
I have developed a regular Spring MVC application, and want to add some REST controllers for developing a mobile application. I have written the REST controller, and multiple Spring Security configurations.

Problem is, they are in precedence, hence both are loaded at once, and the whole application breaks down. I want to use one based upon what type of request it is getting; for example, if I am requesting from Postman, the REST API security configuration should work, and if we are using the web, the web security configuration should work.

Here is my implementation. I don't know how to achieve that; please suggest what is the right way to do this, as separating the whole Thymeleaf and MVC controller and moving altogether to Angular is not possible at this stage.

Please note that, we have all rest api defined in /v1/ap1/** and all other mvc part is in /**

Any comments or suggestions would be much appreciated; it has been killing my days for 3 days. Thanks in advance.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.AuthenticationEntryPoint;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        // ... other codes

        @Configuration
        @Order(1)
        public static class RestAPISecurity extends WebSecurityConfigurerAdapter {
            // .. other codes

            // customAuthenticationEntryPoint and CustomAccessDeniedHandler are the
            // application's own classes; the entry point is assumed to be injected here
            @Autowired
            private AuthenticationEntryPoint customAuthenticationEntryPoint;

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // This @Order(1) chain has no antMatcher()/requestMatcher(), so it claims
                // every request and the MVC chain below is never consulted.
                http
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                    .antMatchers("/api/signin/**").permitAll()
                    .antMatchers("/api/v1/**").hasAnyAuthority("ADMIN", "USER")
                    .antMatchers("/api/users/**").hasAuthority("ADMIN")
                    // shadowed: the earlier "/api/v1/**" rule already matches these requests
                    .antMatchers("/api/v1/**").authenticated()
                    .antMatchers("/login", "/logout", "/register", "/j_spring_security_check").permitAll()
                    .anyRequest().authenticated()
                    .and().exceptionHandling().authenticationEntryPoint(customAuthenticationEntryPoint).accessDeniedHandler(new CustomAccessDeniedHandler());
            }
        }

        // .. other codes
        @Configuration
        @Order(2)
        public static class MVCSecurityConfiguration extends WebSecurityConfigurerAdapter {
            // .. other codes
            // form login and other MVC stuffs
        }
    }
Abhishek Soni

1 Answer


You can add a request matcher for the first Spring Security filter chain, and everything else goes to the second chain.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(httpServletRequest -> {
                // the header may be absent, so guard against null before calling contains()
                String userAgent = httpServletRequest.getHeader("User-Agent");
                // If you want to check based on content type
                String contentType = httpServletRequest.getContentType();

                // check what value Postman sends as User-Agent and use it
                return userAgent != null && userAgent.contains("....");
            })
            .sessionManagement()
            ....
    }
  • Thanks @Kavithakaran, this works for me. I am able to solve my issue; I was puzzled for 3 days. Thanks a lot. – Abhishek Soni Jul 09 '20 at 15:33
  • Please note, do not use this mechanism to keep one secured and other one unsecured. As anyone can add a header and get through. So make sure both configurations need authentication and authorisation – Kavithakaran Kanapathippillai Jul 09 '20 at 15:38
  • Yeah, sure I have implemented those things, I will post detailed solution. Internet is flooded with hello world sort of things. – Abhishek Soni Jul 09 '20 at 15:43
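Since the question states that all REST endpoints live under one path prefix, the first chain can be scoped by path with `antMatcher(...)` instead of by a client-controlled header; the second chain, with no matcher, takes everything else. This is an added example, not the question's or the answer's code; the class names, the exact paths and the use of `HttpStatusEntryPoint` are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: antMatcher() scopes the whole chain to /api/**; the antMatchers()
    // rules below then authorize within that scope. Other URLs never reach it.
    @Configuration
    @Order(1)
    public static class RestApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/api/signin/**").permitAll()
                    .antMatchers("/api/users/**").hasAuthority("ADMIN")
                    .antMatchers("/api/v1/**").hasAnyAuthority("ADMIN", "USER")
                    .anyRequest().authenticated()
                .and()
                // API clients get a plain 401 instead of a redirect to the login page
                .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }
    }

    // Chain 2: no antMatcher, so it handles every request chain 1 did not claim.
    // Both chains still require authentication; only the mechanism differs.
    @Configuration
    @Order(2)
    public static class MvcSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/login", "/register", "/css/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutUrl("/logout");
        }
    }
}
```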