
After upgrading some of the APIs to version 2, I have to configure a custom filter on authentication failures to give newly formatted error responses to the user. I have encountered a problem there, since the version 2 URLs also follow the same URL pattern that the existing filter has been configured for.

Previously, I added the following configuration to authenticate protected URL patterns.

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .exceptionHandling()
            .authenticationEntryPoint(this.authenticationEntryPoint)
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        .authorizeRequests()
            .antMatchers("/*/login").permitAll()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .antMatchers("/auth/refresh-token").permitAll()
            .antMatchers("/auth/external/login").permitAll()
            .and()
        .authorizeRequests()
            .antMatchers("/api/**").authenticated() // Protected API end-points
            .and()
        .addFilterBefore(buildLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(buildProgrmmaticAuthProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
        .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
```

As you can see, URLs starting with /api/** are configured to be authenticated and filtered using the filters added.

Now the problem is that version 2 URLs also start with /api, but I need to configure a different filter for them, something like the one given below.

```java
http
    .exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint)
    .and().authorizeRequests()
    .antMatchers("/api/something/v2/**").authenticated()
    .and()
    .addFilterBefore(buildJwtAuthProcessingFilterForVersionTwo(), UsernamePasswordAuthenticationFilter.class);
```

Since the URLs starting with api/ have already been caught by the first configuration, the new configuration doesn't count.

Is there any way that I can add a URL pattern to the FIRST configuration which takes URLs starting with /api into consideration, but excludes URLs like /api/**/v2/**?

vigamage
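Added example, not part of the original question or the asker's project: `addFilterBefore` attaches a filter to every request the chain handles, while `antMatchers` only governs authorization, so the version split has to be expressed with a `RequestMatcher`. The sketch assumes Spring Security 5 with `WebSecurityConfigurerAdapter`; `ApiVersionMatchers`, `ApiV2SecurityConfig`, `v2EntryPoint` and `v2JwtFilter` are hypothetical names.

```java
import javax.servlet.Filter;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Hypothetical helper: matchers that split /api traffic by version. */
final class ApiVersionMatchers {
    static final RequestMatcher V2 = new AntPathRequestMatcher("/api/**/v2/**");
    // Matches /api/** except anything V2 matches (the exclusion asked about).
    static final RequestMatcher V1 = new AndRequestMatcher(
            new AntPathRequestMatcher("/api/**"), new NegatedRequestMatcher(V2));
    private ApiVersionMatchers() { }
}

/** Separate chain for v2; @Order(1) is consulted before the default order (100). */
@Configuration
@Order(1)
class ApiV2SecurityConfig extends WebSecurityConfigurerAdapter {
    private final AuthenticationEntryPoint v2EntryPoint; // assumed: v2 error format
    private final Filter v2JwtFilter;                    // assumed: v2 JWT filter

    ApiV2SecurityConfig(AuthenticationEntryPoint v2EntryPoint, Filter v2JwtFilter) {
        this.v2EntryPoint = v2EntryPoint;
        this.v2JwtFilter = v2JwtFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatcher(ApiVersionMatchers.V2) // this chain sees v2 requests only
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(v2EntryPoint).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().anyRequest().authenticated().and()
            .addFilterBefore(v2JwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

The existing adapter can stay at its default order; because the first matching chain wins, v2 requests never reach its filters. If the existing JWT filter extends `AbstractAuthenticationProcessingFilter` (an assumption), `ApiVersionMatchers.V1` can instead be passed to its constructor to keep everything in one chain.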

0 Answers