I have configured Spring Security for my REST API (with HeaderHttpSessionStrategy).
My 'WebSecurityConfigurerAdapter' implementation looks as below.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/user/**").authenticated()
                .antMatchers("/**").permitAll()
                .and()
            .requestCache()
                .requestCache(new NullRequestCache())
                .and()
            .httpBasic();
    }
Now, how can I configure the 'HttpSecurity' object so that basic authentication is only possible with a specific endpoint?
For example:
/user/login : Basic Authentication should only be possible on this endpoint. After successful authentication, the x-auth-token header is returned.
/user/create : Client should not be able to authenticate on this endpoint. Should only return 401. Can only be accessed using the 'x-auth-token' created using the /user/login endpoint.
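
One way to get this behaviour, as an added example that is not part of the original post: two ordered filter chains, where only the chain matching /user/login registers HTTP Basic and the chain for every other path answers unauthenticated requests with 401. It assumes Spring Security 4.x, an AuthenticationManager configured elsewhere in the application, and the hypothetical class names ApiSecurityConfig, LoginConfig and TokenOnlyConfig.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.savedrequest.NullRequestCache;

@EnableWebSecurity
public class ApiSecurityConfig { // hypothetical class name

    // Chain 1: matches only /user/login and is the only chain that accepts Basic credentials.
    @Configuration
    @Order(1)
    public static class LoginConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/user/login")
                .csrf().disable()
                .authorizeRequests().anyRequest().authenticated().and()
                .requestCache().requestCache(new NullRequestCache()).and()
                .httpBasic();
        }
    }

    // Chain 2: all other paths. No httpBasic(), so an Authorization header is ignored here
    // and only the session resolved from x-auth-token can authenticate the request.
    @Configuration
    @Order(2)
    public static class TokenOnlyConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/user/**").authenticated()
                    .antMatchers("/**").permitAll()
                    .and()
                .requestCache().requestCache(new NullRequestCache()).and()
                // Without an authentication mechanism the default entry point returns 403;
                // HttpStatusEntryPoint makes unauthenticated requests return 401 instead.
                .exceptionHandling()
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }
    }
}
```

To check the split, send valid Basic credentials to /user/create without an x-auth-token and confirm the response is 401, then repeat the request with the token returned by /user/login.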