Spring Security ResourceServer with multiple Auth support : OAuth + local Basic Auth

I have OAuthServer and ResourceServer which works fine in SSO model. Now I want to add to my ResourceServer additional httpBasic() for ACTUATOR endpoints with local in memory user accounts. is it possible ?

I am getting following error : log Caused by: java.lang.IllegalArgumentException: user should not exist at org.springframework.util.Assert.isTrue(Assert.java:116) ~[spring-core-5.0.0.RC4.jar:5.0.0.RC4] at org.springframework.security.provisioning.InMemoryUserDetailsManager.createUser(InMemoryUserDetailsManager.java:79) ~[spring-security-core-5.0.0.M4.jar:na]

```kotlin @Configuration @EnableResourceServer class ResourceServerConfig : ResourceServerConfigurerAdapter() {

@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
    http
        .cors().and().csrf().disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
            .antMatchers("/api/**").hasRole("USER")
            .antMatchers("/**").authenticated()
}

}

@Configuration @Order(1) class ActuatorWebSecurityConfigurationAdapter : WebSecurityConfigurerAdapter() {

@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
    http
        .authorizeRequests()
        .requestMatchers(EndpointRequest.to("info")).permitAll()
        .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
        .and()
        .httpBasic()
}

}

@Configuration class AuthenticationConfig : GlobalAuthenticationConfigurerAdapter() {

@Throws(Exception::class)
override fun init(auth: AuthenticationManagerBuilder) {
    auth.inMemoryAuthentication()
        .withUser("sumo").password("demo").roles("ACTUATOR")
        .and()
        .withUser("admin").password("admin").roles("ADMIN", "ACTUATOR")
}

}

Comment From: eleftherias

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.

You may also find this section of the Spring Boot documentation useful for configuring security on actuator endpoints https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-security