I want to run a Vaadin 23 frontend but also have a REST API in my application. I want to use Token-Based (JWT) authentication for the REST API and Standard form-based for the frontend. I have tested a lot of different configurations from examples in the Spring Security documentation and around the internet. The only configuration where both options get called upon initialization is this one:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
public class SecurityConfiguration extends VaadinWebSecurity {
    // ... other stuff here (authTokenFilter(), LOGOUT_URL, LoginView) ...

    // Stateless JWT chain for the REST API. No request matcher is set on this
    // HttpSecurity, so the chain is offered every incoming request.
    @Bean
    @Order(1)
    public SecurityFilterChain restFilterChain(HttpSecurity http) throws Exception {
        return http
                .cors().and().csrf().disable()
                .authorizeRequests().antMatchers("/api/login").anonymous().and()
                .authorizeRequests().antMatchers("/api/**").authenticated().and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .addFilterBefore(authTokenFilter(), UsernamePasswordAuthenticationFilter.class)
                .build();
    }

    // Session-based form-login chain for the Vaadin UI, built on the
    // VaadinWebSecurity defaults.
    @Bean
    @Order(2)
    public SecurityFilterChain frontendFilterChain(HttpSecurity http) throws Exception {
        super.configure(http);
        setLoginView(http, LoginView.class, LOGOUT_URL);
        return http.build();
    }
}
```
Both configuration blocks work; I have tried with either one being `@Order(1)` and the other being `@Order(2)`. The configuration that gets `@Order(1)` is called on login and authentication works. But there is no fallback to `@Order(2)`, regardless of how the other attempt ends (with `.denyAll()` or just "nothing"). What am I missing here?
Spring Version: 5.3.22
Spring Security Version: 5.7.3
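The following is an added example, not code from the question, showing how two `SecurityFilterChain` beans are normally scoped in Spring Security 5.7 so that one handles `/api/**` statelessly with a JWT filter and the other handles the Vaadin UI with form login. It assumes `antMatcher("/api/**")` on the REST chain (the request matcher that decides which chain claims a request), that the Vaadin chain is supplied by overriding `configure(HttpSecurity)` as in Vaadin's documented pattern (so `VaadinWebSecurity`'s own chain bean, which carries no `@Order`, sorts last), that the question's `authTokenFilter()` is available as an injectable servlet `Filter`, and a placeholder `LOGOUT_URL` value; `LoginView` is taken from the question.

```java
import javax.servlet.Filter;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends VaadinWebSecurity {

    // Placeholder value; the question does not show the real logout URL.
    private static final String LOGOUT_URL = "/logout";

    // Assumption: the question's authTokenFilter() (the JWT filter) is a bean
    // and is injected here as a plain servlet Filter.
    private final Filter authTokenFilter;

    public SecurityConfiguration(Filter authTokenFilter) {
        this.authTokenFilter = authTokenFilter;
    }

    // Chain 1 is consulted first, but antMatcher() limits it to /api/**.
    // Requests outside /api/** are not claimed by this chain and fall through
    // to the next one; without antMatcher() the chain would match every
    // request and no later chain would ever be reached.
    @Bean
    @Order(1)
    public SecurityFilterChain restFilterChain(HttpSecurity http) throws Exception {
        return http
                .antMatcher("/api/**")
                .cors().and()
                // CSRF is disabled only here: this chain is stateless and carries
                // no session cookie, so there is no cookie-based CSRF exposure.
                .csrf().disable()
                .authorizeRequests(auth -> auth
                        .antMatchers("/api/login").anonymous()
                        .anyRequest().authenticated())
                .sessionManagement(session -> session
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .addFilterBefore(authTokenFilter, UsernamePasswordAuthenticationFilter.class)
                .build();
    }

    // Chain 2: VaadinWebSecurity builds its own SecurityFilterChain bean from
    // configure(). It has no @Order, so it sorts after the REST chain and
    // handles the Vaadin UI with session-based form login (CSRF stays on).
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        setLoginView(http, LoginView.class, LOGOUT_URL);
    }
}
```

A quick check that the split is in effect: an unauthenticated browser request to `/` should be redirected to the Vaadin login view, while an unauthenticated request to `/api/anything` should get a 401 or 403 from the JWT chain rather than a redirect to the login page. If both paths behave the same way, the first chain is still claiming every request.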