I'm using Spring Boot Security with OAuth2. I wan't to disable security for health endpoint.
I can totally disable security or write my own implementation of WebSecurityConfigurerAdapter and disable autoconfigured one.
But how to modify existing implementation of WebSecurityConfigurerAdapter (OAuth2SsoDefaultConfiguration)?
I tried to create my own configuration without disabling autoconfigured one, but it is impossible due to Order conflicts.
Here is the error message:
Caused by: java.lang.IllegalStateException: @Order on WebSecurityConfigurers must be unique.
Order of 100 was already used on SecurityConfiguration$$EnhancerBySpringCGLIB$$9505fc58@13f182b9,
so it cannot be used on
org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2SsoDefaultConfiguration$$EnhancerBySpringCGLIB$$dc290e2b@5ee0cf64 too.
Also, I tried to explicitly set higher order for my own security configuration, but looks like autoconfigured one overrides mine.
So how to override specific security rules without reimplementing whole configuration?
You need to implement the following method in your
@SpringBootApplication class
@SpringBootApplication
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
public class BusinessLogicServiceApplication extends ResourceServerConfigurerAdapter {
public static void main(String[] args) throws IOException {
ConfigurableApplicationContext context =
SpringApplication.run(BusinessLogicServiceApplication.class, args);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/health").permitAll().anyRequest().authenticated();
}
}