Spring Security OAuth2: how to add multiple Security Filter Chain of type ResourceServerConfigurer?

Question

I set up a Spring Boot multi modules (5 modules) app with Spring Security OAuth2. Everything works well but as the application is growing I want to separate the security part in each module. The main module enables everything:

@SpringBootApplication
@EnableResourceServer
@EnableAuthorizationServer
@EnableWebSecurity(debug = true)
public class Application {  
  ...
}

Now in each module I defined a bean of type ResourceServerConfigurer

@Configuration
@Order(2)
public class Module1SecurityFilterChain extends ResourceServerConfigurerAdapter {

   @Override
   public void configure( HttpSecurity http ) throws Exception {
      http.sessionManagement().sessionCreationPolicy( STATELESS );
      http.antMatcher( "/module1/**")
            .authorizeRequests()
            .antMatchers( "/module1/resource").authenticated()
            .antMatchers( "/module1/test" ).authenticated()
            .anyRequest().access( "#oauth2.hasScope('webclient')" );
   }
}

Same thing with module2:

@Configuration
@Order(1)
public class Module2SecurityFilterChain extends ResourceServerConfigurerAdapter {

   @Override
   public void configure( HttpSecurity http ) throws Exception {
      http.sessionManagement().sessionCreationPolicy( STATELESS );
      http.antMatcher( "/module2/**")
            .authorizeRequests()
            .antMatchers( "/module2/resource").authenticated()
            .antMatchers( "/module2/test" ).authenticated()
            .anyRequest().access( "#oauth2.hasScope('webclient')" );
   }
}

And so on...

The problem is that only one FilterChain is registered, the one whith @Order(2). I took a look at the doc of ResourceServerConfigurer and it states this:

... if more than one configures the same preoperty, then the last one wins. The configurers are sorted by Order before being applied

How can I proceed to bypass this limitation? Thanks a lot.

EDIT

Doing this (extending WebSecurityConfigurerAdapter instead of ResourceServerConfigurerAdapter):

@Configuration
@Order(1)
public class Module2SecurityFilterChain extends WebSecurityConfigurerAdapter {...}

seems to register the filter chain but there is another problem, when I authenticate a user (getting token on /oauth/token) I can't acces a resource protected by this chain, I got a 403 Forbidden. How does this black box work?

Answer 1

You can configure multiple matchers using across multiple beans by using requestMatchers().antMatchers(String...) like so:

@Configuration
public class Module2SecurityFilterChain extends ResourceServerConfigurerAdapter {

   @Override
   public void configure(HttpSecurity http) throws Exception {
       http
           .requestMatchers()
               .antMatchers("/module2/**")
           .authorizeRequests()
               .antMatchers("/module2/resource").authenticated()
               .antMatchers("/module2/test").authenticated()
               .anyRequest().access("#oauth2.hasScope('webclient')");
   }
}

It's a little confusing, but when you call http.antMatcher(String), this is stating that you want to match only against that one endpoint. So, calling it twice (once in Module1SecurityFilterChain and then again in Module2SecurityFilterChain), the second call overrides the first.

However, using http.requestMatchers().antMatchers(String) indicates that the given String should be added to the existing list of endpoints being already matched. You can think of antMatcher as a bit like "setMatcher" and antMatchers like "appendMatcher".