
I've got 2 configurations in my app. The first one is

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable().cors()
            .and()
            .authorizeRequests()
                .antMatchers("/api/project/projectIds", "/api/project/**/involvement")
                .permitAll()
            .and()
            .addFilter(new JwtAuthorizationFilter(authenticationManager(), secret, clientId, tokenVerificationUrl))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

It is annotated with @Order(1).

The second one has @Order(2) and looks like:

    http
        .addFilterBefore(new RedirectUrlFilter(projectDomainPath), OAuth2LoginAuthenticationFilter.class)
        .csrf().disable().cors()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .and()
        .authorizeRequests()
            .antMatchers("/static/**", "/logout").permitAll()
            .anyRequest().authenticated()
        .and()
        .addFilter(new JwtAuthorizationFilter(authenticationManager(), secret, clientId, tokenVerificationUrl))
        .logout()
            .logoutUrl("/logout")
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            .logoutSuccessUrl("/")
            .deleteCookies("JSESSIONID")
        .and()
        .oauth2Login()
            .loginPage(DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/" + realm);

The problem is that even if I go to, for example, the login page, I'm still stuck in the first one. The program never uses the second one. I thought that the antMatchers in configuration 1 would ensure that only those 2 specified APIs use that configuration and the rest would go to configuration number 2. What have I done wrong?

EDIT: after reading the suggested answer, I've changed my configuration to

    http
        .csrf().disable().cors()
        .and()
        .antMatcher("/api/project/**")
        .authorizeRequests()
            .antMatchers("/api/project/projectIds", "/api/project/**/involvement").permitAll()
        .and()
        .addFilter(new JwtAuthorizationFilter(authenticationManager(), secret, clientId, tokenVerificationUrl))
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

and now it is almost fine. The problem is that under /api/project I have more APIs than these 2, so I would like requests to go to the second configuration if /api/project/... is neither /api/project/projectIds nor /api/project/**/involvement.

  • I don't think so, because I've got the Order set, but still if I go to API /api/login I'm stuck in configuration 1. From what I've read it may be the problem of `authorizeRequests().antMatchers()`, and in the link you've sent it says it should rather be `antMatcher(uri).authorizeRequests()`, but then how can I ensure 2 URIs? `antMatcher` can only take one. – mario Sep 03 '20 at 08:12
  • So the correct configuration would be `http .csrf().disable().cors() .and() .antMatcher("/api/project/projectIds") .antMatcher("/api/project/**/involvement") .addFilter(new JwtAuthorizationFilter(authenticationManager(), secret, clientId, tokenVerificationUrl)) .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);`? – mario Sep 03 '20 at 08:15
  • And when I did as mentioned before, now I'm only going into configuration 2, even if I try to use Postman on /api/project/projecdIds ... – mario Sep 03 '20 at 08:27
  • 1
    You already understand, that your two configurations need different `antMatcher` (without `s`). To use it with different pattern, you could use [`requestMatchers`](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html#requestMatchers--) instead of `antMatcher`. – dur Sep 03 '20 at 10:33
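The following is an added example, not code from the question or from the asker's project, showing the two-chain layout the question's EDIT is aiming for and the `requestMatchers()` approach dur's comment points to. The root cause of the original behaviour is that a `WebSecurityConfigurerAdapter` without `antMatcher()`/`requestMatchers()` builds a `SecurityFilterChain` that claims every request, so the `@Order(1)` chain swallowed everything and chain 2 was never consulted; `authorizeRequests().antMatchers(...)` only decides access inside a chain, it does not decide which chain handles the request. The class names `MultiHttpSecurityConfig`, `PublicProjectApiConfig` and `WebSecurityConfig` are assumptions; the custom `JwtAuthorizationFilter`, `RedirectUrlFilter` and the `loginPage(...)` call from the question are omitted here and would be added back with the same `addFilter`/`addFilterBefore`/`loginPage` lines as in the original:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Assumed outer class name; nested static adapters are the pattern Spring Security
// documents for multiple filter chains in one application.
@Configuration
public class MultiHttpSecurityConfig {

    // Chain 1 (assumed name): claims ONLY the two public project endpoints.
    // requestMatchers() decides which requests this chain handles at all; a request
    // that matches none of its patterns is not touched by this chain and falls
    // through to the next @Order'ed chain. The question's JwtAuthorizationFilter
    // would be re-added here with addFilter(...) exactly as before.
    @Configuration
    @Order(1)
    public static class PublicProjectApiConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                    // A single '*' matches exactly one path segment, e.g.
                    // /api/project/42/involvement. The question's '**' would also
                    // match /api/project/involvement and /api/project/a/b/involvement,
                    // widening the unauthenticated surface; this assumes the real
                    // URL shape is /api/project/{id}/involvement.
                    .antMatchers("/api/project/projectIds", "/api/project/*/involvement")
                    .and()
                .csrf().disable()
                .cors().and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // Inside the chain, authorizeRequests() only decides WHO may call
                // the matched URLs; since the chain only ever sees these two, a
                // blanket permitAll() is explicit about what is public.
                .authorizeRequests()
                    .anyRequest().permitAll();
        }
    }

    // Chain 2 (assumed name): has no requestMatchers(), so it matches every request
    // chain 1 did not claim, including every other /api/project/... URL, which
    // therefore requires authentication. It must stay LAST: a catch-all chain
    // ordered before chain 1 would hide chain 1 completely.
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .cors().and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED).and()
                .authorizeRequests()
                    .antMatchers("/static/**", "/logout").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .invalidateHttpSession(true)
                    .clearAuthentication(true)
                    .deleteCookies("JSESSIONID")
                    .logoutSuccessUrl("/")
                    .and()
                .oauth2Login();
        }
    }
}
```

To check the split without a browser, send a request to `/api/project/projectIds` and to some other `/api/project/...` path with no credentials: the first should return the resource, the second a 401/redirect to the login page. Note also that calling `http.antMatcher(...)` twice, as tried in the comments, does not add a second pattern; each call replaces the chain's single matcher, which is why only the last pattern took effect and the other request fell into chain 2.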
