I want to implement authentication and authorization for spring boot application with this design:
The first group of endpoints ("/api/**") will be authorized by passing the api-secret-key in the request headers. Authentication should be permitted for all.
The second group (/admin/**) will be authenticated by hitting the /login endpoint with a username and password, where I will have a custom UserDetailsService. If the authentication succeeds, a token will be returned and used to authorize the other endpoints.
My idea was to implement:
- Two WebSecurityConfigurations
- Two Filters
I am constantly failing and I think the problem is in my approach to the problem. Here is the initial question, which already has implemented code, but I would like someone to suggest a different approach.
Answer
I think a simpler solution might be to match the path prefix first (using ant/path pattern), then define an authentication criterion for that path in line.
This is very similar to the usual examples (see example usage https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/builders/HttpSecurity.html).
Is the “api-secret-key” the same for all users of the api endpoint? If so, you could just create a shared “user” to satisfy this requirement (which is what spring does by default), although this is NOT secure in general. If not, then what is the criterion for validating the “api-secret-key”?
You shouldn’t need multiple filter chains to check these criteria (see filter chain docs https://docs.spring.io/spring-security/reference/servlet/architecture.html).
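One way to put the answer's suggestion into code, as an added example (not the answer's or Spring's own code): a single SecurityFilterChain in which the path prefix selects the criterion, with a small filter that turns a matching api-secret-key header into an API_CLIENT principal for /api/** only. It assumes Spring Boot 3 / Spring Security 6 and a hypothetical property app.api-secret-key holding the shared key; the shared key yields one shared principal, which is the caveat the answer raises.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class SecurityConfig {
    @Value("${app.api-secret-key}") private String apiSecretKey; // assumed property name, not from the question

    // On /api/** a header equal to the key yields an API_CLIENT principal; otherwise the context stays empty
    private OncePerRequestFilter apiKeyFilter() {
        return new OncePerRequestFilter() {
            @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                    FilterChain chain) throws ServletException, IOException {
                String presented = req.getHeader("api-secret-key");
                if (req.getRequestURI().startsWith("/api/") && presented != null && MessageDigest.isEqual(
                        presented.getBytes(StandardCharsets.UTF_8), apiSecretKey.getBytes(StandardCharsets.UTF_8))) {
                    SecurityContextHolder.getContext().setAuthentication(UsernamePasswordAuthenticationToken
                        .authenticated("api-client", null, AuthorityUtils.createAuthorityList("API_CLIENT")));
                }
                chain.doFilter(req, res);
            }
        };
    }

    // One chain for both groups: the path prefix selects the criterion, so no second chain is needed
    @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**")) // header-only clients send no CSRF token
            .addFilterBefore(apiKeyFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .requestMatchers("/api/**").hasAuthority("API_CLIENT")
                .requestMatchers("/admin/**").hasRole("ADMIN") // ROLE_ADMIN comes from your UserDetailsService
                .anyRequest().denyAll())
            .formLogin(form -> form.loginPage("/login")) // replace with your token-issuing login if you need one
            .build();
    }
}
```

MessageDigest.isEqual is used so the comparison takes the same time whether the header is right or wrong; a request to /api/** without a matching header has no authentication and is rejected by the hasAuthority rule.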