Spring multiple authentication methods for different api endpoints

spring spring-boot jwt x509 spring-security

You have two filter chains. Neither of them have an entry point pattern properly configured http.antMatcher. That means they are configured to use /** as their entry point pattern.

For example

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()

is the same thing as saying:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()

What we are saying here is

  1. http - the security filter chain
  2. http.antMatcher - the entry point to the security filter chain
  3. http.authorizeRequests - start of my endpoint access restrictions
  4. http.authorizeRequests.antMatchers - list of URLs with specific access

So what you need to do is change your @Order(1) filter chain to narrow down the pattern. For example: http.antMatcher("/api/transaction/**")

Your configuration will now look like


    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/transaction/**") //customized entry point
                .authorizeRequests()
                .antMatchers("/api/transaction/testf").authenticated().and()
                .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(new X509UserDetailsService())
                ;
        }
    }

    @Configuration
    @Order(2)
    public static class ApiTokenSecurityConfig extends WebSecurityConfigurerAdapter{

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/**") //this is default
                .authorizeRequests()
                .antMatchers("/oauth/token", "/api/dealer/login").permitAll()
                .and()
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                ;
        }

With your existing configuration the filter chain named ApiWebSecurityConfig will trap all calls. The other filter chain, ApiTokenSecurityConfig, is never used.

You can see another description in this answer

SpringSecurity: Make RESTful API basic-auth authentication possible via only a single endpoint

Related

How to match something with regex that is not between two special characters?
Why does numpy have a corresponding function for many ndarray methods?
Why is True equal to -1
How to make a tkinter canvas rectangle transparent?
new FormData() "application/x-www-form-urlencoded"
Populating dropdown with JSON result - Cascading DropDown using MVC3, JQuery, Ajax, JSON
Is there a way to tell if I've sold anything during my current playthrough?
How does the copper experience pig work?
How do I join a custom game from spectator mode?
How do I use my boosters?
Where can I find a Husk Bully?
What is the max stack I can get of an item?