
I am running Spring-Cloud-Gateway and below is my configuration. The legacy API uses a different JWT token and the new API will be using a UAA server. I am trying to skip legacy APIs that carry an Authorization header with a Bearer token. But still it continues to be decoded via JwtReactiveAuthenticationManager.

Can you please help me understand how to instruct Spring Security to skip the path even if the Authorization header is present? Thanks

import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
@Slf4j
public class GatewaySecurityConfig
{   
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
    {
        // Browser-oriented mechanisms are not used on a token-based gateway
        http.httpBasic().disable()
            .csrf().disable()
            .formLogin().disable()
            .logout().disable();

        // /legacy/** is permitted, all else must be authenticated; bearer tokens are decoded as JWTs
        http.authorizeExchange().pathMatchers("/legacy/**").permitAll().anyExchange().authenticated()
        .and()
        .oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
        return http.build();
    }

    // Not shown in the question; minimal stand-in (assumption) so the class compiles
    private ReactiveJwtAuthenticationConverterAdapter jwtAuthenticationConverter()
    {
        return new ReactiveJwtAuthenticationConverterAdapter(new JwtAuthenticationConverter());
    }
}

Samples

$ curl -X POST http://localhost/legacy/v1/orders -H 'authorization: Bearer <old JWT>' --> Fails with 401
$ curl -X POST http://localhost/legacy/v1/orders --> This one gets skipped and works as expected
  • Does this answer your question? [How to disable spring security for particular url](https://stackoverflow.com/questions/30366405/how-to-disable-spring-security-for-particular-url) – Toerktumlare Feb 08 '21 at 09:19
  • @toerktumlare this solution is via web security. I'm looking for something on web flux security to overcome the mentioned expectations. https://docs.spring.io/spring-security/site/docs/5.1.12.RELEASE/reference/html/webflux-oauth2.html#runtime-expectations-2 – Himalaya Gupta Feb 08 '21 at 18:15
  • Your question is quite unclear. You want to skip legacy APIs? What does that mean? Skip? You want to exclude some paths from your implemented oauth2 authentication? Please update your question with what you want, what you have tried, current behaviour and expected behaviour. – Toerktumlare Feb 08 '21 at 18:49
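The 401 in the first curl sample comes from the bearer-token filter that `oauth2ResourceServer()` installs: it runs at the authentication stage, before `authorizeExchange()` rules are consulted, so `permitAll()` on `/legacy/**` cannot stop it from decoding (and rejecting) a token that is present. The way to keep that filter off the legacy paths is to give them their own `SecurityWebFilterChain` on which the resource server is never configured. Added example, not the asker's code and not an answer posted on the page; it assumes Spring Security 5.x WebFlux and uses the default `JwtAuthenticationConverter` as a stand-in for the asker's own `jwtAuthenticationConverter()`:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // Chain 1, tried first: only /legacy/** is routed here. It never calls
    // oauth2ResourceServer(), so no bearer-token filter is installed on it and
    // the legacy JWT is forwarded untouched. The legacy backend must therefore
    // still validate that token itself; this chain checks nothing.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityWebFilterChain legacyChain(ServerHttpSecurity http) {
        return http
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/legacy/**"))
            .csrf().disable()
            .httpBasic().disable()
            .formLogin().disable()
            .authorizeExchange().anyExchange().permitAll()
            .and()
            .build();
    }

    // Chain 2, the default (unannotated beans sort last): every other path.
    // Bearer tokens are decoded against the UAA issuer and must be valid.
    @Bean
    public SecurityWebFilterChain uaaChain(ServerHttpSecurity http) {
        return http
            .csrf().disable()
            .httpBasic().disable()
            .formLogin().disable()
            .authorizeExchange().anyExchange().authenticated()
            .and()
            .oauth2ResourceServer().jwt()
                // stand-in for the asker's jwtAuthenticationConverter() (assumption)
                .jwtAuthenticationConverter(new ReactiveJwtAuthenticationConverterAdapter(
                    new JwtAuthenticationConverter()))
            .and().and()
            .build();
    }
}
```

Keep the `securityMatcher` as narrow as the real legacy prefix, since anything it matches bypasses UAA validation at the gateway entirely.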
