Thanks will try it:) On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
> In my case it works something like this: > > @Configuration > @EnableWebSecurity > public class SecurityConfiguration { > > @Configuration > @Order(1) > public static class RestSecurityConfig extends > WebSecurityConfigurerAdapter { > > .. user details service, auth providers etc > > @Override > protected void configure(HttpSecurity http) throws Exception { > > http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated() > .and().csrf().disable() > > .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) > .and().httpBasic(); > } > } > > @Configuration > @Order(2) > public static class WicketSecurityConfig extends > WebSecurityConfigurerAdapter { > > .. user details service, auth providers etc > > @Override > protected void configure(AuthenticationManagerBuilder auth) throws > Exception { > auth.authenticationProvider(wicketAuthenticationProvider); > } > > @Override > protected void configure(HttpSecurity http) throws Exception { > http.antMatcher("/page/**").authorizeRequests() > .antMatchers("/page/login**").permitAll() > .antMatchers("/page/**").hasRole("ROLE") > > .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url") > .and().csrf().disable(); > } > > @Override > @Bean(name = "authenticationManager") > public AuthenticationManager authenticationManagerBean() throws > Exception { > return super.authenticationManagerBean(); > } > } > } > > The RestSecurityConfigwould be what you would do for actuators, for me > thats the REST API. > Not the order of "antMatcher", "authorizeRequests" and " antMatchers". > > Zbynek > > On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael < > nino.martinez.w...@gmail.com> wrote: > > > do you have an example? OR is it just to cut them into two like: > > WebSecurityConfigurerAdapter A: > > > > > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic(); > > > > WebSecurityConfigurerAdapter B: > > http > > .csrf().disable() > > .authorizeRequests().anyRequest().permitAll() > > .and() > > .logout() > > .permitAll(); > > http.headers().frameOptions().disable(); > > > > > > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <zbynekvav...@gmail.com> > > wrote: > > > > > Hi, > > > > > > I did similar thing, the trick here is to use two > > > WebSecurityConfigurerAdaptes. > > > > > > Zbynek > > > > > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael < > > > nino.martinez.w...@gmail.com> wrote: > > > > > > > Hope its okay to use the wicket user mailing list for this:) > > > > > > > > First of all thanks to MarcGiffing for making the project. But I > cannot > > > get > > > > actuator endpoints to work with spring security and wicket spring > > boot.. > > > > I've tried a lot of things.. > > > > > > > > IN my WebSecurityConfigurerAdapter: > > > > > > > > http > > > > > > > > > > > > > > > > > > .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic(); > > > > > > > > http > > > > .csrf().disable() > > > > .authorizeRequests().anyRequest().permitAll() > > > > .and() > > > > .logout() > > > > .permitAll(); > > > > http.headers().frameOptions().disable(); > > > > > > > > But that just disables actuator and messes with the Wicket side of > the > > > > security.. Any one have some clues= > > > > > > > > -- > > > > Best regards / Med venlig hilsen > > > > Nino Martinez > > > > > > > > > > > > > -- > > Best regards / Med venlig hilsen > > Nino Martinez > > > -- Best regards / Med venlig hilsen Nino Martinez