I have an application that validates an authentication token to access its endpoints. It is important to note that I do not have a user logged in. This validation is made as follows:
I get the token and I call a REST API that tells me if that token is valid or not (this validation is made through a filter through which all the requests I receive pass).
But now I have to do another validation besides that. I need to decrypt the token to pick up a set of roles and see if, for certain endpoints, the rule validates. Initially I thought about using @Secured,
but I noticed that without a login it cannot know where the roles it should validate come from. So I thought I'd create a filter that would only be used on a few endpoints and validate the permissive role. Something like this:
    http
        .authorizeRequests(r ->
            r
                .antMatchers("/isAlive**").permitAll()
                .antMatchers("/users").permitAll()
                .and()
                .addFilterBefore(new RoleFilter(), UsernamePasswordAuthenticationFilter.class)
                .antMatchers("/cars").permitAll()
                .and()
                .addFilterBefore(new RoleFilter(), UsernamePasswordAuthenticationFilter.class)
                .anyRequest().permitAll()
                .and()
                .addFilterBefore(new AuthorizationFilter(), UsernamePasswordAuthenticationFilter.class))
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
As you can see, the AuthorizationFilter is the filter that must run for all endpoints except /isAlive. It validates whether the token is valid.
And RoleFilter should be used only on some endpoints to validate whether that token has the specific role that I need. But that doesn't work. It does not accept this structure with two filters. Any solution?
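As an added example (not code from the question), one way to get the behaviour described, every endpoint except /isAlive requires a valid token and only some endpoints additionally require a role, using a single filter plus ordinary URL rules. It assumes a hypothetical TokenService that wraps the existing REST validation call and the role decoding, and the role name CAR_READER is a placeholder.

```java
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical wrapper for the two token operations the question describes:
// isValid() is the existing REST check, roles() decodes the roles from the token.
interface TokenService { boolean isValid(String token); List<String> roles(String token); }

// One filter for every request: a valid token becomes an Authentication carrying the
// token's roles; anything else leaves the SecurityContext empty and the URL rules decide.
class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final TokenService tokens;
    TokenAuthenticationFilter(TokenService tokens) { this.tokens = tokens; }

    @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                              FilterChain chain) throws ServletException, IOException {
        String h = req.getHeader("Authorization");
        String token = (h != null && h.startsWith("Bearer ")) ? h.substring(7) : null;
        if (token != null && tokens.isValid(token)) {
            List<SimpleGrantedAuthority> auths = tokens.roles(token).stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r)) // hasRole("X") checks ROLE_X
                .collect(Collectors.toList());
            SecurityContextHolder.getContext().setAuthentication(        // 3-arg ctor => authenticated
                new UsernamePasswordAuthenticationToken(token, null, auths));
        }
        chain.doFilter(req, res);
    }
}

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final TokenService tokens;
    SecurityConfig(TokenService tokens) { this.tokens = tokens; }

    @Override protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilterBefore(new TokenAuthenticationFilter(tokens), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/isAlive**").permitAll()       // no token needed
                .antMatchers("/cars").hasRole("CAR_READER")  // valid token with this role
                .anyRequest().authenticated();               // valid token, any roles
    }
}
```

The per-endpoint role check is then expressed by hasRole() on the matcher instead of a second filter, and a missing or invalid token is rejected by the anyRequest().authenticated() rule (a 403 with Spring's default entry point; use exceptionHandling().authenticationEntryPoint(...) with an HttpStatusEntryPoint if a 401 is preferred).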