多个WebSecurityConfigurerAdapters:spring security中的JWT认证和表单登录

我有带有 thymeleaf 的 spring boot 应用程序.我正在使用 spring security formLogin 方法来保证安全,现在我只需要为一些 API 添加 JWT.

I have spring boot app with thymeleaf. I am using spring security formLogin method for security and now I need to add JWT for only some APIs.

public class SecurityConfigurations {
    UserDetailsServiceImpl userDetails;

    DaoAuthenticationProvider provider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        return provider;

    PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();


    public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {

        private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

        private JwtRequestFilter jwtRequestFilter;

        DaoAuthenticationProvider provider;

        protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();

        protected void configure(HttpSecurity httpSecurity) throws Exception {




            // Add a filter to validate the tokens with every request
            httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);

    public static class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {
        DaoAuthenticationProvider provider;

        protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        protected void configure(HttpSecurity http) throws Exception {
                    .hasAnyRole("ADMIN", "SADMIN", "WADMIN").antMatchers("/rest/**")
                    .hasAnyRole("ADMIN", "SADMIN", "WADMIN", "USER").antMatchers("/user/**").hasAnyRole("USER")
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")



通过执行此操作,JWT 可以正常工作,但 formlogin 已停止并调用/signInProcess".现在给404:

by doing this JWT is working fine as just I need but the formlogin has stopped and calling "/signInProcess" now give 404:

注意:如果我更改顺序并设置 formLogin @order(1) 它会再次工作,但当然不会工作.

NOTE: if I change the order and make formLogin @order(1) it works again but of course will not work.

我也尝试像这样将它们结合起来,现在它们都可以正常工作,但是如果 JWT 身份验证错误将返回 formlogin thymeleaf 错误页面,则会出现异常处理问题:

Also I tried to combine them both like this now it is both works fine but the problem with exception handling if the JWT authentication error will return formlogin thymeleaf error page :

        protected void configure(HttpSecurity http) throws Exception {
                    .hasAnyRole("ADMIN", "SADMIN", "WADMIN").antMatchers("/rest/**")
                    .hasAnyRole("ADMIN", "SADMIN", "WADMIN", "USER").antMatchers("/user/**").hasAnyRole("USER")
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
            http.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);



any suggestions to make this work. thank you.


您的 WebSecurityConfigurerAdapters 将按顺序处理传入的请求.
由于 JWTSecurityConfig 带有 @Order(1) 注释,它会首先处理请求.

Your WebSecurityConfigurerAdapters will process the incoming requests in order.
Since JWTSecurityConfig is annotated with @Order(1) it will process the requests first.

这意味着请求永远不会到达 FormLoginConfigurationAdapter,因为 JWTSecurityConfig 匹配所有这些.

You have not specified a antMatcher for this Adapter, so it will match all requests.
This means that a request will never reach FormLoginConfigurationAdapter, since JWTSecurityConfig matches them all.

如果您希望 JWTSecurityConfig 仅适用于某些请求,您可以在安全配置中指定 antMatcher.

If you want JWTSecurityConfig to only apply to certain requests, you can specify an antMatcher in your security configuration.
Below is an example:

public class SecurityConfigurations {

    public class JWTSecurityConfig extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
              .requestMatchers(matchers -> matchers
                  .antMatchers("/api/**") // apply JWTSecurityConfig to requests matching "/api/**"
              .authorizeRequests(authz -> authz
              .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);

    public class FormLoginConfigurationAdapter extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
              .authorizeRequests(authz -> authz

关于多个WebSecurityConfigurerAdapter的更多细节,可以查看multiple HttpSecurity 部分.

For more details on multiple WebSecurityConfigurerAdapter, you can see the multiple HttpSecurity section in the Spring Security reference docs.

authorizeRequests()requestMatchers() 的更多区别可以看这个 Stack Overflow 问题.

For more details on the difference between authorizeRequests() and requestMatchers(), you can see this Stack Overflow question.
