Shervin Asgari

Reputation: 24499

How to configure different paths with Spring Security?

I have been struggling to configure security for some different paths I have.

I would like this structure:

/actuator/health <-- open
/api/** <-- hasAnyAuthority
/auth/** <-- basic authentication
all others no access

So far this is what I have:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**") // If you want to override the security provided by Spring Boot.
            .addFilter(preAuthFilter()) // preAuthFilter() is my own pre-authentication filter, defined elsewhere in this class (not shown)
            .cors()
                .and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/actuator/health").permitAll()         // open to everyone
                .antMatchers("/api/**").hasAnyAuthority("something") // requires the given authority
                .antMatchers("/auth/**").authenticated()             // any authenticated user
                .and()
            .httpBasic(); // basic authentication as the entry point
    }
}

I would like to add .anyRequest().denyAll() but that doesn't seem to be possible after httpBasic().

Can anyone confirm that the above code will be the same as what I would like?

Upvotes: 2

Views: 5401

Answers (1)

Cray

Reputation: 2850

Example on how to split configuration by path:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

@Configuration
@Order(1) // every WebSecurityConfigurerAdapter needs a distinct @Order, otherwise the context fails to start
public class ApiSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/api/**") // this filter chain only handles requests under /api/**
            .authorizeRequests()
                .antMatchers("/api/public/**", "/api/register").anonymous() // if you need to allow some path in api
                .antMatchers("/api/**", "/api/register/**").hasRole("API_USER")
            .and()
                .formLogin()
                    .loginPage("/api/")
                    .failureHandler(failureHandler())
                    .loginProcessingUrl("/api/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .successHandler(successHandler())
            .and()
                .logout()
                    .logoutUrl("/api/logout")
                    .logoutSuccessUrl("/api/")
                    .invalidateHttpSession(true)
            .and()
                .rememberMe()
                    .key("something")
            .and()
                .csrf().disable()
            .exceptionHandling()
                .accessDeniedPage("/api/loginfailed");
    }

    // Placeholder handlers so the class compiles; the original answer does not show these, replace with your own.
    private AuthenticationFailureHandler failureHandler() {
        return new SimpleUrlAuthenticationFailureHandler("/api/loginfailed");
    }

    private AuthenticationSuccessHandler successHandler() {
        return new SavedRequestAwareAuthenticationSuccessHandler();
    }
}

Second path:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

@Configuration
@Order(2) // distinct from the /api/** adapter's @Order(1)
public class AuthSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/auth/**") // this filter chain only handles requests under /auth/**
            .authorizeRequests()
                .antMatchers("/auth/register").anonymous()
                .antMatchers("/auth/**", "/auth/register/**").hasRole("USER")
            .and()
                .formLogin()
                    .loginPage("/auth/")
                    .failureHandler(failureHandler())
                    .loginProcessingUrl("/auth/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .successHandler(successHandler())
            .and()
                .logout()
                    .logoutUrl("/auth/logout")
                    .logoutSuccessUrl("/auth/")
                    .invalidateHttpSession(true)
            .and()
                .rememberMe()
                    .key("something")
            .and()
                .csrf().disable()
            .exceptionHandling()
                .accessDeniedPage("/auth/loginfailed");
    }

    // Placeholder handlers so the class compiles; the original answer does not show these, replace with your own.
    private AuthenticationFailureHandler failureHandler() {
        return new SimpleUrlAuthenticationFailureHandler("/auth/loginfailed");
    }

    private AuthenticationSuccessHandler successHandler() {
        return new SavedRequestAwareAuthenticationSuccessHandler();
    }
}

Now, since you have not added security for /actuator/health, you can either leave it without one or make another adapter for it and permit access to everyone.

Also, you should use CSRF protection; it is easy to implement.

Upvotes: 3
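As an added example (editor's code, not from the question or the answer), here is a single-adapter configuration that produces exactly the structure the question lists, including the deny-by-default rule the asker could not place. The point it demonstrates is that `anyRequest().denyAll()` belongs inside the `authorizeRequests()` block, before `.and()`, because once the chain has moved on to `httpBasic()` the builder no longer exposes the URL authorization registry. Rules are matched top to bottom and the first match wins, so the specific paths come first and the catch-all last. It assumes the same `WebSecurityConfigurerAdapter` API as the question (deprecated since Spring Security 5.7 in favour of `SecurityFilterChain` beans, where the same ordering rule applies); the authority name `"something"` is the question's own placeholder and the class name is made up for this example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Editor's example, not the question's or answer's code. Class name is a placeholder.
@Configuration
@EnableWebSecurity
public class DenyByDefaultSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is left at its default (enabled), as the answer recommends.
            .authorizeRequests()
                // Evaluated in order; first matching rule decides, so specific paths first.
                .antMatchers("/actuator/health").permitAll()         // open
                .antMatchers("/api/**").hasAnyAuthority("something") // "something" is the question's placeholder
                .antMatchers("/auth/**").authenticated()             // any principal that passed basic auth
                // Catch-all: anything not listed above is rejected even with valid credentials.
                // This call is only available here, inside authorizeRequests(), not after httpBasic().
                .anyRequest().denyAll()
                .and()
            // Basic authentication is the entry point for the protected paths.
            .httpBasic();
    }
}
```

If you keep the answer's split-by-path adapters instead, the same `anyRequest().denyAll()` goes into one more adapter with the lowest priority (highest `@Order` value) and no `antMatcher(...)` restriction, so that it is consulted only for requests that none of the path-specific chains claimed. Either way, a request to an unlisted path such as `/admin` gets a 401 from the basic-auth entry point when unauthenticated and a 403 when authenticated, which is easy to confirm with a couple of `MockMvc` calls before deploying.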
