Hello I'm trying to build a spring boot app that works both as a web app and a restful api. I'm using spring security and multiple http configurations to secure both purposes but the problem is that only configuration with order(1) annotation works. Separately both configurations work fine but when together only the first one works correctly. I have tried every solution from similar questions but nothing works for me. I would be really glad if someone has any suggestions!
Here are my configurations:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class TestSecurity {
@Configuration
@Order(1)
public static class RestWebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
@Autowired
public UserDetailsService jwtUserDetailsService;
@Autowired
public JwtRequestFilter jwtRequestFilter;
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public static PasswordEncoder passwordEncoder() {
PasswordEncoder encoder = new BCryptPasswordEncoder();
return encoder;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
// configure AuthenticationManager so that it knows from where to load
// user for matching credentials
// Use BCryptPasswordEncoder
auth.userDetailsService(jwtUserDetailsService).passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
// dont authenticate this particular request
.authorizeRequests()
.antMatchers("/authenticate").permitAll()
.antMatchers("/api/**").hasAnyRole("ADMIN", "SUPERVISOR", "PDEMPLOYEE", "EMPLOYEE")
// all other requests need to be authenticated
.anyRequest().authenticated().and().
// make sure we use stateless session; session won't be used to
// store user's state.
exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// Add a filter to validate the tokens with every request
http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
}
@Configuration
@Order(2)
public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public DataSource dataSource;
@Bean
public static PasswordEncoder passwordEncoder() {
PasswordEncoder encoder = new BCryptPasswordEncoder();
return encoder;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder())
.usersByUsernameQuery("select username,password, enabled from user where username=?")
.authoritiesByUsernameQuery("select username, authority from authorities where username=?");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().formLogin().defaultSuccessUrl("/index").permitAll().and().authorizeRequests()
.antMatchers("/actuator/**", "/swagger-ui/**").permitAll()
.antMatchers("/index/**")
.hasAnyRole("ADMIN", "MANAGER", "SUPERVISOR", "PDEMPLOYEE").anyRequest().authenticated().and()
.logout().permitAll();
}
}
}
