Hi

I am a little bit confused using spring-multi-filterchain when I mix oauth2Login & oauth2ResourceServer (SB 3.0.5).

I read some recommendations from @marcusdacoregio, but I am failing at testing this case.

I have only one REST API: /api/test. Problem: when I call this API, I am redirected to the authentication page (Keycloak), as if I were trying to access a web page.

1 - oauth2ResourceServer (only /api/** is protected)

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

  http
    .securityMatcher("/api/**")
    .authorizeHttpRequests()
    .anyRequest().authenticated();

  http
    .exceptionHandling()
    .authenticationEntryPoint(new RestAuthenticationEntryPoint()); // Bearer token absent

  http
    .oauth2ResourceServer()
    .authenticationEntryPoint(new OAuth2AuthenticationEntryPoint()) // Malformed Bearer token (e.g. 1234567890)
    .accessDeniedHandler(new OAuth2AccessDeniedHandler()) // Well-formed Bearer token that is not valid (e.g. expired)
    .jwt()
    .jwtAuthenticationConverter(jwtAuthenticationConverter());

  return http.build();

}

2 - oauth2Login (all web HTML pages will ask for authentication)

@Bean
public SecurityFilterChain clientSecurityFilterChain(HttpSecurity http) throws Exception {

  http
    .authorizeHttpRequests(authz -> authz
      .requestMatchers(WHITELIST).permitAll()
      .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
      .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
      .anyRequest().authenticated());

  http
    .oauth2Login()
    .clientRegistrationRepository(clientRegistrationRepository);

  http
    .logout()
    .logoutSuccessHandler(oidcLogoutSuccessHandler());

  return http.build();
}

Separately it's working, but together, I am missing something.

Maybe you could help or give some advice?

Thanks

Comment From: jzheaux

Hi, @SylvainAssemat, thanks for reaching out, and sorry you are having trouble. It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.