33

I am trying to set up multiple WebsecurityConfigurerAdapter for my project where the spring boot actuator APIs are secured using basic auth and all other endpoints are authenticated using JWtAuthentication. I am just not able to make it work together, only the config with the lower order works. I am using Spring Boot 2.1.5.RELEASE

Security Config One with JWT Authenticator

@Order(1)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private static final String[] AUTH_WHITELIST = {
        "/docs/**",
        "/csrf/**",
        "/webjars/**",
        "/**swagger**/**",
        "/swagger-resources",
        "/swagger-resources/**",
        "/v2/api-docs"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers(AUTH_WHITELIST).permitAll()
            .antMatchers("/abc/**", "/abc/pdf/**").hasAuthority("ABC")
            .antMatchers("/ddd/**").hasAuthority("DDD")
            .and()
            .csrf().disable()
            .oauth2ResourceServer().jwt().jwtAuthenticationConverter(new GrantedAuthoritiesExtractor());
   }
}

The basic Auth config with username/password

@Order(2)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

/*    @Bean
public UserDetailsService userDetailsService(final PasswordEncoder encoder) {
    final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    manager.createUser(
            User
                    .withUsername("user1")
                    .password(encoder.encode("password"))
                    .roles("ADMIN")
                    .build()
    );
    return manager;
}

@Bean PasswordEncoder encoder(){
    return new BCryptPasswordEncoder();
}*/

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/actuator/**").hasRole("ADMIN")
            .and()
            .httpBasic();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("user1").password("password").authorities("ADMIN");
  }
}

I have been trying to make it work for many days but cannot make both of them work together. If i swap the order, only basic auth works and not the JWT Auth Manager.

I have gone through a lot of SOF Questions, like

[https://stackoverflow.com/questions/40743780/spring-boot-security-multiple-websecurityconfigureradapter][1]

[https://stackoverflow.com/questions/52606720/issue-with-having-multiple-websecurityconfigureradapter-in-spring-boot][1]

[https://github.com/spring-projects/spring-security/issues/5593][1]

[https://www.baeldung.com/spring-security-multiple-entry-points][1]

Nothing seems to be working, is this a known issue in Spring?

Sastrija
  • 3,284
  • 6
  • 47
  • 64
Tatha
  • 1,253
  • 2
  • 24
  • 42
  • You need to inject the same authentication manager using AuthenticationManagerBuilder. See https://stackoverflow.com/questions/40258583/using-multiple-websecurityconfigureradapter-with-different-authenticationprovide – tksilicon Nov 27 '19 at 07:39
  • Just a note: @Order(2) doesn't work with @Configuration – amisiuryk Nov 09 '22 at 16:57

1 Answers1

27

To use multiple WebsecurityConfigurerAdapter, you need restrict them to specific URL patterns using RequestMatcher.

In your case you can set a higher priority for ActuatorSecurityConfig and limit it only to actuator endpoints: 

@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .requestMatchers().antMatchers("/actuator/**")
                .and()
                .authorizeRequests().anyRequest().hasRole("ADMIN")
                .and()
                .httpBasic();
    }
}
Anar Sultanov
  • 3,016
  • 2
  • 17
  • 27
  • Thanks @Anar Sultanov that solved the problem. While testing via POSTMAN I also had to disable SESSIONID. If SESSIONID is enabled, if one request is successfully authenticated, all subsequent requests are a success irrespective of passing wrong credentials – Tatha Dec 03 '19 at 15:55
  • Life saver, i would like pay you a beer. – Sérgio Thiago Mendonça Jun 01 '21 at 21:48
  • 1
    I used this solution, but I had to use `http.antMatcher("foo")` directly on the `HttpSecurity` object. This will create an additional `FilterChainProxy`, meaning a new set of filters to be applied, that only matches certain requests. – DanielF Jun 06 '21 at 21:39
  • @DanielF thanks for the comment, but I don't think that you "had to use" it. While `antMatcher(String)` also allows configuring the `HttpSecurity` to only be invoked when matching the provided ant pattern, `requestMatchers()` is better suited for more advanced configurations. – Anar Sultanov Jun 07 '21 at 09:27
  • 1
    `WebsecurityConfigurerAdapter` has been deprecated. – Renis1235 Aug 06 '22 at 18:29