PreAuthorize and custom AuthenticationFilter with Spring boot
Spring Security has always been tedious to configure, and the only foolproof ways are:
- either be an expert on it and be prepared to look in the sources, and then you can do hard things by hand
- or use as much as possible of what is provided by the framework, using examples from the documentation whenever possible
For the configuration of an `X509AuthenticationFilter`, the `HttpSecurity` javadoc gives the method `x509` with the following example (adapted to your config - see the javadoc for the original one):
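```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().permitAll()
            // and() returns to HttpSecurity; x509() is not available on the authorizeRequests() registry
            .and()
            // Example x509() configuration
            .x509();
    }
}
```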
with the following indication: the method returns the `X509Configurer` for further customizations.
Unless you have a good reason to do differently (and if it is the case please say it) I strongly advise you to stick to that method.
But it is really a bad idea to use pre-post annotations on a controller for what could be done directly in the `HttpSecurity` configuration. It forced you to use `proxyTargetClass = true`.
Pre and post annotations are normally applied to methods of the service layer, which do not require `proxyTargetClass=true`, since services are normally wired to controllers through interfaces, allowing JDK proxying.
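
The layout described above, as an added example that is not part of the original answer: URL rules and the `x509()` customizations sit in `HttpSecurity`, and `@PreAuthorize` sits on a service interface so the default JDK proxying is enough. Assumptions: a Spring Security version that still ships `WebSecurityConfigurerAdapter`; the path `/admin/**`, the certificate CNs, `ReportService` and `DefaultReportService` are hypothetical names constructed for the illustration.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // proxyTargetClass keeps its default (false)
class X509SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()                              // URL rules here, not on the controller
                .antMatchers("/admin/**").hasAuthority("ROLE_ADMIN") // hypothetical path
                .anyRequest().authenticated().and()
            .x509()                                           // returns the X509Configurer
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")     // user name = certificate CN
                .userDetailsService(certificateUsers());
    }
    @Bean
    UserDetailsService certificateUsers() {
        // Constructed allowlist: a certificate with an unknown CN is rejected, not given a default role
        return cn -> {
            if ("admin-client".equals(cn)) return new User(cn, "", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
            if ("report-client".equals(cn)) return new User(cn, "", AuthorityUtils.createAuthorityList("ROLE_USER"));
            throw new UsernameNotFoundException("no account mapped to certificate CN " + cn);
        };
    }
}
interface ReportService { // controllers inject this interface, so a JDK proxy can enforce the rules
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    void purge(long reportId);
    @PreAuthorize("isAuthenticated()")
    List<String> titles();
}
@Service
class DefaultReportService implements ReportService {
    public void purge(long reportId) { /* delete the report */ }
    public List<String> titles() { return Arrays.asList("q1", "q2"); }
}
```

The servlet container still has to request client certificates during the TLS handshake; `x509()` only reads the certificate the container has already validated against its trust store.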