Spring Security: multiple HTTP configurations do not work

I'm trying to use Spring Security, and I have a use case where I want different login pages and a different set of URLs to be protected.

Here is my configuration:

```java
@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            .formLogin()
                .loginPage("/admin/login").permitAll()
                .defaultSuccessUrl("/admin/home")
                .failureUrl("/admin/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}

@Configuration
@Order(2)
public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/consumer/login").permitAll()
                .antMatchers("/consumer/**").access("hasRole('BASE_USER')")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/consumer/login").permitAll()
                .defaultSuccessUrl("/consumer/home")
                .failureUrl("/consumer/login?error=true").permitAll()
                .usernameParameter("username")
                .passwordParameter("password")
                .and()
            .csrf()
                .and()
            .exceptionHandling().accessDeniedPage("/Access_Denied");
    }
}
```

These classes are inner classes of another MultipleHttpSecurityConfig class, which has the @EnableWebSecurity annotation.

Security for admin/** is working fine, but none of the consumer/** pages is secured; the redirect to the login page does not occur. I looked at other answers, but none of them worked.

2 answers

Check out the Spring Security Reference:

```java
@EnableWebSecurity
public class MultiHttpSecurityConfig {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {   // (1)
        // Note: on Spring Security 5+ a plain password needs an encoder id,
        // e.g. password("{noop}password"), or a PasswordEncoder bean.
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER").and()
                .withUser("admin").password("password").roles("USER", "ADMIN");
    }

    @Configuration
    @Order(1)                                                         // (2)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                                // (3)
                .authorizeRequests()
                    .anyRequest().hasRole("ADMIN")
                    .and()
                .httpBasic();
        }
    }

    @Configuration                                                    // (4)
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

(1) Set up authentication as usual.

(2) Create an instance of WebSecurityConfigurerAdapter that contains @Order to indicate which WebSecurityConfigurerAdapter should be considered first.

(3) http.antMatcher states that this HttpSecurity only applies to URLs starting with /api/.

(4) Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/, this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter, since its @Order value comes after 1 (no @Order by default).

The second configuration is not used because your first configuration matches /**. Your first configuration should be limited to /admin/** only.


Your first WebSecurityConfigurerAdapter

```java
http
    .authorizeRequests()
```

matches all URLs; restrict it to only URLs starting with /admin using antMatcher:

```java
@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/admin/**")
            .authorizeRequests()
                .antMatchers("/admin/login").permitAll()
                .antMatchers("/admin/**").access("hasRole('BASE_USER')")
                .and()
            ...
```
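The full shape of the fix that both answers describe, as an added example and not code from the question or either answer. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter, keeps the URL and role names from the question, and the DefaultSecurity class name is an assumption. Each scoped chain gets its own antMatcher, the catch-all chain comes last, and the "/" and "/home" rules move to the catch-all because inside an /admin/** chain they could never match.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    // Chain 1, consulted first. antMatcher() scopes the whole chain to
    // /admin/**, so nothing here is evaluated for /consumer/** or / requests.
    @Configuration
    @Order(1)
    public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/admin/**")
                .authorizeRequests()
                    // The login page and the POST that processes it share this URL.
                    .antMatchers("/admin/login").permitAll()
                    // Everything else in this chain needs the role. anyRequest()
                    // rather than antMatchers("/admin/**") means no gap opens if
                    // the antMatcher() pattern above is ever edited.
                    .anyRequest().hasRole("BASE_USER")
                    .and()
                .formLogin()
                    .loginPage("/admin/login").permitAll()
                    .defaultSuccessUrl("/admin/home")
                    .failureUrl("/admin/login?error=true")
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
            // CSRF protection is on by default; the question's .csrf() call is
            // harmless but adds nothing.
        }
    }

    // Chain 2, consulted second, scoped to /consumer/** the same way.
    @Configuration
    @Order(2)
    public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/consumer/**")
                .authorizeRequests()
                    .antMatchers("/consumer/login").permitAll()
                    .anyRequest().hasRole("BASE_USER")
                    .and()
                .formLogin()
                    .loginPage("/consumer/login").permitAll()
                    .defaultSuccessUrl("/consumer/home")
                    .failureUrl("/consumer/login?error=true")
                    .and()
                .exceptionHandling().accessDeniedPage("/Access_Denied");
        }
    }

    // Chain 3 (assumed name): no antMatcher(), so it is the catch-all for every
    // other URL. It relies on the adapter's default @Order(100) to come last;
    // a catch-all placed first would shadow the two scoped chains exactly as
    // the question's original first configuration did.
    @Configuration
    public static class DefaultSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    // Fail closed: a URL no chain explicitly opened up requires
                    // authentication instead of being silently public.
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    // Redirect target only; the page itself is served by chain 2.
                    .loginPage("/consumer/login");
        }
    }
}
```

Two checks worth running after a change like this. First, an unauthenticated `curl -i http://localhost:8080/consumer/home` should return a 302 to /consumer/login, and the same request against /admin/home a 302 to /admin/login; if either comes back 200, a chain earlier in the order is still swallowing the request. Second, @Order values on WebSecurityConfigurerAdapter instances must be unique, and Spring Security refuses to start when two collide, so keep the scoped chains at low explicit orders and leave the catch-all on the default. WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6.0; there the same layout is expressed as one SecurityFilterChain bean per chain, with http.securityMatcher("/admin/**") playing the role of antMatcher and the bean order carrying the precedence.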
