0

A Spring Boot application provides some REST endpoints with different authentication mechanisms. I'm trying to setup the security configuration according to the following requirements:

  1. By default, all endpoints shall be "restricted", that is, if any endpoint is hit for which no specific rule exists, then it must be forbidden.
  2. All endpoints starting with /services/** shall be secured with a JWT token.
  3. All endpoints starting with /api/** shall be secured with HTTP basic authentication.
  4. Any endpoint defined in a RESOURCE_WHITELIST shall be public, that is, they are accessible without any authentication. Even if rules #2 or #3 would apply.

This is what I came up with so far but it does not match the above requirements. Could you help me with this?

@Configuration
@RequiredArgsConstructor
public static class ApiSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String[] RESOURCE_WHITELIST = {
            "/services/login",
            "/services/reset-password",         
            "/metrics",
            "/api/notification"
    };

    private final JwtRequestFilter jwtRequestFilter;

    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("some-username")
                .password(passwordEncoder().encode("some-api-password"))
                .roles("api-role");
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors()
                .and()
                .csrf().disable()
                .formLogin().disable()
                // apply JWT authentication
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
                .authorizeRequests()
                .mvcMatchers(RESOURCE_WHITELIST).permitAll()
                .mvcMatchers("/services/**").authenticated()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                // apply HTTP Basic Authentication
                .and()
                .authorizeRequests()
                .mvcMatchers("/api/**")
                .hasRole(API_USER_ROLE)
                .and()
                .httpBasic()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
Robert Strauch
  • 12,055
  • 24
  • 120
  • 192
  • 1
    Did you try creating separate security configurations? https://stackoverflow.com/questions/59058596/multiple-websecurityconfigureradapter-in-spring-boot-for-multiple-patterns – Rana_S Nov 13 '21 at 02:09
  • Does this answer your question? [Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns](https://stackoverflow.com/questions/59058596/multiple-websecurityconfigureradapter-in-spring-boot-for-multiple-patterns) – Eleftheria Stein-Kousathana Nov 17 '21 at 15:02

0 Answers0