at 12:04
  • 1
    I have only worked with XML-based setup of Spring Security, and from my knowledge it's possible to set up multiple tags, with different entry-points and their own set of intercept-urls. I could try putting something basic together if you want. – Martin Hansen Oct 09 '15 at 12:07
  • Of course, I'd like to. It doesn't matter, I will probably be able to translate it into programmatic configuration. Thank you. –  Oct 09 '15 at 12:41
  • It seems like, at least from spring-security 3.x, that duplicate http elements are not allowed. I was sure I'd seen something like that once; it must have been something from an older version, I guess. I am sorry I was unable to help. – Martin Hansen Oct 09 '15 at 12:47
  • 1
    Please check this link http://stackoverflow.com/questions/4783063/configuring-spring-security-3-x-to-have-multiple-entry-points You can configure multiple entry points for your application. – Vikas Sharma Oct 09 '15 at 12:51

1 Answer

31

Here's a code sample in Java config that uses UserDetailsService and has different security configurations for different URL endpoints:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    UserDetailsService userDetailsService;

    // Shared AuthenticationManager: both nested configurations authenticate against this UserDetailsService.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

    // Evaluated first: antMatcher() restricts this whole filter chain to /api/v1/**.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/api/v1/**")
                    .httpBasic()
                        .realmName("API")
                        .and()
                    .csrf().disable()   // stateless Basic-auth API; no session cookie for CSRF to ride on
                    .authorizeRequests()
                    .antMatchers("/api/v1/**").authenticated();
        }
    }

    // Evaluated second: a separate filter chain, with its own authentication mechanism, for /api/v2/**.
    @Configuration
    @Order(2)
    public static class ApiTokenSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/api/v2/**")
                    /* other config options go here... */
                    ;
        }

    }
}
Krešimir Nesek
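The answer leaves the token-based chain for /api/v2/** as a placeholder. The following is an added example, not code from the answer or from Spring Security itself, of what that @Order(2) configuration could look like: a filter that reads an Authorization: Bearer header, looks the token up in a store, and places a pre-authenticated Authentication in the SecurityContext, plus the HttpSecurity wiring that keeps the chain stateless. The BearerTokenAuthenticationFilter class, the tokenStore() table and the sample token value are hypothetical and constructed for this example; a real deployment would back the lookup with a database and attach an expiry to each token.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical replacement for the answer's ApiTokenSecurityConfig placeholder (example, not from the page). */
@Configuration
@Order(2)
public class ApiTokenSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/v2/**")
            // Run the token filter before the form-login filter slot so the SecurityContext is
            // populated by the time authorizeRequests() is evaluated.
            .addFilterBefore(new BearerTokenAuthenticationFilter(tokenStore()),
                             UsernamePasswordAuthenticationFilter.class)
            // Token clients send credentials on every request: never create or use an HTTP session.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()   // no session cookie, so there is nothing for CSRF to ride on
            // Unauthenticated requests get 401 with the scheme the client should use, not a login page.
            .exceptionHandling().authenticationEntryPoint((request, response, ex) -> {
                response.setHeader("WWW-Authenticate", "Bearer realm=\"API\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }).and()
            .authorizeRequests().anyRequest().authenticated();
    }

    /** Constructed sample store: SHA-256(token) hex -> user name. Only hashes are kept server-side. */
    static Map<String, String> tokenStore() {
        Map<String, String> store = new HashMap<>();
        store.put(BearerTokenAuthenticationFilter.sha256Hex("example-token-not-a-real-secret"), "alice");
        return store;
    }

    /** Authenticates a request carrying "Authorization: Bearer <token>" if the token's hash is known. */
    static class BearerTokenAuthenticationFilter extends OncePerRequestFilter {

        private static final String PREFIX = "Bearer ";
        private final Map<String, String> usersByTokenHash;

        BearerTokenAuthenticationFilter(Map<String, String> usersByTokenHash) {
            this.usersByTokenHash = usersByTokenHash;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String header = request.getHeader("Authorization");
            if (header != null && header.startsWith(PREFIX)) {
                String user = usersByTokenHash.get(sha256Hex(header.substring(PREFIX.length()).trim()));
                if (user != null) {
                    // The three-argument constructor marks the token as authenticated.
                    Authentication auth = new PreAuthenticatedAuthenticationToken(
                            user, "N/A", AuthorityUtils.createAuthorityList("ROLE_API_USER"));
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
                // An unknown token is simply ignored here; the entry point above then answers 401.
            }
            chain.doFilter(request, response);
        }

        static String sha256Hex(String value) {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256")
                        .digest(value.getBytes(StandardCharsets.UTF_8));
                StringBuilder hex = new StringBuilder(digest.length * 2);
                for (byte b : digest) hex.append(String.format("%02x", b));
                return hex.toString();
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("SHA-256 is required by the JDK spec", e);
            }
        }
    }
}
```

The important design point for the multi-chain setup is that antMatcher("/api/v2/**") scopes this entire filter chain, so the bearer filter never runs for /api/v1/** requests and the Basic-auth chain never sees /api/v2/** requests; the ordering annotations decide which chain claims a URL first, and the outer WebSecurityConfig in the answer (default order) catches everything neither matcher claims.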