Although there is no good tutorial, I have made a usable example with OAuth for you to consider. I have tried all the steps described below.
The repository is here. I have tested the code, and I logged in via OAuth Apps.
To try the application, you need
git clone https://github.com/Hdvlp/SpringBootSecurityFilterChainMigration.git
and other steps in developing a Spring Boot application. (not a complete tutorial here)
To create your OAuth Apps, you need these:
Fill in:
Your client-id and client-secret in application.yml.
Homepage URL:
Authorization callback URL:
http://127.0.0.1:8080/login/oauth2/code/github
After running the Spring Boot application locally, open in the browser:
You may try other paths in the browser to see the effect before and after logging in, e.g.
http://127.0.0.1:8080/member/area
http://127.0.0.1:8080/actuator/health/servicea
As illustrated below, you need to decide what paths are in what order.
This is what I tried. The logic of evaluation is like this:
The @Order which is smaller in number wins. The path matching matchedPaths wins.
If you have two @Order annotations with the same matchedPaths, and one @Order contains a smaller value, the latter wins. (The SecurityFilterChain with the larger @Order annotation produces no effect.)
If you have two SecurityFilterChains with @Order annotations with different matchedPaths, both SecurityFilterChains are run.
As far as I tried, matching "/actuator/health/**" (left prefix) works, whereas matching "/**/actuator/health" (right suffix) does not work (easily). You may need to change your paths accordingly.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration // class name is arbitrary; any @Configuration class can hold the bean
public class ActuatorSecurityConfig {

    @Bean
    @Order(500) // smaller number than the other chains, so this chain is consulted first
    SecurityFilterChain securityFilterChainActuator(HttpSecurity http) throws Exception {
        // left-prefix pattern: only requests under /actuator/health/ reach this chain
        String[] matchedPaths = { "/actuator/health/**" };
        http
            // CSRF protection is switched off for this chain only (health checks are session-less GETs)
            .csrf(AbstractHttpConfigurer::disable)
            // limit the whole chain to matchedPaths; any other path falls through to later chains
            .securityMatcher(matchedPaths)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(matchedPaths)
                .permitAll() // the health endpoint is reachable without logging in
            );
        return http.build();
    }
}
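To show the ordering rule from the answer with a second chain, here is an added companion chain that is not part of the linked repository: it assumes the actuator chain above stays at @Order(500), and that the class name, the @Order(1000) value and the public paths listed under permitAll are choices for this illustration. A request to /actuator/health/servicea is settled by the actuator chain, while /member/area does not match its securityMatcher and falls through to this chain, which demands a GitHub login.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration // assumed class name for this example
public class MemberAreaSecurityConfig {

    // Larger number than the actuator chain (500): Spring Security asks the
    // chains in ascending @Order and uses the first whose securityMatcher accepts
    // the request. This chain declares no securityMatcher, so it accepts every
    // request the actuator chain did not take. If it were given a smaller @Order
    // than 500 it would also swallow /actuator/health/**, and the actuator chain
    // would produce no effect, as described in the answer.
    @Bean
    @Order(1000)
    SecurityFilterChain securityFilterChainDefault(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // landing page, login flow and error page stay public (assumed paths)
                .requestMatchers("/", "/login/**", "/error").permitAll()
                // everything else, e.g. /member/area, needs an authenticated user
                .anyRequest().authenticated()
            )
            // OAuth2 login with the GitHub client-id/client-secret from application.yml;
            // the provider redirects back to /login/oauth2/code/github
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

Starting the application with both chains and opening /actuator/health/servicea and /member/area in the browser shows the effect described above: the first answers without a login page, the second redirects to GitHub.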