I am trying to use OAuth 2.0 to secure my API's endpoints together with the default actuator security. I can get either of them to work independently but not together
For OAuth, I have the following FilterChain
public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.csrf(AbstractHttpConfigurer::disable)
.formLogin(AbstractHttpConfigurer::disable)
.oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()))
.sessionManagement(sessionManagement ->
sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
return http.build();
}
My spring security configuration looks likes this
security:
user.name: admin
user.password: somepassword
oauth2:
resource-server:
jwt:
issuer-uri: {MY ISSUER URI}
I also have management.security.enabled=true
I would expect that the actuator endpoints use basic authentication asking for username and password and all other endpoints should use OAuth.
I have also tried adding a second FilterChain with different order for actuator, but that also doesn't work
@Bean
@Order(Ordered.LOWEST_PRECEDENCE - 1)
public SecurityFilterChain actuatorFilterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
http.authorizeHttpRequests(authorize -> authorize
.requestMatchers(mvc.pattern(HttpMethod.GET, "/actuator/**")).authenticated()
).httpBasic(Customizer.withDefaults());
return http.build();
}
Is there a standard way to implement this usecase?