Closed ch4mpy closed 1 year ago
Why did you create a separate filter chain? This could all be done in a single configuration.
The `tokenSecurityFilterChain` applies to the `/token` end-point only, so that basic auth is enabled for the token endpoint (and not the rest of the app, which should be protected with JWT Bearer):

```java
http.securityMatcher(new AntPathRequestMatcher("/token"));
```

Also the `@Order(Ordered.HIGHEST_PRECEDENCE)` is important so that this filter chain with `securityMatcher` is evaluated before the one that serves as default:

- `/token`, then `tokenSecurityFilterChain` is applied (basic auth is expected)
- otherwise `securityFilterChain` is matched (no `securityMatcher` restriction) and JWT decoder conf is applied

I added tests to assert that basic auth can be used on the `/token` endpoint only. Try to add this new test on your main branch, it should not pass.
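As an added example (not the PR's own code), here is how the two filter chains described in the comment above fit together in a Spring Security 6 configuration class: a narrow chain for `/token` that accepts HTTP Basic, evaluated first, and a catch-all chain that requires a JWT Bearer token. The bean names, the path and the `@Order` follow the comment; the `com.example.demo` package, the in-memory `demo` user and the reliance on Spring Boot's auto-configured `JwtDecoder` (from `spring.security.oauth2.resourceserver.jwt.issuer-uri`) are assumptions made for the demo.

```java
// Added example, not the PR's code. Assumes Spring Boot 3 / Spring Security 6 with
// spring-boot-starter-oauth2-resource-server on the classpath and
// spring.security.oauth2.resourceserver.jwt.issuer-uri set, so that Spring Boot
// auto-configures the JwtDecoder used by the default chain.
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Evaluated first: only requests to /token reach this chain, and only HTTP Basic
    // credentials are accepted here. The order matters because the default chain below
    // has no securityMatcher and would otherwise claim /token as well.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain tokenSecurityFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher(new AntPathRequestMatcher("/token"));
        http.httpBasic(Customizer.withDefaults());
        // Stateless: no session is created, so no JSESSIONID cookie is issued and
        // CSRF protection has nothing to protect on this chain.
        http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.csrf(csrf -> csrf.disable());
        http.authorizeHttpRequests(req -> req.anyRequest().authenticated());
        return http.build();
    }

    // Default chain (no securityMatcher, default LOWEST_PRECEDENCE order): every request
    // that is not /token. Basic credentials are not honoured here; a valid JWT in
    // "Authorization: Bearer ..." is required.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.csrf(csrf -> csrf.disable());
        http.authorizeHttpRequests(req -> req.anyRequest().authenticated());
        return http.build();
    }

    // Hypothetical demo user backing the Basic chain (assumption: a real deployment
    // would look users up in a store and never hard-code a password).
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("demo")
                    .password(encoder.encode("change-me"))
                    .roles("USER")
                    .build());
    }
}
```

The check that matches the test described in the comment: a request to `/token` with the `demo:change-me` Basic credentials is authenticated, while the same credentials on any other path get a 401 because only the Bearer chain sees that request. A chain with no `securityMatcher` matches every request, so it must be ordered last; recent Spring Security versions refuse to start when an any-request chain is declared before a narrower one, which is a useful early signal if the `@Order` is dropped.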
Ahh I see, that makes sense. Thank you!
Demo how to apply basic authentication to the `/token` end-point only.