danvega / jwt

Spring Security + JWT

Basic filter chain #6

Closed ch4mpy closed 1 year ago

ch4mpy commented 1 year ago

Demo how to apply basic authentication to /token end-point only.

danvega commented 1 year ago

Why did you create a separate filter chain? This could all be done in a single configuration.

ch4mpy commented 1 year ago

The tokenSecurityFilterChain applies to /token end-point only so that basic auth is enabled for token endpoint (and not the rest of the app which should be protected with JWT Bearer):

http.securityMatcher(new AntPathRequestMatcher("/token"));

Also the @Order(Ordered.HIGHEST_PRECEDENCE) is important so that this filter chain with securityMatcher is evaluated before the one that serves as default:

I added tests to assert that basic auth can be used on /token endpoint only. Try to add this new test on your main branch; it should not pass.
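
The two-chain layout described in the comment above, written out as an added example; it is not the code from this pull request or from the repository. The class name and the second bean name are hypothetical, and it assumes Spring Security 6.1 or a later 6.x release, a stateless API, and that a UserDetailsService and a JwtDecoder bean are defined elsewhere.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class TwoChainSecurityConfig { // hypothetical class name

    // Chain 1: claims requests to /token only and is consulted first.
    // HTTP Basic is configured here and nowhere else.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain tokenSecurityFilterChain(HttpSecurity http) throws Exception {
        return http
                .securityMatcher(new AntPathRequestMatcher("/token"))
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                // Assumption: stateless API, so no session and no CSRF token.
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .httpBasic(Customizer.withDefaults())
                .build();
    }

    // Chain 2: no securityMatcher, so it is the default for every request
    // chain 1 did not claim. Only Bearer JWTs authenticate here; an
    // "Authorization: Basic ..." header is not processed and yields 401.
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception { // hypothetical bean name
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .csrf(csrf -> csrf.disable())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .build();
    }
}
```

Spring Security uses the first chain whose matcher accepts the request, so the chain without a securityMatcher has to come after the /token chain or it would claim every request, /token included.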

danvega commented 1 year ago

Ahh I see, that makes sense. Thank you!