WebSecurity.ignoring() in ResourceServerConfigurerAdapter
I'm currently implementing OAuth2 through Cognito for my Spring Boot API. As a part of configuring Spring Security, I set up my ResourceServerConfigurerAdapter with an override of configure(HttpSecurity http). However, I also needed to use the configure(WebSecurity webSecurity) override in order to use WebSecurity.ignoring, because several of my endpoints need to be publicly accessible.
So this led to me having a WebSecurityConfigurerAdapter as well as my ResourceServerConfigurerAdapter. The problem arose with CSRF, though. The ResourceServerConfig is disabling CSRF, but the WebSecurityConfig was apparently taking precedence, and now all my endpoints require CSRF. Overriding configure(HttpSecurity) in the WebSecurityConfig to disable CSRF fixes the issue but seems wrong to me. I'd like to not have to override and mess with HttpSecurity twice, and ResourceServerConfig doesn't have a webSecurity.ignoring option to my knowledge.
Here's my code for the two below:
WebSecurityConfiguration

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        //Disabling this fixes the csrf issue.
        http.csrf().disable();
    }

    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        // Paths listed here are excluded from the security filter chain entirely
        // (no authentication, no CSRF check, no security headers).
        webSecurity.ignoring().antMatchers("/api/auctions/**", "/api/lots/**");
    }
}
```
ResourceServerConfiguration

```java
import java.util.Collections;

import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

// @Configuration is required for Spring to pick this class (and its @Bean) up.
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {

    private final ResourceServerProperties resource;

    public SecurityConfiguration(ResourceServerProperties resource) {
        this.resource = resource;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.cors();
        http.csrf().disable();
        // antMatchers("/**") already covers every request, so anyRequest() is redundant here.
        http.authorizeRequests().antMatchers("/**").permitAll().anyRequest().permitAll();
    }

    // Enabling Cognito Converter
    @Bean
    public TokenStore jwkTokenStore() {
        // Verifies JWTs against the Cognito JWK set; CognitoAccessTokenConverter is our own class.
        return new JwkTokenStore(
                Collections.singletonList(resource.getJwk().getKeySetUri()),
                new CognitoAccessTokenConverter(),
                null);
    }
}
```
I mostly just want some guidance on what the best path on this is. I've done some digging online and there's conflicting and outdated answers, and everyone seems to be doing very different things with these configurations.
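As an added illustration, not the asker's code and not one of the page's answers, the following consolidates the two adapters above into a single ResourceServerConfigurerAdapter: the public prefixes from the question are expressed with permitAll() rather than WebSecurity.ignoring(), so HttpSecurity (including the CSRF setting) is configured in one place. It assumes the same CognitoAccessTokenConverter and ResourceServerProperties as the question and that the API is a stateless bearer-token API.

```java
import java.util.Collections;

import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

// Added example: one adapter, so HttpSecurity is configured in exactly one place.
@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ConsolidatedResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    // Public prefixes from the question. permitAll() keeps these requests inside the
    // security filter chain (CORS, security headers, bearer-token parsing still run),
    // whereas WebSecurity.ignoring() removes them from the chain entirely.
    private static final String[] PUBLIC_ENDPOINTS = {"/api/auctions/**", "/api/lots/**"};

    private final ResourceServerProperties resource;

    public ConsolidatedResourceServerConfiguration(ResourceServerProperties resource) {
        this.resource = resource;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.cors();
        // A stateless bearer-token API has no session cookie for CSRF to protect,
        // so this is the single, deliberate place CSRF is switched off.
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests()
                .antMatchers(PUBLIC_ENDPOINTS).permitAll()
                .anyRequest().authenticated(); // everything else needs a valid Cognito JWT
    }

    @Bean
    public TokenStore jwkTokenStore() {
        // CognitoAccessTokenConverter is the asker's own class, assumed to exist as in the question.
        return new JwkTokenStore(
                Collections.singletonList(resource.getJwk().getKeySetUri()),
                new CognitoAccessTokenConverter(),
                null);
    }
}
```

With only one adapter registered there is no second HttpSecurity to override, and the public paths still get the chain's CORS and header handling while unauthenticated requests to anything else are rejected.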
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
