
I would like to use two different authentication methods at the same time. I have researched this on the internet, but I couldn't find a solution that suits my needs.

My requirements:

  • /auth/** and /public/** => Permit all for any authentication method; everybody can access these endpoints.
  • /api/** => All methods under this endpoint will be secured by JWT.
  • /orders/** => These endpoints will be secured by basic authentication.

My config file:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Configuration
    @Order(2)
    @AllArgsConstructor
    public static class JwtWebSecurityConfig extends WebSecurityConfigurerAdapter {

        private final UserService userService;
        private final JwtRequestFilter jwtRequestFilter;
        private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
        private final PasswordEncoder passwordEncoder;

        // Allows any request towards /auth/ and its derivatives and blocks any request
        // towards /api/. Requires Bearer tokens to authenticate
        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .cors()
                    .and()
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/auth/**", "/public/**").permitAll()
                    .antMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(jwtAuthenticationEntryPoint)
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            http
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        }

        @Autowired
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(userService)
                .passwordEncoder(passwordEncoder.bCryptPasswordEncoder());
        }

        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    }

    @Configuration
    @AllArgsConstructor
    @Order(1)
    public static class BasicAuth extends WebSecurityConfigurerAdapter {

        private final PasswordEncoder passwordEncoder;
        private final CustomBasicAuthenticationEntryPoint customBasicAuthenticationEntryPoint;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("admin")
                        .password(passwordEncoder.bCryptPasswordEncoder().encode("user12345!"))
                        .roles("ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .authorizeRequests()
                    .antMatchers("/auth/**").permitAll()
                    .antMatchers("/public/**").permitAll()
                    .antMatchers("/orders/**").hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }
}

Which part of the code needs to change?

    Any reason why you are not using the built-in JWT functionality of Spring Security? https://thomasandolf.medium.com/spring-security-jwts-getting-started-ebdb4e4f1dd1 – Toerktumlare Sep 28 '22 at 09:18
  • I didn't open this project, I just need to add a second security method as basic auth, so I don't want to change running code. – Oğuzhan Erçelik Sep 28 '22 at 09:20
  • So just because you didn't open the project is a legit reason to not use the built-in JWT features of Spring Security? – Toerktumlare Sep 28 '22 at 11:00
  • I didn't know that there is a built-in JWT feature in Spring Boot. I didn't google it. Also, my problem is not that JWT is built in. I don't understand why you specifically asked this. What will change if I use the built-in JWT? – Oğuzhan Erçelik Sep 29 '22 at 09:52
  • Why I asked this is because if you would use the built-in features I could most likely rule out that the JWT part of your code is the problem. But now that you have a custom JWT solution it could be part of the problem, since I have no idea what kind of custom solutions you have made up. Security is built on standards, and Spring Security follows these standards. I have no idea if you have followed the given standards out there with all edge cases covered. If you follow the Spring Security documentation I at least know what I'm dealing with. Now I have no idea. – Toerktumlare Sep 29 '22 at 14:20
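Editor's note with an added example (not code from the question or from any answer): the problem in the posted configuration is that the @Order(1) BasicAuth adapter never calls antMatcher(), so its filter chain matches every request and the @Order(2) JWT adapter is never consulted. Worse, the BasicAuth chain has no authorization rule for /api/**, and a request that matches no rule passes through that chain without being authenticated. Each chain must be scoped to the URLs it owns, with the first chain selected by FilterChainProxy being the one that handles the request. The configuration below does this with SecurityFilterChain beans (Spring Security 5.8 or 6.x API, which replaced the deprecated WebSecurityConfigurerAdapter) and keeps the question's own JwtRequestFilter and JwtAuthenticationEntryPoint, which are assumed to be beans in the same package. The PasswordEncoder here is Spring's org.springframework.security.crypto.password.PasswordEncoder, not the custom class of the same name in the question, and the admin password is assumed to come from a property named orders.admin.password rather than being hard-coded.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: selected only for /orders/**. securityMatcher() is what the
    // question's BasicAuth adapter was missing; without it this chain would
    // swallow every request and the JWT chain would never run.
    @Bean
    @Order(1)
    SecurityFilterChain ordersBasicAuthChain(HttpSecurity http,
                                             UserDetailsService ordersAdmin) throws Exception {
        http
            .securityMatcher("/orders/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults())
            .userDetailsService(ordersAdmin)
            // Basic auth is sent on every request, so no session and no CSRF token are needed.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: selected only for /api/**. JwtRequestFilter and
    // JwtAuthenticationEntryPoint are the question's own beans (assumed to exist).
    @Bean
    @Order(2)
    SecurityFilterChain apiJwtChain(HttpSecurity http,
                                    JwtRequestFilter jwtRequestFilter,
                                    JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                // CORS preflight requests carry no Authorization header.
                .requestMatchers(HttpMethod.OPTIONS, "/api/**").permitAll()
                .anyRequest().authenticated())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(jwtAuthenticationEntryPoint))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    // Chain 3: no securityMatcher, so it catches everything the first two did not.
    // Only the public prefixes are open; anything else is denied rather than
    // silently passed through, which is the fail-closed default you want.
    @Bean
    @Order(3)
    SecurityFilterChain publicChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/**", "/public/**").permitAll()
                .anyRequest().denyAll())
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // In-memory admin for the /orders/** chain. The password is read from
    // the assumed property orders.admin.password instead of being hard-coded.
    @Bean
    UserDetailsService ordersAdmin(PasswordEncoder encoder,
                                   @Value("${orders.admin.password}") String adminPassword) {
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode(adminPassword))
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(admin);
    }
}
```

Two checks worth running after wiring this up: a request to /api/... with no token must get the JwtAuthenticationEntryPoint's response, not a Basic challenge, and a request to /orders/... with a valid JWT but no Basic credentials must be rejected, which confirms each prefix is reaching its own chain. One caveat that applies to the question's code as well: if JwtRequestFilter is annotated @Component, Spring Boot also registers it as an ordinary servlet filter on every request, outside Spring Security; either drop the annotation and register it only through addFilterBefore, or disable that registration with a FilterRegistrationBean whose setEnabled(false) is called.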
