GreyScreenOfMeh

Reputation: 273

Unable to use ResourceServerConfigurerAdapter and WebSecurityConfigurerAdapter in the same project

I have a project that serves web pages that use form login. Now I would like the project to also expose an API that uses OAuth. The idea is to have the ResourceServerConfigurerAdapter and WebSecurityConfigurerAdapter set up with requestMatchers to use different paths that don't overlap. However, I get either an OAuth2AuthenticationProcessingFilter or a UsernamePasswordAuthenticationFilter, but not both.

ResourceServerConfigurerAdapter:

@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .requestMatchers()
        .mvcMatchers("/api/**")
        ...
}

If my WebSecurityConfigurerAdapter does not use any requestMatchers, I get a UsernamePasswordAuthenticationFilter but no OAuth2AuthenticationProcessingFilter.

http
    .authorizeRequests()
    ...

If, on the other hand, I use any request matcher at all in the WebSecurityConfigurerAdapter, no matter how specific, I get an OAuth2AuthenticationProcessingFilter but no UsernamePasswordAuthenticationFilter.

http
    .requestMatchers()
    .mvcMatchers("/anything")
    .authorizeRequests()
    ...

Solutions?

Or should I just go about this a different way? For instance, create a new project for the API? (Even though that will mean duplicating some code, such as domain objects.)

Upvotes: 2

Views: 1400

Answers (1)

Bakr

Reputation: 31

Consider annotating ResourceServerConfigurerAdapter with @Order(40) and implementing configure(HttpSecurity http) as follows:

 http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated();

Annotate WebSecurityConfigurerAdapter with @Order(50). Tested on Spring Boot 1.5.7.

Try to secure all possible paths in the security configuration with the highest order.

Spring creates one security filter chain for the security configuration in ResourceServerConfigurerAdapter and another for the security configuration in WebSecurityConfigurerAdapter.

Upvotes: 1
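
A simplified model of how a request is handed to the first matching security filter chain, added here as an example (not code from the question, the answer, or Spring itself). The `Chain` class, the path matching and the orders 100 and 200 are assumptions for illustration; only the orders 40 and 50 come from the answer.

```java
import java.util.Arrays;
import java.util.Comparator;
import java.util.function.Predicate;

// Simplified model of first-match filter chain selection; this is not Spring code.
public class ChainSelectionDemo {

    static final String OAUTH = "OAuth2AuthenticationProcessingFilter";
    static final String FORM = "UsernamePasswordAuthenticationFilter";
    // One security filter chain: its order, its request matcher, its authentication filter.
    static final class Chain {
        final int order; final Predicate<String> matcher; final String authFilter;
        Chain(int order, Predicate<String> matcher, String authFilter) {
            this.order = order; this.matcher = matcher; this.authFilter = authFilter;
        }
    }

    static final Predicate<String> ANY = path -> true;   // configuration without requestMatchers
    // Rough equivalent of the Ant pattern "<base>/**".
    static Predicate<String> under(String base) {
        return path -> path.equals(base) || path.startsWith(base + "/");
    }

    // Authentication filter of the lowest-order chain that matches the path, or "none".
    static String authFilterFor(String path, Chain... chains) {
        return Arrays.stream(chains)
                .sorted(Comparator.comparingInt((Chain c) -> c.order))
                .filter(c -> c.matcher.test(path))
                .map(c -> c.authFilter)
                .findFirst().orElse("none");
    }

    static void report(String label, Chain... chains) {
        System.out.println(label);
        for (String path : new String[] {"/api/users", "/login"}) {
            System.out.println("  " + path + " -> " + authFilterFor(path, chains));
        }
    }

    public static void main(String[] args) {
        // Orders 100 and 200 are assumed for illustration; 40 and 50 come from the answer.
        report("web chain without matchers, ahead of the API chain",
                new Chain(100, ANY, FORM), new Chain(200, under("/api"), OAUTH));
        report("web chain limited to /anything",
                new Chain(100, "/anything"::equals, FORM), new Chain(200, under("/api"), OAUTH));
        report("API chain @Order(40), web chain @Order(50)",
                new Chain(40, under("/api"), OAUTH), new Chain(50, ANY, FORM));
    }
}
```

In this model a catch-all chain that is consulted first hides the `/api/**` chain, and a narrowly matched web chain leaves `/login` with no chain at all; only the last arrangement gives each path its own authentication filter.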
