
I'm trying to implement two different security configs (for admin and normal users). To achieve that, I have two classes that extend WebSecurityConfigurerAdapter - one for each user type.

My issue is that the configuration for admin gets applied and works as expected, with a redirect to the login page, but my other configuration doesn't seem to affect anything. Changing the @Order annotation doesn't seem to change anything. And the logs show that on application deployment, both filters get applied to the chain.

My configuration classes:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@Order(1)
public class AdminConfigurationAdapter extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(WebSecurity web) throws Exception {
    // Static resources skip the security filter chain entirely. ignoring() is global,
    // so one declaration covers every adapter. Patterns must start with "/" to match
    // a request path; "**/favicon.ico" (no leading slash) never matches anything.
    web
            .ignoring()
            .antMatchers("/images/**", "/css/**", "/js/**", "/webjars/**", "/**/favicon.ico");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // No antMatcher()/requestMatchers() here, so this chain matches every request.
    http
            .authorizeRequests()
            .antMatchers("/admin/login")
            .permitAll()

            .antMatchers("/admin/**")
            .hasRole("ADMIN")
            // No anyRequest() rule: URLs outside /admin/** get no access rule in this chain.

            .and()
            .formLogin()
            .loginPage("/admin/login")
            .loginProcessingUrl("/admin/loginAction")
            //.failureUrl("/loginAdmin?error=loginError")
            .defaultSuccessUrl("/admin/dashboard", true)

            .and()
            .logout()
            .logoutUrl("/admin/logoutAction")
            //.logoutSuccessUrl("/protectedLinks")
            .deleteCookies("JSESSIONID")

            .and()
            .exceptionHandling()
            .accessDeniedPage("/403")

            .and()
            .csrf().disable();   // turns CSRF protection off for every request this chain handles
  }

  // Only this adapter configures an AuthenticationManagerBuilder, so this user store is
  // local to the admin chain; other adapters fall back to the global AuthenticationManager.
  @Override
  protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
            .withUser("admin").password(passwordEncoder().encode("admin")).roles("ADMIN");
  }

  @Bean
  public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
  }
}

Second class:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(2)
public class GameConfigurationAdapter extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(WebSecurity web) throws Exception {
    // Same global ignore list as the admin adapter (ignoring() is not per chain).
    web
            .ignoring()
            .antMatchers("/images/**", "/css/**", "/js/**", "/webjars/**", "/**/favicon.ico");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Also no antMatcher(): this chain would match every request too, but only the
    // first chain whose matcher accepts a request is ever run.
    http
            .authorizeRequests()
            .antMatchers("/", "/game/login")
            .permitAll()

            .antMatchers("/game/**")
            .hasRole("USER")

            .and()
            .formLogin()
            .loginPage("/game/login")
            .loginProcessingUrl("/game/login")
            //.failureUrl("/game/login")
            .defaultSuccessUrl("/game/home", true)

            .and()
            .logout()
            .logoutUrl("/game/logout")
            //.logoutSuccessUrl("/")
            .deleteCookies("JSESSIONID")

            .and()
            .exceptionHandling()
            .accessDeniedPage("/403")

            .and()
            .csrf().disable();   // CSRF protection off for this chain as well
  }
}

3 Answers


Somehow the @Order annotation has affected my application. Reversing the order of the configurations fixed my problems without changing anything else.

I'm still not sure how and why, but after setting the GameConfigurationAdapter @Order value to 1 and AdminConfigurationAdapter to 2, my filters got applied correctly.


Perhaps it is because in the second configuration you are setting the route "/" and the requests may enter there.

Change this:

.antMatchers("/", "/game/login")

for:

.antMatchers("/game/login")
KikeSP
  • I've tried that and it didn't change anything. Additionally, my "/" mapping did some background logic and most of the time redirected the user to "game/login". But I was still able to access "game/join" before logging in. – Mar 06 '20 at 13:47

I have another application with a similar configuration, but I used antMatcher instead of antMatchers, and it works fine for all endpoints.

http
    // antMatcher (singular) scopes this whole HttpSecurity to /game/**;
    // a chain scoped to "/game/login" alone would never see /game/join.
    .antMatcher("/game/**")
    .authorizeRequests()
        // antMatchers (plural) selects the URLs one access rule applies to inside that chain
        .antMatchers("/game/**").hasRole("USER")
    .and()
    .formLogin()
    ...

The only difference is that I have 3 configurations: /admin/login, /game/login, /others

  1. Multiple HttpSecurity Config: when-to-use-spring-securitys-antmatcher
  2. Multiple Security: Multiple security
  3. AntMatcher vs AntMatchers
KikeSP
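None of the answers spells out the mechanism behind the question and behind the antMatcher suggestion above. A WebSecurityConfigurerAdapter whose HttpSecurity has no antMatcher()/requestMatchers() registers a filter chain that matches every request, and FilterChainProxy runs only the first chain whose matcher accepts a request. With AdminConfigurationAdapter at @Order(1) that chain handles every URL, GameConfigurationAdapter is never consulted, and any URL with no authorizeRequests rule in the admin chain (such as /game/join) is treated as public because no access attributes apply to it. Reversing the order moves the same gap to /admin/**. The configuration below is an added example, not code from the question or from either answerer: it scopes each chain with antMatcher(), moves the users into one UserDetailsService bean shared by both chains (in the question only the admin adapter configures an AuthenticationManagerBuilder, so the game chain would authenticate against the global manager instead), and adds a lowest-priority catch-all chain, because a request matched by no chain passes through FilterChainProxy with no security filters at all. The "player" user, the fallback chain's permitted paths and the class names are assumptions for the example; it is written against the pre-5.7 Spring Security 5.x API the question uses.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

  @Bean
  public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

  // One user store for every chain: no adapter below overrides configure(AuthenticationManagerBuilder),
  // so all of them use the global AuthenticationManager built from this bean. Users are constructed
  // for the example; "player" is an assumption, not a user from the question.
  @Bean
  public UserDetailsService userDetailsService(PasswordEncoder encoder) {
    return new InMemoryUserDetailsManager(
        User.withUsername("admin").password(encoder.encode("admin")).roles("ADMIN").build(),
        User.withUsername("player").password(encoder.encode("player")).roles("USER").build());
  }

  @Configuration
  @Order(1)
  public static class AdminSecurity extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) {
      // ignoring() is global, so the static-resource list is declared once, with leading slashes.
      web.ignoring().antMatchers("/images/**", "/css/**", "/js/**", "/webjars/**", "/favicon.ico");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
          // antMatcher() (singular) scopes the whole chain; without it this chain would match
          // every request and the game chain would never run.
          .antMatcher("/admin/**")
          .authorizeRequests()
              .antMatchers("/admin/login").permitAll()
              .anyRequest().hasRole("ADMIN")   // nothing under /admin/** is left without a rule
          .and()
          .formLogin()
              .loginPage("/admin/login")
              .loginProcessingUrl("/admin/loginAction")
              .defaultSuccessUrl("/admin/dashboard", true)
          .and()
          .logout()
              .logoutUrl("/admin/logoutAction")
              .deleteCookies("JSESSIONID")
          .and()
          .exceptionHandling().accessDeniedPage("/403");
      // CSRF stays enabled: login and logout must be POSTs carrying the _csrf token.
    }
  }

  @Configuration
  @Order(2)
  public static class GameSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
          .antMatcher("/game/**")
          .authorizeRequests()
              .antMatchers("/game/login").permitAll()
              .anyRequest().hasRole("USER")    // /game/join now requires a logged-in USER
          .and()
          .formLogin()
              .loginPage("/game/login")
              .loginProcessingUrl("/game/login")
              .defaultSuccessUrl("/game/home", true)
          .and()
          .logout()
              .logoutUrl("/game/logout")
              .deleteCookies("JSESSIONID")
          .and()
          .exceptionHandling().accessDeniedPage("/403");
    }
  }

  // Lowest priority: claims every request the two scoped chains do not. A request matched by no
  // chain bypasses Spring Security entirely, so deny by default and list public pages explicitly.
  @Configuration
  @Order(3)
  public static class FallbackSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
          .antMatchers("/", "/403", "/error").permitAll()   // assumed public pages
          .anyRequest().denyAll();
    }
  }
}
```

Check it the way the question was checked: an unauthenticated request to /game/join must now answer with a redirect to /game/login, and one to /admin/dashboard with a redirect to /admin/login, rather than 200. In Spring Security 5.7 and later, where WebSecurityConfigurerAdapter is deprecated, the same split is expressed as one SecurityFilterChain bean per chain, ordered with @Order on the bean methods and scoped with http.securityMatcher("/admin/**") (antMatcher() in 5.7, securityMatcher() from 5.8) in place of the adapter's antMatcher() call.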