
I have a Spring Boot 3 application with Spring Security 6. I am having a hard time understanding how security filters work. I have for the moment 3 exposed endpoints: /endpoint1, /endpoint2 and /endpoint3. I also have 2 filters, Filter1.java and Filter2.java. I want to configure my security in a way that Filter1 only gets triggered when /endpoint1 is called, Filter2 only when /endpoint2 gets called, and for /endpoint3 no filter at all.

The outcome I am getting is that both filters are getting triggered when calling any of the endpoints.

This is my SecurityFilterChain configure method:

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .cors()
                .and()
                .authorizeHttpRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                .permitAll()
                .requestMatchers(new AntPathRequestMatcher("/endpoint3/**"))
                .permitAll()
                .requestMatchers(new AntPathRequestMatcher("/error/**"))
                .permitAll()
                .requestMatchers(new AntPathRequestMatcher("/endpoint1/**"))
                .authenticated()
                .requestMatchers(new AntPathRequestMatcher("/endpoint2/**"))
                .authenticated()
                .anyRequest()
                .denyAll()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // Both filters are added to the one chain, so both run for every request it handles
                .addFilterBefore(
                        new Filter1(),
                        UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(
                        new Filter2(),
                        UsernamePasswordAuthenticationFilter.class)
                .logout()
                .logoutSuccessHandler((request, response, authentication) -> SecurityContextHolder.clearContext());
        return http.build();
    }

I tried to do the following but it didn't make any difference:

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .cors()
                .and()
                .authorizeHttpRequests()
                .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                .permitAll()
                .requestMatchers(new AntPathRequestMatcher("/endpoint3/**"))
                .permitAll()
                .requestMatchers(new AntPathRequestMatcher("/error/**"))
                .permitAll()
                .and()
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(new AntPathRequestMatcher("/endpoint1/**"))
                        .authenticated()
                        .and()
                        .addFilterBefore(
                                new Filter1(),
                                UsernamePasswordAuthenticationFilter.class))
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(new AntPathRequestMatcher("/endpoint2/**"))
                        .authenticated()
                        .and()
                        .addFilterBefore(
                                new Filter2(),
                                UsernamePasswordAuthenticationFilter.class))
                .authorizeHttpRequests()
                .anyRequest()
                .denyAll()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .logout()
                .logoutSuccessHandler((request, response, authentication) -> SecurityContextHolder.clearContext());
        return http.build();
    }

I have searched to find an answer to my issue but only found solutions for Spring Boot 2 using antMatchers() methods, but it is deprecated in Spring Boot 3 because of Spring Security 6. I also tried to create multiple SecurityFilterChains with @Bean and @Order annotations on top of them but the filters stopped being triggered on all endpoints.

hajjoujti
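The behaviour in the question follows from how a single SecurityFilterChain works: `authorizeHttpRequests` rules only decide whether a request is allowed to reach a path, while `addFilterBefore` puts a filter into the chain for every request the chain handles. If the goal is to keep one chain, the path restriction has to live in the filter itself. The following is an added example, not code from the question; `PathScopedFilter`, the `filter1.ran`/`filter2.ran` attributes and the bodies of `Filter1`/`Filter2` are assumptions standing in for the asker's classes, which are not on the page. It uses Spring's `OncePerRequestFilter.shouldNotFilter`, which is consulted before `doFilterInternal` on each request.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical base class: a filter that is a no-op outside one URL pattern.
// OncePerRequestFilter calls shouldNotFilter() before doFilterInternal(), so a
// request outside the pattern is handed straight to the next filter in the chain.
abstract class PathScopedFilter extends OncePerRequestFilter {

    private final RequestMatcher scope;

    protected PathScopedFilter(String antPattern) {
        this.scope = new AntPathRequestMatcher(antPattern);
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !scope.matches(request);
    }
}

// Stand-ins for the question's Filter1 and Filter2 (their real bodies are not on the page).
class Filter1 extends PathScopedFilter {
    Filter1() { super("/endpoint1/**"); }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        // Endpoint-specific work (e.g. validating a credential meant only for endpoint1) goes here.
        request.setAttribute("filter1.ran", Boolean.TRUE);
        chain.doFilter(request, response);
    }
}

class Filter2 extends PathScopedFilter {
    Filter2() { super("/endpoint2/**"); }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        request.setAttribute("filter2.ran", Boolean.TRUE);
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
public class SingleChainSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .cors(Customizer.withDefaults())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Authorization rules decide who may reach a path; they do not decide
            // which filters run. Every filter added below is invoked for every
            // request that enters this chain.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/endpoint3/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/error/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/endpoint1/**")).authenticated()
                .requestMatchers(new AntPathRequestMatcher("/endpoint2/**")).authenticated()
                .anyRequest().denyAll())
            // Path scoping happens inside each filter via shouldNotFilter(), so
            // /endpoint3 passes through both filters without either doing any work.
            .addFilterBefore(new Filter1(), UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(new Filter2(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

One check worth making when filters appear to run everywhere: if `Filter1` and `Filter2` are also Spring beans (for example annotated with `@Component`), Spring Boot registers each of them a second time as a plain servlet filter mapped to every URL, outside the security chain entirely. Either construct them with `new` as above so they exist only inside the chain, or keep the bean and disable the container registration with a `FilterRegistrationBean` whose `setEnabled(false)` has been called.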

1 Answer

That is true. The antMatchers() method is deprecated. Could you try creating two custom request matchers (for endpoint 1 and 2)? You can then use those matchers in two separate configuration classes (any class name of choice) where you'd define your specifics for each endpoint. This might help you trigger your filters for the right endpoints.

// Custom request matchers for endpoint paths
private static final RequestMatcher ENDPOINT_1_MATCHER = new AntPathRequestMatcher("/endpoint1/**");
private static final RequestMatcher ENDPOINT_2_MATCHER = new AntPathRequestMatcher("/endpoint2/**");

// Configuration for endpoint 1
@Configuration
public static class Endpoint1SecurityFilter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .requestMatcher(ENDPOINT_1_MATCHER)
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated();
    }
}

// Configuration for endpoint 2
@Configuration
public static class Endpoint2SecurityFilter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatchers()
                .requestMatcher(ENDPOINT_2_MATCHER)
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated();
    }
}


PS: I honestly don't feel it is necessary to explicitly configure the absence of filters for endpoint3 since it doesn't require any filters.

Open to better suggestions here!
Dev-ohene

Comment: It seems that `WebSecurityConfigurerAdapter` got deprecated in version 5.7.0-M2. https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter – hajjoujti May 25 '23 at 19:37
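The answer's idea of one configuration per matcher is the right shape; in Spring Security 6 it is expressed as several `SecurityFilterChain` beans, each scoped with `HttpSecurity.securityMatcher(...)` (the replacement for the `requestMatchers().requestMatcher(...)` call and for `WebSecurityConfigurerAdapter`, which the comment notes is deprecated). Because `securityMatcher` decides which requests enter a chain at all, a filter added to that chain can never run for another path. The following is an added example, not code from the answer or the question; `ChainTagFilter` and the `security.chain` attribute are assumptions standing in for the asker's Filter1/Filter2 classes, whose bodies are not on the page.

```java
import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical stand-in for the question's Filter1/Filter2: records which chain handled the request.
class ChainTagFilter implements Filter {
    private final String tag;

    ChainTagFilter(String tag) { this.tag = tag; }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        request.setAttribute("security.chain", tag);
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Hardening shared by every chain; each chain gets its own HttpSecurity instance.
    private static HttpSecurity stateless(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.disable())
            .cors(Customizer.withDefaults())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    }

    // Chain 1: securityMatcher() decides which requests enter this chain at all,
    // so the filter added here can only ever see /endpoint1/**.
    @Bean
    @Order(1)
    SecurityFilterChain endpoint1Chain(HttpSecurity http) throws Exception {
        stateless(http)
            .securityMatcher(new AntPathRequestMatcher("/endpoint1/**"))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .addFilterBefore(new ChainTagFilter("Filter1"), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    // Chain 2: same pattern for /endpoint2/** with its own filter.
    @Bean
    @Order(2)
    SecurityFilterChain endpoint2Chain(HttpSecurity http) throws Exception {
        stateless(http)
            .securityMatcher(new AntPathRequestMatcher("/endpoint2/**"))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .addFilterBefore(new ChainTagFilter("Filter2"), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    // Chain 3: no securityMatcher, so it receives everything the first two did not.
    // It carries no custom filter; /endpoint3/** and /error/** are public, the rest is denied.
    // It must be ordered last: a catch-all chain placed earlier would swallow every
    // request, and Spring Security 6 rejects that arrangement at startup.
    @Bean
    @Order(3)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        stateless(http)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/endpoint3/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/error/**")).permitAll()
                .anyRequest().denyAll());
        return http.build();
    }
}
```

The chains are tried in `@Order` sequence and the first whose `securityMatcher` accepts the request handles it exclusively; a request to /endpoint3 therefore never passes through either tagged filter. Leaving `securityMatcher` off one of the endpoint chains, or giving the catch-all chain the lowest order, is the usual reason a multi-chain setup appears to stop invoking filters: that chain then matches every request and the others are never reached.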