I am creating an API that is mostly secured with the Okta spring boot starter. However, I also have an endpoint that I want to be secured by Basic Auth instead of OAuth2 (or at least have it be an option).
Most Spring Security documentation indicates that I should create two `WebSecurityConfigurerAdapter` classes, and that the last one indicated by `@Order()` will be the fallback. This seems to work as expected when okta-spring-boot isn’t included, but it appears that the autoconfiguration seems to apply globally to all authenticated requests.
Here is an example of something I expected to work, but does not (the endpoint rejects requests without a valid bearer token):
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import com.okta.spring.boot.oauth.Okta;

// First chain: only /actuator/refresh, intended to accept HTTP Basic.
@Order(1)
@Configuration
public static class RefreshSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/actuator/refresh")
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().and()
            .authorizeRequests()
                .anyRequest().authenticated().and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

// Second (fallback) chain: everything else, secured by the Okta starter.
@Order(2)
@Configuration
public static class EndpointSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated();
        Okta.configureResourceServer401ResponseBody(http);
    }
}
```
Is there some configuration I can add to the first `WebSecurityConfigurerAdapter` to disable the `BearerTokenAuthenticationFilter` in that filter chain?
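As an added illustration (not part of the question, and not the Okta starter's own code), this is the plain Spring Security 5 layout of the same two chains with each authentication mechanism declared explicitly: a local Basic Auth account for the refresh chain and a JWT resource server on the fallback chain. It assumes the properties `refresh.user`, `refresh.password-hash` (a `{bcrypt}`-prefixed hash) and `spring.security.oauth2.resourceserver.jwt.issuer-uri` are set; it does not by itself change what okta-spring-boot's autoconfiguration attaches to each chain.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;

public class SecurityConfig {

    // Chain 1: matches only /actuator/refresh; uses its own AuthenticationManager,
    // so Basic credentials are never handed to the JWT chain's providers.
    @Order(1)
    @Configuration
    public static class RefreshBasicAuthConfig extends WebSecurityConfigurerAdapter {
        @Value("${refresh.user}") private String refreshUser;            // assumed property
        @Value("${refresh.password-hash}") private String passwordHash;  // assumed property, e.g. "{bcrypt}$2a$10$..."

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Delegating encoder reads the {bcrypt} prefix; the hash, not the password, lives in config.
            auth.inMemoryAuthentication()
                .passwordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder())
                .withUser(refreshUser).password(passwordHash).roles("REFRESH");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/refresh")
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                    // Only a POST from the dedicated refresh account is accepted on this path.
                    .antMatchers(HttpMethod.POST, "/actuator/refresh").hasRole("REFRESH")
                    .anyRequest().denyAll();
        }
    }

    // Chain 2: every other request must carry a JWT validated against the configured issuer.
    @Order(2)
    @Configuration
    public static class ApiJwtConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().oauth2ResourceServer().jwt();  // uses spring.security.oauth2.resourceserver.jwt.issuer-uri
        }
    }
}
```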