Multiple security configurations and antMatcher() invocations

Questions
1

Hi,

I’m in the process of adding okta authentication to to a Spring Boot 2.2.0 application (Kotlin). I’ve been using version 1.4.0 of the okta-spring-boot-starter library.

I’ve been successful in getting a simple authentication scheme work with my okta developer account. Simple in this context means that all calls to backend (with a few exceptions) are authenticated.

@Configuration
@EnableWebSecurity
class SecurityConfiguration() : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.antMatcher("/api/**")
            .authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login()
            .and().oauth2Client()
    }
}

(In addition to the above configuration, I’ve tried other ways to configure but this way relates most to my oncoming question)

Now my goal is to authenticate all requests that come to /api/** with okta and all requests that come to /foo/** and /bar/** with a custom filter.

My understanding is that this could be achieved by adding another security configuration and having @Order() annotation in both configs to set the priority.

My second configuration would then look like this

@Configuration
@EnableWebSecurity
@Order(2)
class SecondSecurityConfiguration(private val customFilter: MyCustomFilter) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http.antMatcher("/foo/**")
              .otherCustomFilterRelatedBuilding
    }
}

However, adding this second config breaks the okta authentication as follows:

  1. Navigating to http://localhost:8080/api/whatever -> redirect to http://localhost:8080/oauth2/authorization/okta
  2. Application responds with 404 to http://localhost:8080/oauth2/authorization/okta

Even if the second config has one line, http.antMatcher("/foo/**"), which shouldn’t do anything (to my understanding), the above behaviour is observed.

Also, if I comment out the antMatcher from the second config, authentication works as I expect.

So my questions are

  1. Are multiple antMatcher() invocation not possible with this okta authentication setup?
  2. If the answer to 1. is yes, then how would I go about having different url patterns be authenticated with okta and other patterns authenticated with something else?

Thank you in advance and please ask if the information I’ve provided is lacking anything. This area is all quite new to me.

Br, Antti