Spring Security: Multiple HTTP Config Not Functioning
One may encounter a situation where multiple HTTP configurations are desired for tailored login pages and secure URL access, as the following scenario demonstrates:
@Configuration @Order(1) public static class ProviderSecurity extends WebSecurityConfigurerAdapter { // Security configuration for admin/* routes } @Configuration @Order(2) public static class ConsumerSecurity extends WebSecurityConfigurerAdapter { // Security configuration for consumer/* routes }
However, this approach may lead to discrepancies where only one configuration is active. To address this, refer to the Spring Security Reference guide:
@EnableWebSecurity public class MultiHttpSecurityConfig { // Authentication configuration @Configuration @Order(1) public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { // Security configuration for /api/* routes } @Configuration public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { // Security configuration for all other routes } }
Key points:
In the previous example, the issue arises because the first configuration with / antMatcher (which matches all URLs) overrides the second configuration, resulting in the URLs of the second configuration not being secured. By limiting the scope of the first configuration to /admin/ only, the URLs of the second configuration can get proper security mechanisms.
The above is the detailed content of Why Doesn\'t My Spring Security Configuration with Multiple HTTP Configurations Work?. For more information, please follow other related articles on the PHP Chinese website!