I am using a custom Spring Boot Starter for developing several microservices. That starter should contain some basic security configurations which I can use depending on which profile I am using in my service.
I am using a HttpSecurityConfigurer like this:
@Configuration
@ConditionalOnSingleCandidate(HttpSecurityConfigurer.class)
public class HttpSecurityConfigurerImpl implements HttpSecurityConfigurer {
@Override
public HttpSecurity configure(HttpSecurity http) throws Exception {
http.sessionManagement(c -> c.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
http.authorizeHttpRequests(c -> c
.requestMatchers("/actuator/health", "/actuator/liveness").permitAll()
.anyRequest().authenticated())
.httpBasic(Customizer.withDefaults())
.csrf(AbstractHttpConfigurer::disable);
return http;
}
}
Than I have additional configuration to enable / disable Swagger-UI access:
@Configuration
@Slf4j
@EnableWebSecurity
@RequiredArgsConstructor
@ConditionalOnProfilesActive(value = Profiles.NOAUTH, match = Matching.NONE)
@ConditionalOnProperty(name = SwaggerProperties + "unrestricted", havingValue = "true")
public class SecurityConfigSwaggerUiAutoConfiguration {
@Bean
@Order(2)
public SecurityFilterChain swaggerUiSecurityFilterChain(HttpSecurity http) throws Exception {
System.out.println("SwaggerUi");
http.securityMatcher("/swagger-ui/**).authorizeHttpRequests(requests ->
requests.anyRequest().permitAll()
);
http.httpBasic(Customizer.withDefaults());
return http.build();
}
}
Than I can enable LDAP access bei profile:
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@ConditionalOnProfilesActive(LDAP)
@Slf4j
public class SecurityConfigLdapAutoConfiguration {
private final HttpSecurityConfigurer httpSecurityConfigurer;
@Bean
@Order(3)
public SecurityFilterChain ldapSecurityFilterChain(HttpSecurity http) throws Exception {
System.out.println("LDAP");
return httpSecurityConfigurer.configure(http).build();
}
@Bean
public CachingAuthenticationProvider ldapAuthenticationManager() {
var authenticationProvider = new ActiveDirectoryLdapAuthenticationProvider("my.domain", "my.url", "my.base");
authenticationProvider.setSearchFilter("my.searchFilter");
return new CachingAuthenticationProvider(authenticationProvider);
}
}
So far, everything works fine. But now I want to add a new Profile for doing SAML authentication with a SAML Token. Therefore I added another Configuration:
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
@ConditionalOnProfilesActive(SAML)
@Slf4j
public class SecurityConfigSamlHeaderAutoConfiguration {
@Bean
@Order(3)
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
System.out.println("SAML");
http.securityMatcher("/api/**")
.authorizeHttpRequests(authorizeRequests -> authorizeRequests
.anyRequest().authenticated())
.apply(samlLogin())
;
return http.build();
}
@Bean
public CachingAuthenticationProvider authenticationProvider() {
var authenticationProvider = new ActiveDirectoryLdapAuthenticationProvider(
"my.domain",
"my.url",
"my.base"
);
authenticationProvider.setSearchFilter(my.searchFilter);
return new CachingAuthenticationProvider(authenticationProvider);
}
}
But now, when I choose SAML profile it gives me an error:
Error creating bean with name '.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0: Error creating bean with name 'securityFilterChain' defined in class path resource [com/my/basestarter/config/security/SecurityConfigSamlHeaderAutoConfiguration.class]: Failed to instantiate [.springframework.security.web.SecurityFilterChain]: Factory method 'securityFilterChain' threw exception with message: Can't configure mvcMatchers after anyRequest"
Can anybody help me finding the error? I thought I could do somethink similar like I did for the Swagger Configuration. But seems that I am missing something.