I am trying to enable basic http authentication for the actuator endpoints while keeping the jwt authentication for the api endpoints. I tried the following configuration for this:

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.csrf()
        .disable()
        .anonymous()
        .disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .antMatcher("/service/actuator/**")
        .httpBasic()
        .and()
        .authorizeRequests()
        .antMatchers("/service/api/**")
        .authenticated()
        .anyRequest()
        .authenticated()
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(restAuthenticationEntryPoint);

    http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
  }

However, it appears that I can use the JWT token and basic auth as well for the actuator endpoints while no authentication also works for all the api endpoints. Did I mess up the order? Is there a better way to do this?

CodePudding user response：

the following worked for me

  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.csrf()
        .disable()
        .anonymous()
        .disable()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/service/actuator/**")
        .permitAll()
        .and()
        .httpBasic()
        .and()
        .authorizeRequests()
        .antMatchers("/service/api/**")
        .authenticated()
        .anyRequest()
        .authenticated()
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(restAuthenticationEntryPoint);

    http.addFilterBefore(jwtTokenFilter, UsernamePasswordAuthenticationFilter.class);
  }