I also have two separate paths to secure so each one has its own config.
My config: (the same for path-a & path-b)
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true)
    @Order(2)
    public class CandidateConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // This filter chain is only applied to requests under /path-a/
                .antMatcher("/path-a/**").authorizeRequests()
                    .antMatchers("/", LANDING_PAGE, "/path-a/login").permitAll()
                    .antMatchers("/path-a/**").hasRole(ROLE-A)
                .and().formLogin().loginPage("/path-a/login").permitAll()
                .and().logout().permitAll()
                .and().rememberMe()
                .and().csrf().disable();
        }
    }
I also have global method security enabled, and methods that are not on "path-a" or "path-b" are annotated with @RolesAllowed("ROLE-A"). The security part works well: only when authenticated will the methods work.
The only problem is that when the path is not identified, the Spring Security filters are not running; only the method security interceptor is. When there is no authentication, the RememberMe filter did not run to check the cookie, and now I get access denied.
How can I make the global method security paths run the remember-me filter?
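The situation described in the question, requests outside "/path-a/**" and "/path-b/**" reaching no filter chain, can be addressed by a catch-all chain that runs the remember-me filter before method security is evaluated. The following is an added example, not code from the original post; the class name `FallbackConfigurationAdapter`, the property `app.security.remember-me-key` and the presence of a `UserDetailsService` bean are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

// Hypothetical third adapter: ordered after the path-a and path-b adapters,
// so it only sees requests that neither of them matched.
@Configuration
@Order(3)
public class FallbackConfigurationAdapter extends WebSecurityConfigurerAdapter {

    // Assumed property name. The value must be identical to the key passed to
    // rememberMe().key(...) in the path-a and path-b adapters: the cookie is
    // signed with this key, and the default key is a random value generated
    // per configuration, which this chain could not validate.
    @Value("${app.security.remember-me-key}")
    private String rememberMeKey;

    // Assumed: the application exposes its UserDetailsService as a bean.
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No antMatcher(): this chain applies to any request.
            .authorizeRequests()
                // URL-level access stays open here; @RolesAllowed on the
                // methods remains the access decision for these paths.
                .anyRequest().permitAll()
            .and().rememberMe()
                .key(rememberMeKey)
                .userDetailsService(userDetailsService);
        // CSRF protection is left at its default (enabled) for this chain.
    }
}
```

For the cookie issued at "/path-a/login" to be accepted here, the path-a and path-b adapters need `.rememberMe().key(...)` set to the same value.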