In my Spring Boot application we currently have 2 types of access: permitAll for a handful of URIs stored in String[] ALLOWED_WITHOUT_AUTHENTICATION.
For the rest (/**), we've applied oauth2Login. Then we added a securityContext.
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and().authorizeRequests().antMatchers(ALLOWED_WITHOUT_AUTHENTICATION).permitAll()
    .and().authorizeRequests()
        .antMatchers("/**").authenticated()
    .and().oauth2Login().userInfoEndpoint().oidcUserService(myOidcUserService).customUserType(MyOidcUser.class, "customUser")
    .and().defaultSuccessUrl(authSuccessURL, true).failureUrl(userNotAuthenticatedURL)
    .and().securityContext().securityContextRepository(new CookieSecurityContextRepository(myAuthCookieHelper))
    .and().exceptionHandling().authenticationEntryPoint(getAuthenticationEntryPoint());
Now I want to add basic authentication for a few URIs stored in String[] AUTHENTICATED_WITH_BASIC_AUTH.
So I've written the code below:
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and().authorizeRequests().antMatchers(ALLOWED_WITHOUT_AUTHENTICATION).permitAll()
    .and().authorizeRequests()
        .antMatchers(Constants.AUTHENTICATED_WITH_BASIC_AUTH).authenticated()
    .and().httpBasic().authenticationEntryPoint(myBasicAuthenticationEntryPoint())
    .and().exceptionHandling().accessDeniedPage("/403")
    .and().authorizeRequests()
        .antMatchers("/**").authenticated()
    .and().oauth2Login().userInfoEndpoint().oidcUserService(myOidcUserService).customUserType(MyOidcUser.class, "customUser")
    .and().defaultSuccessUrl(authSuccessURL, true).failureUrl(userNotAuthenticatedURL)
    .and().securityContext().securityContextRepository(new CookieSecurityContextRepository(myAuthCookieHelper))
    .and().exceptionHandling().authenticationEntryPoint(getAuthenticationEntryPoint());
But I do not want to apply the securityContext to URIs which are authenticated with basic auth.
How can I segregate these two?
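The usual way to keep two sets of security settings apart in Spring Security is to give each set its own filter chain, scoped by a request matcher, instead of piling both into one HttpSecurity. The example below is an added illustration, not the asker's code: it assumes the Spring Security 5.x fluent API used in the question (antMatchers, .and(), SecurityFilterChain beans, which need 5.4 or later and predate the 6.0 API changes), reuses the identifiers from the question (ALLOWED_WITHOUT_AUTHENTICATION, Constants.AUTHENTICATED_WITH_BASIC_AUTH, myOidcUserService, MyOidcUser, myAuthCookieHelper, CookieSecurityContextRepository, authSuccessURL, userNotAuthenticatedURL, getAuthenticationEntryPoint(), myBasicAuthenticationEntryPoint()), and invents only the field types and the class name, which are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SplitSecurityConfig {

    // Collaborators named in the question. Types other than the OIDC user service
    // are hypothetical; they are wired however the application already wires them.
    private final OAuth2UserService<OidcUserRequest, OidcUser> myOidcUserService;
    private final MyAuthCookieHelper myAuthCookieHelper;          // hypothetical type
    private final String authSuccessURL;
    private final String userNotAuthenticatedURL;

    public SplitSecurityConfig(OAuth2UserService<OidcUserRequest, OidcUser> myOidcUserService,
                               MyAuthCookieHelper myAuthCookieHelper,
                               String authSuccessURL,
                               String userNotAuthenticatedURL) {
        this.myOidcUserService = myOidcUserService;
        this.myAuthCookieHelper = myAuthCookieHelper;
        this.authSuccessURL = authSuccessURL;
        this.userNotAuthenticatedURL = userNotAuthenticatedURL;
    }

    // Chain 1: consulted first and applies ONLY to the basic-auth URIs.
    // requestMatchers() scopes the whole chain, so the cookie-based
    // SecurityContextRepository configured in chain 2 never sees these requests.
    @Bean
    @Order(1)
    public SecurityFilterChain basicAuthChain(HttpSecurity http) throws Exception {
        http.requestMatchers().antMatchers(Constants.AUTHENTICATED_WITH_BASIC_AUTH)
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Everything routed into this chain must carry valid Basic credentials.
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic().authenticationEntryPoint(myBasicAuthenticationEntryPoint())
            .and()
            .exceptionHandling().accessDeniedPage("/403");
        // Deliberately no securityContext().securityContextRepository(...): with
        // STATELESS the default repository persists nothing, and Basic auth is
        // re-evaluated from the Authorization header on every request anyway.
        return http.build();
    }

    // Chain 2: every request that chain 1 did not claim, i.e. the permitAll URIs
    // and the OAuth2/OIDC-protected rest. This is the original configuration.
    @Bean
    @Order(2)
    public SecurityFilterChain oauth2Chain(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(ALLOWED_WITHOUT_AUTHENTICATION).permitAll()
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .oidcUserService(myOidcUserService)
                    .customUserType(MyOidcUser.class, "customUser")
                .and()
                .defaultSuccessUrl(authSuccessURL, true)
                .failureUrl(userNotAuthenticatedURL)
            .and()
            // The cookie-backed SecurityContext lives only in this chain.
            .securityContext().securityContextRepository(new CookieSecurityContextRepository(myAuthCookieHelper))
            .and()
            .exceptionHandling().authenticationEntryPoint(getAuthenticationEntryPoint());
        return http.build();
    }

    // Entry points referenced in the question; defined in the application
    // as they already are (bodies are not reproduced here).
    private AuthenticationEntryPoint myBasicAuthenticationEntryPoint() { /* as in the question */ return null; }
    private AuthenticationEntryPoint getAuthenticationEntryPoint()     { /* as in the question */ return null; }
}
```

Two points matter for correctness here. First, Spring Security hands each request to the first chain whose matcher accepts it, so the narrower basic-auth chain must have the lower @Order value and must be scoped with requestMatchers(); a chain without a matcher accepts everything and would shadow any chain ordered after it. Second, in the single-chain version from the question, the explicit exceptionHandling().authenticationEntryPoint(getAuthenticationEntryPoint()) at the end takes precedence over the default entry point that httpBasic() registers, so unauthenticated requests to the basic-auth URIs would be handled by the OAuth2 entry point rather than challenged with a 401; splitting the chains gives each set of URIs its own entry point as well as its own SecurityContextRepository.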