I would like every URL that is not under the paths /cobrands and /fdt to require a password. If I'm asking, for example, for /fdt/name, I should not be asked for HTTP authentication.

    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        /** code **/
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.exceptionHandling().authenticationEntryPoint(entryPoint()).and()
                .authorizeUrls()
                    .antMatchers("/**").hasAnyAuthority("wf_cobrand_lettura", "wf_cobrand_fdt")
                    .antMatchers("/cobrands/*").permitAll()
                    .antMatchers("/fdt/*").permitAll()
                    .and()
                .httpBasic();
        }
    }

Matchers are processed in order, so your .antMatchers("/**") catches all requests and the two remaining matchers are never evaluated.
Put it this way round:

    http.exceptionHandling().authenticationEntryPoint(entryPoint()).and()
        .authorizeUrls()
            .antMatchers("/cobrands/*").permitAll()
            .antMatchers("/fdt/*").permitAll()
            .antMatchers("/**").hasAnyAuthority("wf_cobrand_lettura", "wf_cobrand_fdt")
            .and()
        .httpBasic();
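
Added example, not part of the original question or answer: a stand-alone Java model of ordered, first-match-wins rule evaluation that compares the two orderings above on constructed paths. The class `FirstMatchDemo` and its helpers are hypothetical and only approximate Ant-style matching (whole-segment `*` and `**`); this is not Spring Security's own matcher.

```java
import java.util.*;

// Simplified model of ordered, first-match-wins URL rules (assumption: not Spring's code).
public class FirstMatchDemo {

    // Rules are checked in declaration order; LinkedHashMap preserves that order.
    static String decide(LinkedHashMap<String, String> rules, String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (matches(rule.getKey().split("/", -1), 0, path.split("/", -1), 0)) {
                return rule.getValue(); // first matching rule wins, later rules are ignored
            }
        }
        return "no rule";
    }

    // Segment-wise match: "*" = exactly one segment, "**" = zero or more segments.
    static boolean matches(String[] pat, int i, String[] seg, int j) {
        if (i == pat.length) return j == seg.length;
        if (pat[i].equals("**")) {
            for (int k = j; k <= seg.length; k++) {
                if (matches(pat, i + 1, seg, k)) return true;
            }
            return false;
        }
        if (j == seg.length) return false;
        if (!pat[i].equals("*") && !pat[i].equals(seg[j])) return false;
        return matches(pat, i + 1, seg, j + 1);
    }

    public static void main(String[] args) {
        LinkedHashMap<String, String> broken = new LinkedHashMap<>();
        broken.put("/**", "authenticated");      // catch-all first: shadows everything below
        broken.put("/cobrands/*", "permitAll");
        broken.put("/fdt/*", "permitAll");

        LinkedHashMap<String, String> fixed = new LinkedHashMap<>();
        fixed.put("/cobrands/*", "permitAll");   // specific rules first
        fixed.put("/fdt/*", "permitAll");
        fixed.put("/**", "authenticated");       // catch-all last

        // Constructed sample paths
        for (String p : new String[] {"/fdt/name", "/cobrands/x", "/admin", "/fdt/a/b", "/fdt"}) {
            System.out.printf("%-12s broken=%-14s fixed=%s%n",
                    p, decide(broken, p), decide(fixed, p));
        }
    }
}
```

In this model `/fdt/a/b` and `/fdt` still fall through to `/**` under the corrected ordering, because `*` covers exactly one path segment; the Ant-style `**` is the pattern that spans nested segments.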