
Spring Boot Security, adding filters to different routes

Posted on 2016-08-08
Last Modified: 2016-08-08
I'm trying to put together a single application that contains both an API and an Admin interface using Spring Boot.

The idea is that all API endpoints will be accessible via domain.com/api/ and the admin interface under domain.com/admin/.

The Admin interface and the API need different types of authentication, so somehow in the Spring Security configuration I need to define a filter for routes starting with /api/ and define another route to be called for routes starting with /admin/.

This is my security config class, which I thought might work, but it doesn't.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    AuthenticationFilter authenticationFilter;

    @Autowired
    AdminAuthenticationFilter adminAuthenticationFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()

                // Allow anonymous visitors to auth controller methods
                .antMatchers("/admin/auth/**").permitAll()

                .antMatchers("/admin/**").authenticated().addFilterBefore(adminAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                .antMatchers("/api/**").authenticated().addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class)

                // All other requests need to be authenticated
                .anyRequest().authenticated();

        http.exceptionHandling().accessDeniedPage("/auth/403");
    }

}

Question by:SheppardDigital
Accepted Solution

by: SheppardDigital
ID: 41747175
I managed to resolve this myself.

        http.authorizeRequests().antMatchers("/admin/auth/**").permitAll();
        http.authorizeRequests().antMatchers("/admin/**").authenticated().and().addFilterBefore(adminAuthFilter, UsernamePasswordAuthenticationFilter.class);

        http.authorizeRequests().antMatchers("/api/auth/**").permitAll();
        http.authorizeRequests().antMatchers("/api/**").authenticated().and().addFilterBefore(apiAuthFilter, UsernamePasswordAuthenticationFilter.class);

Author Closing Comment

by:SheppardDigital
ID: 41747176
Self resolved