I have implemented several security configurations. For the first one, I need basic auth on the endpoint (test1).
```java
@Configuration
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AdminServiceImpl adminService;

    @Autowired
    private DataSource dataSource;

    @Value("/api/${smartwatcher.api-prefix}")
    private String apiPrefix;

    // HTTP Basic for POST <apiPrefix>/test1
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, apiPrefix + "/test1").authenticated()
                .and()
            .httpBasic();
    }

    // Users are loaded through adminService; passwords are checked with BCrypt
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(adminService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}
```
In the second one, the endpoints are accessible after auth with a session token. Joined together, the second config does not work properly; it looks like an authentication issue. Alone, it works perfectly. Any idea?
```java
@Configuration
@Order(2)
public static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AdminService adminService;

    @Value("/api/${smartwatcher.api-prefix}")
    private String apiPrefix;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers(apiPrefix + "/test2", apiPrefix + "/test3")
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .httpBasic().disable()
            .csrf().disable()
            .addFilterBefore(new AdminSessionTokenFilter(adminService), BasicAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, apiPrefix + "/test2").authenticated()
                .antMatchers(HttpMethod.DELETE, apiPrefix + "/test3").authenticated()
                .anyRequest().denyAll();
    }
}
```
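An added example, not part of the original post: the `@Order(1)` configuration scoped to its own endpoint with `requestMatchers()`, so that requests for `/test2` and `/test3` reach the `@Order(2)` chain and its `AdminSessionTokenFilter`. It assumes `AdminServiceImpl` is in the same package and implements `UserDetailsService`; the `anyRequest().denyAll()` rule is also an assumption about the intended policy.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AdminServiceImpl adminService; // the post's class; assumed to implement UserDetailsService

    @Value("/api/${smartwatcher.api-prefix}")
    private String apiPrefix;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this chain to /test1 only. Without requestMatchers() the chain
            // matches every request, and FilterChainProxy uses the first chain that
            // matches, so the @Order(2) chain would never see /test2 or /test3.
            .requestMatchers()
                .antMatchers(apiPrefix + "/test1")
                .and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers(HttpMethod.POST, apiPrefix + "/test1").authenticated()
                // Assumption: other methods on /test1 are rejected rather than left open.
                .anyRequest().denyAll()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(adminService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}
```

With both chains scoped, a request that matches neither passes through without any Spring Security filters applied. If such paths must be denied, add a lowest-priority catch-all configuration for them.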