How to allow “/api/**” through my basic auth config and into my oauth config in Spring Security

Question

I have an app that uses both Basic Auth and OAuth2.

Some URLs are authorized using Basic Auth and \"/api/**\" is authorized using OAuth2.

Currently, I have t

Answer 1

You should use Order(...) annotation on @Configuration classes. Make your OAuth2ServerConfig config first and serving only http.requestMatchers().antMatchers("/api/**") and make your WebSecurityConfig second (@Order(2)) without http.requestMatchers() to serve all rest URLs!

See details on https://stackoverflow.com/a/44871933/173149