How to allow “/api/**” through my basic auth config and into my oauth config in Spring Security

忘掉有多难 2020-12-21 17:52

I have an app that uses both Basic Auth and OAuth2.

Some URLs are authorized using Basic Auth and "/api/**" is authorized using OAuth2.

Currently, I have t

2 Answers
  • 2020-12-21 18:44

    You should use the Order(...) annotation on @Configuration classes. Make your OAuth2ServerConfig config first, serving only http.requestMatchers().antMatchers("/api/**"), and make your WebSecurityConfig second (@Order(2)) without http.requestMatchers() to serve all the rest of the URLs!

    See details on https://stackoverflow.com/a/44871933/173149

  • 2020-12-21 18:48

    You can use NegatedRequestMatcher:

    A RequestMatcher that will negate the RequestMatcher passed in. For example, if the RequestMatcher passed in returns true, NegatedRequestMatcher will return false. If the RequestMatcher passed in returns false, NegatedRequestMatcher will return true.

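An added example, not code from the question or from either answer, showing the two suggestions together: an ordered chain that claims only "/api/**" for OAuth2 and a second chain that uses NegatedRequestMatcher so Basic Auth never applies to API paths. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter), JWT bearer tokens on the OAuth2 side with a JwtDecoder already configured, and hypothetical class names.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
public class SplitSecurityConfig { // hypothetical class name

    // One shared matcher so both chains agree on what counts as an API path.
    static final RequestMatcher API = new AntPathRequestMatcher("/api/**");

    @Configuration
    @Order(1) // consulted first; claims only /api/**
    public static class ApiOAuth2Config extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(API)
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .oauth2ResourceServer().jwt(); // assumption: JWT bearer tokens
        }
    }

    @Configuration
    @Order(2) // handles every request the API chain did not claim
    public static class BasicAuthConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Explicit negation: this chain cannot match /api/** even if the
            // ordering above is changed later.
            http.requestMatcher(new NegatedRequestMatcher(API))
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }
}
```

Spring Security picks the first chain whose matcher accepts the request, so the ordering alone routes "/api/**" to OAuth2; the negated matcher makes the split explicit and keeps Basic credentials from being accepted on API paths if the order values are edited.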