I am trying to assign custom-filters to specific security-chains in spring-security 6.1, which works, but the request-matchers are not correctly resolved.
I have the following chains:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange(requests -> {
            requests
                .requestMatchers("/my-custom-path/**").permitAll()
                .anyExchange().authenticated();
        }).httpBasic(Customizer.withDefaults())
        .userDetailsService(userDetailsService())
        .addFilter(new CustomizedAuthentication());
    return http.build();
}

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange(requests -> {
            requests
                .requestMatchers("/token").permitAll()
                .anyExchange().authenticated();
        }).httpBasic(Customizer.withDefaults())
        .userDetailsService(userDetailsService())
        .addFilter(new CustomFilter1());
    return http.build();
}
When I try to access the endpoint /token everything works fine. But if I try to access /my-custom-path/ServiceProviderConfig the other filterChain (from /token) is executed with the wrong custom-filter. How can this happen?
Comment From: marcusdacoregio
Hi, @Captain-P-Goldfish. It seems to me that what you are trying to do is to use securityMatchers. Please read the documentation about it: https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html#security-matchers
Comment From: Captain-P-Goldfish
thx. Works with securityMatchers. Did not find the correct part in the documentation:
http.securityMatcher("/my-custom-path/**")
    .securityContext(configurer -> configurer.requireExplicitSave(false))
    .csrf(AbstractHttpConfigurer::disable)
    .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
    .addFilterBefore(new ClientCredentialsAuthenticationFilter(), BasicAuthenticationFilter.class)
    .userDetailsService(userDetailsService());
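The distinction behind this thread, as an added example that is not code from the issue or from Spring Security itself: `securityMatcher` decides which chain handles a request, while `requestMatchers` inside `authorizeHttpRequests` only sets authorization rules within a chain that was already selected, so a chain without a `securityMatcher` matches every request and the first chain in order wins. The class name, the `tag` helper, the `X-Security-Chain` header and the `@Order` values are assumptions made for illustration, and a `UserDetailsService` bean is assumed to be defined elsewhere.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {
    // Hypothetical stand-in for the custom filters in the thread: it records
    // which chain processed the request in a response header.
    private static Filter tag(String chain) {
        return (req, res, next) -> {
            ((HttpServletResponse) res).setHeader("X-Security-Chain", chain);
            next.doFilter(req, res);
        };
    }

    // Selected only for /my-custom-path/**; its filter never sees /token.
    @Bean
    @Order(1)
    public SecurityFilterChain customPathChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/my-custom-path/**")
            .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .addFilterBefore(tag("custom-path"), BasicAuthenticationFilter.class);
        return http.build();
    }

    // Selected only for /token; authorization rules apply inside this chain.
    @Bean
    @Order(2)
    public SecurityFilterChain tokenChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/token")
            .authorizeHttpRequests(requests -> requests.anyRequest().permitAll())
            .addFilterBefore(tag("token"), BasicAuthenticationFilter.class);
        return http.build();
    }

    // No securityMatcher: matches every request, so it must be ordered last
    // or it would shadow the two chains above.
    @Bean
    @Order(3)
    public SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(r -> r.anyRequest().authenticated()).httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Checking the `X-Security-Chain` header on responses from `/token` and `/my-custom-path/ServiceProviderConfig` confirms which chain, and therefore which custom filter, handled each request.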