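In my case it works something like this:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Configuration
        @Order(1)
        public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {

            // ... user details service, auth providers etc

            // Applies only to /api/**: HTTP Basic, stateless sessions, CSRF off
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
                    .and().csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().httpBasic();
            }
        }

        @Configuration
        @Order(2)
        public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {

            // ... user details service, auth providers etc

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.authenticationProvider(wicketAuthenticationProvider);
            }

            // Applies only to /page/**: form login, with the login page open to everyone
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/page/**").authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .antMatchers("/page/**").hasRole("ROLE")
                    .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
                    .and().csrf().disable();
            }

            // Expose this adapter's AuthenticationManager as a bean
            @Override
            @Bean(name = "authenticationManager")
            public AuthenticationManager authenticationManagerBean() throws Exception {
                return super.authenticationManagerBean();
            }
        }
    }

The RestSecurityConfig would be what you would do for actuators, for me
that's the REST API.

Note the order of "antMatcher", "authorizeRequests" and "antMatchers".

Zbynek
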
On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
[email protected]> wrote:
> Do you have an example? Or is it just to cut them into two like:
> WebSecurityConfigurerAdapter A:
>
>
> http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> WebSecurityConfigurerAdapter B:
> http
> .csrf().disable()
> .authorizeRequests().anyRequest().permitAll()
> .and()
> .logout()
> .permitAll();
> http.headers().frameOptions().disable();
>
>
> On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <[email protected]>
> wrote:
>
> > Hi,
> >
> > I did a similar thing, the trick here is to use two
> > WebSecurityConfigurerAdapters.
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > [email protected]> wrote:
> >
> > > Hope it's okay to use the wicket user mailing list for this :)
> > >
> > > First of all thanks to MarcGiffing for making the project. But I cannot get
> > > actuator endpoints to work with spring security and wicket spring boot..
> > > I've tried a lot of things..
> > >
> > > In my WebSecurityConfigurerAdapter:
> > >
> > > http
> > >     .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >
> > > http
> > >     .csrf().disable()
> > >     .authorizeRequests().anyRequest().permitAll()
> > >     .and()
> > >     .logout()
> > >     .permitAll();
> > > http.headers().frameOptions().disable();
> > >
> > > But that just disables actuator and messes with the Wicket side of the
> > > security.. Anyone have some clues?
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
> > >
> >
>
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
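
The two-adapter approach from this thread applied to the actuator question, as an added example that is not part of the original messages. It uses the same Spring Security 5.x WebSecurityConfigurerAdapter API as the thread; the class names, the "actuator" user and the example.actuator.password property are assumptions made for illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example; class names, user name and property name are hypothetical.
@Configuration
@EnableWebSecurity
public class ActuatorAndWicketSecurity {

    @Configuration
    @Order(1) // consulted first, but claims only /actuator and the paths below it
    public static class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        @Value("${example.actuator.password}") // hypothetical property, supplied at deploy time
        private String actuatorPassword;

        @Override // credentials registered here are local to this adapter
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
            auth.inMemoryAuthentication().passwordEncoder(encoder)
                .withUser("actuator").password(encoder.encode(actuatorPassword)).roles("ACTUATOR");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/**") // singular: scopes the whole filter chain
                .authorizeRequests().anyRequest().hasRole("ACTUATOR") // rules inside that scope
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().httpBasic(); // basic auth is never offered on Wicket URLs
        }
    }

    @Configuration
    @Order(2) // no antMatcher: takes every request the first chain did not claim
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override // same settings as adapter B in the quoted question
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests().anyRequest().permitAll()
                .and().logout().permitAll();
            http.headers().frameOptions().disable();
        }
    }
}
```

CSRF protection is left at its default on the actuator chain, so only safe methods such as GET work there without a token.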