Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


java - WebSecurityConfigurer for oauth2 and another authentication provider

I have 2 types of users on my app: one type who can use an LDAP AuthenticationProvider and the other who can use Salesforce Oauth2. They both need to access my APIs.

I have the following in my WebSecurityConfigurerAdapter:

    // Config for LDAP
    httpSecurity
        .csrf().disable().headers().frameOptions().deny()
        .and()
        .authorizeRequests().antMatchers("/admin/login").permitAll()
        .antMatchers("/admin/**").authenticated()
        .and().exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
        .and().sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);

    // Config for Salesforce Oauth2
    httpSecurity.csrf().disable().headers().frameOptions().deny().and()
        .authorizeRequests().antMatchers("/client/**").authenticated()
        .and()
        .oauth2Login()
        .userInfoEndpoint()
        .userService(myOAuth2UserService);

I thought I could use both of these configurations in the same WebConf, but it doesn't work as expected: when I call /client I get a 401 error. But it works well if I delete the first LDAP configuration.

Is there a way to implement a configuration with both authentication solutions?

question from:https://stackoverflow.com/questions/65885685/websecurityconfigurer-for-oauth2-and-another-authentication-provider


1 Answer

0 votes
by (71.8m points)

You can use Providers for each of your implementations and then register these providers with the Spring AuthenticationManager.

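    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.stereotype.Component;

    @Component
    public class CustomAuthenticationProvider implements AuthenticationProvider {
        @Override
        public Authentication authenticate(Authentication auth)
          throws AuthenticationException {
            // Implementation for authentication goes here: verify the credentials
            // and return a fully populated Authentication on success.
            // Placeholder so the class compiles and rejects by default.
            throw new BadCredentialsException("Authentication not implemented");
        }

        // This provider is only consulted for username/password tokens.
        @Override
        public boolean supports(Class<?> auth) {
            return auth.equals(UsernamePasswordAuthenticationToken.class);
        }
    }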

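Now in your WebSecurityConfigurerAdapter, you can register multiple auth providers:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @EnableWebSecurity
    public class MultipleAuthProvidersSecurityConfig
      extends WebSecurityConfigurerAdapter {
        @Autowired
        CustomAuthenticationProvider customAuthProvider;

        @Override
        public void configure(AuthenticationManagerBuilder auth)
          throws Exception {
            // First provider: the custom implementation.
            auth.authenticationProvider(customAuthProvider);
            // Second provider: in-memory user store with a BCrypt-hashed password.
            auth.inMemoryAuthentication()
                .withUser("memuser")
                .password(passwordEncoder().encode("pass"))
                .roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Require authentication (HTTP Basic) for everything under /api/.
            http.httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers("/api/**")
                .authenticated();
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }
    }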

Here in this example, there is one CustomAuthenticationProvider and the other is the InMemoryAuthentication provider. You could always write implementations of your own providers.

Source: https://www.baeldung.com/spring-security-multiple-auth-providers
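
The question's two rule sets can also be split into two filter chains, one per URL space, so that the JWT entry point and the stateless session policy configured for /admin/** no longer apply to /client/**. This is an added example, not code from the question or the answer; the class names, the bean types (AuthenticationEntryPoint, javax.servlet.Filter, OAuth2UserService) and beans named like the fields are assumptions:

```java
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class SplitSecurityConfig {
    @Configuration
    @Order(1) // consulted first; this chain only ever sees /admin/**
    public static class AdminJwtConfig extends WebSecurityConfigurerAdapter {
        @Autowired AuthenticationEntryPoint jwtAuthenticationEntryPoint; // type assumed
        @Autowired Filter jwtRequestFilter; // type assumed, bean named jwtRequestFilter

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/admin/**")
                .csrf().disable() // stateless token API, as in the question
                .headers().frameOptions().deny().and()
                .authorizeRequests()
                    .antMatchers("/admin/login").permitAll()
                    .anyRequest().authenticated().and()
                .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
        }
    }

    @Configuration
    @Order(2) // /client/** plus Spring Security's default OAuth2 login endpoints
    public static class ClientOAuth2Config extends WebSecurityConfigurerAdapter {
        @Autowired OAuth2UserService<OAuth2UserRequest, OAuth2User> myOAuth2UserService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers().antMatchers("/client/**", "/oauth2/**", "/login/**").and()
                .headers().frameOptions().deny().and()
                .authorizeRequests().anyRequest().authenticated().and()
                .oauth2Login().userInfoEndpoint().userService(myOAuth2UserService);
        }
    }
}
```

The /oauth2/** and /login/** matchers cover the default authorization-request and redirect endpoints used by oauth2Login. The client chain keeps the default CSRF protection and session handling, since oauth2Login stores the authorization request in the HTTP session by default.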
