2

I have a requirement where all of the calls are authenticated with JWT/Filters but now I want that all the calls having /restexternal/ should bypass jwt authentication and should go with basic authentication. Is it possible to have 2 web security configurer or something? How we can achieve this?

I am able to exclude specific url from JWT authentication but how can I ask spring to go for basic auth? TIA

Roobal Jindal
  • 214
  • 2
  • 13

3 Answers3

2

Spring Security supports multiple authentication also. You can refer here

You can refer this for different authentication for different APIs address: spring-multiple-authentication-methods-for-different-api-endpoints

  • I am not looking for different type of authentication implementations. I want to merge JWT and Basic auth. Thats different that having multiple authproviders. – Roobal Jindal Dec 19 '19 at 10:39
  • Please look at this, if this also not meet your requirement, let me know: https://stackoverflow.com/questions/54706291/spring-multiple-authentication-methods-for-different-api-endpoints –  Dec 19 '19 at 10:45
  • If I mention two configurers with @Order(1) and @Order(2), will both be executed? and in which order? Means I have to mention my basic auth url in @Order(1) and jwt urls in @Order(2) ? Will both work? – Roobal Jindal Dec 19 '19 at 11:04
  • yes, first it go to @Order(1) and if API need to be authenticated, it will try to authenticate it otherwise pass to @Order(2). if authentication by @Order(1) fails, it try to authenticate by @Order(2). –  Dec 19 '19 at 12:20
  • @RoobalJindal, is it resolved ? –  Dec 26 '19 at 04:09
  • Well, it didnt work but yeah, I did something else. I am using GKE cluster (Kubernetes) so I applied basic authentication of Ingress rule. Thanks :) – Roobal Jindal Dec 27 '19 at 10:57
1

Yes, you can have multiple filters in your apps. 

 @SpringBootApplication
 public class SpringBootJwtApplication {

 @Bean
 public FilterRegistrationBean jwtFilter() {
    final FilterRegistrationBean registrationBean = new FilterRegistrationBean();
    registrationBean.setFilter(new JwtFilter());
    registrationBean.addUrlPatterns("/secure/*");


    registrationBean.setFilter(new BasicAuth());
    registrationBean.addUrlPatterns("/restexternal/*");
    return registrationBean;
}

public static void main(String[] args) {
    SpringApplication.run(SpringBootJwtApplication.class, args);
}

Where Urls having path secure will be filtered by JwtFilter and restexternal by BasicAuth.

manikant gautam
  • 3,521
  • 1
  • 17
  • 27
  • We are implementing ResourceServerConfigurerAdapter and overriding its configure() for adding JWT filter. How can we add Basic auth there for our specif url? Do you have any blog link? – Roobal Jindal Dec 19 '19 at 10:28
-1

We can't do both at the same time. i had a scenario where i had to use basic auth for one of my project and JWT for another one and both packages were in single project with different endpoint.

If you will put both authentication together, JWT will always be called not the basic authentication.

GauravRai1512
  • 834
  • 6
  • 14
  • I am also facing same issue. – Roobal Jindal Dec 19 '19 at 10:40
  • We can do this using 2 authorization provider and endpoints.. : https://stackoverflow.com/questions/54706291/spring-multiple-authentication-methods-for-different-api-endpoints –  Dec 19 '19 at 10:47