My current application has the following two web security configurations, handled by order.
Interactive/web user authentication:
import lombok.SneakyThrows;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        // Needed for method access control via the @Secured annotation
        prePostEnabled = true,
        jsr250Enabled = true,
        securedEnabled = true
)
@Profile({"cognito"})
@Order(2)
public class CognitoSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @SneakyThrows
    @Override
    protected void configure(HttpSecurity http) {
        http
            // TODO disable CSRF because when enabled controllers aren't initialized
            // and if they are, POST requests get 403
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .oauth2Client()
            .and()
            .logout()
            .and()
            .oauth2Login()
                .redirectionEndpoint().baseUri("/login/oauth2/code/cognito")
            .and()
        ;
    }
}
REST clients authentication:
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

/**
 * Allow users to use a token (id-token, jwt) instead of the interactive login.
 * The token is specified in the "Authorization: Bearer ..." header.
 * <p>
 * To get a token, the Cognito client app needs to support USER_PASSWORD_AUTH; then run the following command:
 * <pre>
 * aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --output json \
 *   --region $region --client-id $clientid --auth-parameters "USERNAME=$username,PASSWORD=$password" \
 *   | jq .AuthenticationResult.IdToken
 * </pre>
 */
@Slf4j
@Configuration
@Profile({"cognito"})
@Order(1)
public class CognitoTokenBasedSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @SneakyThrows
    @Override
    protected void configure(HttpSecurity http) {
        http
            // Only requests carrying an Authorization header are handled by this chain
            .requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
            .authorizeRequests().anyRequest().authenticated()
            .and().oauth2ResourceServer().jwt()
        ;
    }
}
After upgrading my Spring Boot dependencies, I have switched to a SecurityFilterChain bean. I have tried to update the filter chain, but I keep getting this error: "Can't configure antMatchers after anyRequest".
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // TODO disable CSRF because when enabled controllers aren't initialized
        // and if they are, POST requests get 403
        .csrf().disable()
        .authorizeRequests()
            .anyRequest().authenticated()
        .and()
        .oauth2Client()
        .and()
        .logout()
        .and()
        .oauth2Login()
            .redirectionEndpoint().baseUri("/login/oauth2/code/cognito")
        .and();
    // Second authorizeRequests() call on the same HttpSecurity
    http.authorizeRequests()
        .anyRequest().authenticated()
        .and().oauth2ResourceServer().jwt();
    return http.build();
}
Any assistance is appreciated.
CodePudding user response:
Define .anyRequest().authenticated() only once:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // TODO disable CSRF because when enabled controllers aren't initialized
        // and if they are, POST requests get 403
        .csrf().disable()
        .oauth2Client()
        .and()
        .logout()
        .and()
        .oauth2Login()
            .redirectionEndpoint().baseUri("/login/oauth2/code/cognito");
    http.authorizeRequests()
        .anyRequest().authenticated().and()
        .oauth2ResourceServer().jwt();
    return http.build();
}
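The answer merges both adapters into one chain. If you want to keep the original two-chain split (bearer-token requests on one chain, browser login on the other), the same migration can be done with two ordered SecurityFilterChain beans; this is an added example, not the asker's or answerer's code. It assumes Spring Boot 2.7 / Spring Security 5.7+ (where the requestMatcher() and authorizeRequests() calls used on this page still exist) and that the Cognito client registration and resource-server issuer-uri are set in application properties, as the original adapters required.

```java
// Added example (not from the original post). Assumes Spring Security 5.7+,
// where SecurityFilterChain beans coexist with requestMatcher()/authorizeRequests().
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

@Configuration
public class CognitoSecurityFilterChains {

    // Chain 1 (mirrors the original @Order(1) adapter): only requests that carry an
    // Authorization header are routed here and validated as JWT bearer tokens.
    // authorizeRequests() is called exactly once per chain, which is what avoids
    // "Can't configure antMatchers after anyRequest".
    @Bean
    @Order(1)
    public SecurityFilterChain tokenChain(HttpSecurity http) throws Exception {
        http
            .requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt());
        return http.build();
    }

    // Chain 2 (mirrors the original @Order(2) adapter): every other request gets the
    // interactive OIDC login against Cognito.
    @Bean
    @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            // kept from the original configuration (see its TODO)
            .csrf().disable()
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Client()
            .and()
            .logout()
            .and()
            .oauth2Login(login -> login
                .redirectionEndpoint().baseUri("/login/oauth2/code/cognito"));
        return http.build();
    }
}
```

Because the first chain is selected purely by the presence of an Authorization header, a request with a malformed or expired bearer token gets a 401 from the resource server rather than falling through to the login redirect, which is the same behaviour the original ordered adapters had.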