Create an account

Very important

  • To access the important data of the forums, you must be active in each forum and especially in the leaks and database leaks section, send data and after sending the data and activity, data and important content will be opened and visible for you.
  • You will only see chat messages from people who are at or below your level.
  • More than 500,000 database leaks and millions of account leaks are waiting for you, so access and view with more activity.
  • Many important data are inactive and inaccessible for you, so open them with activity. (This will be done automatically)

0Day Forums Coding FrameWork Spring Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns

Thread Rating:
  • 462 Vote(s) - 3.47 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Options
Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns

Offline henware257370


Member
*
Member
Posts: 1
Threads: 1
Joined: Mar 2022
Reputation: 0
Level: 1 [Level]
Total Points: 0
Rank 0 / 1
99% to upload Level
Rank
Activity 0 / 1
99% to upload your Rank
Activity
Experience 1
99% to upload Experience
Experience

Points: 50
#1
08-02-2023, 07:21 AM
I am trying to set up multiple WebsecurityConfigurerAdapter for my project where the spring boot actuator APIs are secured using basic auth and all other endpoints are authenticated using JWtAuthentication. I am just not able to make it work together, only the config with the lower order works. I am using Spring Boot 2.1.5.RELEASE

Security Config One with JWT Authenticator

@Order(1)
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String[] AUTH_WHITELIST = {
"/docs/**",
"/csrf/**",
"/webjars/**",
"/**swagger**/**",
"/swagger-resources",
"/swagger-resources/**",
"/v2/api-docs"
};

@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(AUTH_WHITELIST).permitAll()
.antMatchers("/abc/**", "/abc/pdf/**").hasAuthority("ABC")
.antMatchers("/ddd/**").hasAuthority("DDD")
.and()
.csrf().disable()
.oauth2ResourceServer().jwt().jwtAuthenticationConverter(new GrantedAuthoritiesExtractor());
}
}


The basic Auth config with username/password

@Order(2)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

/* @Bean
public UserDetailsService userDetailsService(final PasswordEncoder encoder) {
final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(
User
.withUsername("user1")
.password(encoder.encode("password"))
.roles("ADMIN")
.build()
);
return manager;
}

@Bean PasswordEncoder encoder(){
return new BCryptPasswordEncoder();
}*/

@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/actuator/**").hasRole("ADMIN")
.and()
.httpBasic();
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("user1").password("password").authorities("ADMIN");
}
}

I have been trying to make it work for many days but cannot make both of them work together. If i swap the order, only basic auth works and not the JWT Auth Manager.

I have gone through a lot of SOF Questions, like

[

[To see links please register here]

][1]

[

[To see links please register here]

][1]


[

[To see links please register here]

][1]

[

[To see links please register here]

][1]

Nothing seems to be working, is this a known issue in Spring?

Reply

Offline flashingsldnxypvhpx


Valued member
***
Valued member
Posts: 0
Threads: 0
Joined: Mar 2019
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#2
08-02-2023, 07:54 AM
To use multiple `WebsecurityConfigurerAdapter`, you need restrict them to specific URL patterns using [`RequestMatcher`][1].

In your case you can set a higher priority for `ActuatorSecurityConfig` and limit it only to actuator endpoints:


@Order(-1)
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers().antMatchers("/actuator/**")
.and()
.authorizeRequests().anyRequest().hasRole("ADMIN")
.and()
.httpBasic();
}
}


[1]:

[To see links please register here]

Reply

« Next Oldest
Next Newest »


Forum Jump:


Users browsing this thread:
1 Guest(s)

©0Day  2016 - 2023 | All Rights Reserved.  Made with    for the community. Connected through