I have 2 classes which extend WebSecurityConfigurerAdapter, and I can't make them work together.
The idea is as follows:
- Have one WebSecurityConfigurerAdapter which only adds a custom filter to the security chain. The filter does some custom authentication and saves Authentication into SecurityContext. This generally works fine. Configured as follows (imports omitted):
    @Order(1)
    @Configuration
    @EnableWebMvcSecurity
    public class BestSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private BestPreAuthenticationFilter ssoAuthenticationFilter;

        @Bean
        protected FilterRegistrationBean getSSOAuthenticationFilter() {
            FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(ssoAuthenticationFilter);
            // Avoid include to the default chain
            filterRegistrationBean.setEnabled(false);
            return filterRegistrationBean;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .addFilterAfter(ssoAuthenticationFilter, SecurityContextPersistenceFilter.class);
        }

        @Configuration
        protected static class AuthenticationConfiguration extends
                GlobalAuthenticationConfigurerAdapter {

            @Autowired
            private BestAuthenticationProvider authenticationProvider;

            @Override
            public void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.authenticationProvider(authenticationProvider);
            }
        }
    }
- I want the above to be a kind of library class which anyone can include via @ComponentScan and get the custom authentication sorted. Obviously they want to provide a custom HttpSecurity to secure endpoints. Trying something like:
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/testUrl").hasRole("NON_EXISTING")
                    .anyRequest().authenticated();
        }
    }
Obviously the test URL should not be accessible, as my user is not a member of the role NON_EXISTING. Unfortunately she is.
If I move the security authorizeRequests() part to the configuration class from 1., next to adding the security filter, then it blocks the access as expected. But in my case it looks like the second configuration is ignored.
I also debugged the configure() methods and noticed that HttpSecurity is not the same object, which smells a bit.
Any tips on how I can make this work are much appreciated.
Sum up of the goal:
- have one WebSecurityConfigurerAdapter which adds the filter and is hidden from the user of the library
- let the user define her own custom endpoint security
Spring boot 1.1.6-RELEASE
Best Answer
Define a special interface
Then have just one ConfigurerAdapter:
and then just implement ServiceWebSecurityConfigurer elsewhere when needed. There can be multiple implementations as well, just autowire them as list and iterate and use them all in your main configuration.
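
As an added example (not the answerer's code), one way to realize the pattern this answer describes. Each WebSecurityConfigurerAdapter builds its own filter chain and only the first chain that matches a request is applied, which is why the question's second configuration never took effect; here a single adapter applies both the filter and the application's rules. The configure(HttpSecurity) method on ServiceWebSecurityConfigurer, the EndpointSecurity class and the fail-closed default are assumptions of this example.

```java
import java.util.Collections;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.stereotype.Component;

// Assumed shape of the interface the answer names; its method is not shown on the page.
interface ServiceWebSecurityConfigurer {
    void configure(HttpSecurity http) throws Exception;
}

// Library side: the only WebSecurityConfigurerAdapter, so there is one filter chain.
// The FilterRegistrationBean and AuthenticationConfiguration from the question stay as posted.
@Configuration
@EnableWebMvcSecurity
class BestSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private BestPreAuthenticationFilter ssoAuthenticationFilter;
    // Stays empty when the application registers no implementation.
    @Autowired(required = false)
    private List<ServiceWebSecurityConfigurer> configurers = Collections.emptyList();
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterAfter(ssoAuthenticationFilter, SecurityContextPersistenceFilter.class);
        if (configurers.isEmpty()) {
            // Fail closed (a choice of this example): no rules supplied means login required.
            http.authorizeRequests().anyRequest().authenticated();
        }
        for (ServiceWebSecurityConfigurer configurer : configurers) {
            configurer.configure(http); // same HttpSecurity object the filter was added to
        }
    }
}

// Application side: a plain bean, not a second WebSecurityConfigurerAdapter.
@Component
class EndpointSecurity implements ServiceWebSecurityConfigurer {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/testUrl").hasRole("NON_EXISTING")
                .anyRequest().authenticated();
    }
}
```

With several implementations, authorization rules are matched in the order they were added, so give the beans an explicit @Order rather than relying on injection order.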