Thanks, will try it :)
On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <[email protected]>
wrote:
> In my case it works something like this:
>
> @Configuration
> @EnableWebSecurity
> public class SecurityConfiguration {
>
>     @Configuration
>     @Order(1)
>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
>
>         // .. user details service, auth providers etc
>
>         @Override
>         protected void configure(HttpSecurity http) throws Exception {
>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
>                 .and().csrf().disable()
>                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>                 .and().httpBasic();
>         }
>     }
>
>     @Configuration
>     @Order(2)
>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
>
>         // .. user details service, auth providers etc
>
>         @Override
>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
>             auth.authenticationProvider(wicketAuthenticationProvider);
>         }
>
>         @Override
>         protected void configure(HttpSecurity http) throws Exception {
>             http.antMatcher("/page/**").authorizeRequests()
>                 .antMatchers("/page/login**").permitAll()
>                 .antMatchers("/page/**").hasRole("ROLE")
>                 .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
>                 .and().csrf().disable();
>         }
>
>         @Override
>         @Bean(name = "authenticationManager")
>         public AuthenticationManager authenticationManagerBean() throws Exception {
>             return super.authenticationManagerBean();
>         }
>     }
> }
>
> The RestSecurityConfig would be what you would do for actuators; for me
> that's the REST API.
> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> [email protected]> wrote:
>
> > Do you have an example? Or is it just to cut them into two, like:
> > WebSecurityConfigurerAdapter A:
> >
> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > WebSecurityConfigurerAdapter B:
> > http
> > .csrf().disable()
> > .authorizeRequests().anyRequest().permitAll()
> > .and()
> > .logout()
> > .permitAll();
> > http.headers().frameOptions().disable();
> >
> >
> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <[email protected]>
> > wrote:
> >
> > > Hi,
> > >
> > > I did a similar thing; the trick here is to use two
> > > WebSecurityConfigurerAdapters.
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > > [email protected]> wrote:
> > >
> > > > Hope it's okay to use the Wicket user mailing list for this :)
> > > >
> > > > First of all, thanks to MarcGiffing for making the project. But I cannot get
> > > > actuator endpoints to work with Spring Security and Wicket Spring Boot..
> > > > I've tried a lot of things..
> > > >
> > > > In my WebSecurityConfigurerAdapter:
> > > >
> > > > http
> > > > .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > >
> > > > http
> > > > .csrf().disable()
> > > > .authorizeRequests().anyRequest().permitAll()
> > > > .and()
> > > > .logout()
> > > > .permitAll();
> > > > http.headers().frameOptions().disable();
> > > >
> > > > But that just disables actuator and messes with the Wicket side of the
> > > > security.. Anyone have some clues?
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> > > >
> > >
> >
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>
--
Best regards / Med venlig hilsen
Nino Martinez
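
Added example, not part of the original thread or of any project mentioned in it: the two-adapter pattern from Zbynek's reply applied to the actuator paths from the question. It uses the WebSecurityConfigurerAdapter API discussed in the thread and assumes a user with the ACTUATOR role is defined elsewhere; the class names ActuatorSecurityConfig and WicketSecurityConfig are illustrative.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // Chain 1 (checked first): scoped to the actuator paths only, so HTTP Basic
    // and the ACTUATOR role requirement never apply to Wicket pages.
    // Assumption: a user holding ROLE_ACTUATOR is configured elsewhere.
    @Configuration
    @Order(1)
    public static class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/actuator", "/actuator/**")
                .and().authorizeRequests().anyRequest().hasRole("ACTUATOR")
                .and().csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().httpBasic();
        }
    }

    // Chain 2 (checked second): no request matcher, so it handles every request
    // that chain 1 did not claim. The settings are carried over unchanged from
    // the second block of the question's configuration.
    @Configuration
    @Order(2)
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests().anyRequest().permitAll()
                .and().logout().permitAll();
            http.headers().frameOptions().disable();
        }
    }
}
```

The catch-all chain must carry the higher @Order value: Spring Security hands each request to the first chain whose matcher accepts it, so a catch-all placed first would shadow the actuator chain.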