For my SpringBoot project I configured Spring Security with a custom filter in order to authenticate the REST APIs.

Now I have two APIs sets and I need to have two different filters:

E.g.:

/api/**   -> FilterA
/admin/** -> FilterB

I tried to configure the Spring Security in this way:

//session management
http
        .anonymous().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf().disable();

//filter
http
        .antMatcher("/api/**")
        .addFilterBefore(new FilterA(), AbstractPreAuthenticatedProcessingFilter.class)
        .authorizeRequests();

//filter
http
        .antMatcher("/admin/**")
        .addFilterBefore(new FilterB(), AbstractPreAuthenticatedProcessingFilter.class)
        .authorizeRequests()
        .anyRequest()
        .authenticated();

http
        .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));

This does not work fine: Filter B validates /api/** requests as well. Is it possible to have this? How can I configure it in order to reach the goal?

Safari

1 Answer

You can have a single filter injecting 2 different strategy classes, one implementing the strategy A and the other implementing strategy B.

Then the filter class will call the right strategy according to the request path.

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

public class SecurityFilter extends GenericFilterBean {
  private final SecurityStrategyA secA;
  private final SecurityStrategyB secB;

  // Match on servletPath + pathInfo through Spring Security's own matcher
  // rather than on the raw, undecoded request URI.
  private final AntPathRequestMatcher apiMatcher = new AntPathRequestMatcher("/api/**");
  private final AntPathRequestMatcher adminMatcher = new AntPathRequestMatcher("/admin/**");

  // Constructor injection, so the config class can build the filter itself
  // with new SecurityFilter(secA, secB) instead of relying on field autowiring.
  public SecurityFilter(SecurityStrategyA secA, SecurityStrategyB secB) {
    this.secA = secA;
    this.secB = secB;
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // Call the right security strategy according to the request path.
    if (apiMatcher.matches(request)) {
      secA.secure();
    } else if (adminMatcher.matches(request)) {
      secB.secure();
    }

    chain.doFilter(request, response);
  }
}

Config class

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity(debug = false)
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  private SecurityStrategyA secA;

  @Autowired
  private SecurityStrategyB secB;

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    //session management
    http
        .anonymous().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf().disable();

    // One chain covering both path sets. antMatcher() sets the single matcher
    // of this HttpSecurity, so calling it twice keeps only the last value;
    // requestMatchers() is the way to list several paths for one chain.
    http
        .requestMatchers()
            .antMatchers("/api/**", "/admin/**")
            .and()
        .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
        // The filter has to run before FilterSecurityInterceptor takes the
        // authorization decision, so the chosen strategy has already put an
        // Authentication into the SecurityContext by then.
        .addFilterBefore(securityFilter(), FilterSecurityInterceptor.class);

    http
        .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
  }

  // Deliberately not a @Bean: Spring Boot registers every Filter bean with the
  // servlet container too, which would run it again outside the security chain.
  public SecurityFilter securityFilter() {
    return new SecurityFilter(secA, secB);
  }
}
Mozart Brocchini
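The question as asked ("two API sets, two filters") also has a direct answer in Spring Security itself: one `WebSecurityConfigurerAdapter` per path space, ordered with `@Order`, each with its own `antMatcher` and its own filter. The `FilterChainProxy` picks the first chain whose matcher accepts the request, so a filter added to the `/admin/**` chain is never executed for `/api/**`. The following is an added example, not code from the question or the answer above; `FilterA` and `FilterB` are the asker's own classes (assumed here to authenticate the request and populate the `SecurityContext`) and are not defined on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Added example: two ordered security filter chains, one per path space.
// FilterA / FilterB are assumed to exist (the asker's filters, not shown here).
@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Settings both chains share: no anonymous principal, no HTTP session,
    // no CSRF token for a token-authenticated REST API, and a plain 401
    // instead of a login redirect when authentication is missing.
    private static void applyCommon(HttpSecurity http) throws Exception {
        http
            .anonymous().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
    }

    // Evaluated first: only requests under /api/** enter this chain, so
    // FilterA is the only custom filter they ever pass through.
    @Configuration
    @Order(1)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            applyCommon(http);
            http
                .antMatcher("/api/**")
                .addFilterBefore(new FilterA(), AbstractPreAuthenticatedProcessingFilter.class)
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    // Evaluated second: /admin/** gets FilterB and nothing from the API chain.
    @Configuration
    @Order(2)
    public static class AdminChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            applyCommon(http);
            http
                .antMatcher("/admin/**")
                .addFilterBefore(new FilterB(), AbstractPreAuthenticatedProcessingFilter.class)
                .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }
}
```

Two things to check when using this layout. First, a request matching neither `antMatcher` is passed through by `FilterChainProxy` with no security filters at all, so an application with other endpoints needs a final, lower-priority adapter that covers everything else. Second, `FilterA` and `FilterB` must not be declared as `@Bean` or `@Component`: Spring Boot registers every `Filter` bean with the servlet container, and the filter would then run for every request outside the security chain, which is one way a filter meant for `/admin/**` ends up "validating" `/api/**` as well.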