Why Doesn\'t My Spring Security Configuration with Multiple HTTP Configurations Work?

Spring Security: Multiple HTTP Config Not Functioning

One may encounter a situation where multiple HTTP configurations are desired for tailored login pages and secure URL access, as the following scenario demonstrates:

@Configuration
@Order(1)
public static class ProviderSecurity extends WebSecurityConfigurerAdapter {
    // Security configuration for admin/* routes
}

@Configuration
@Order(2)
public static class ConsumerSecurity extends WebSecurityConfigurerAdapter {
    // Security configuration for consumer/* routes
}

However, this approach may lead to discrepancies where only one configuration is active. To address this, refer to the Spring Security Reference guide:

@EnableWebSecurity
public class MultiHttpSecurityConfig {
    // Authentication configuration

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        // Security configuration for /api/* routes
    }

    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        // Security configuration for all other routes
    }
}

Key points:

• Configure authentication as usual.
• Specify the processing order of multiple configurations using @Order.
• Use antMatcher to limit the scope of specific configurations based on URL patterns.

In the previous example, the issue arises because the first configuration with / antMatcher (which matches all URLs) overrides the second configuration, resulting in the URLs of the second configuration not being secured. By limiting the scope of the first configuration to /admin/ only, the URLs of the second configuration can get proper security mechanisms.

The above is the detailed content of Why Doesn\'t My Spring Security Configuration with Multiple HTTP Configurations Work?. For more information, please follow other related articles on the PHP Chinese website!