A way to extend jmix security configuration

olzhas.jalmukhambeto · August 29, 2023, 1:09pm

Hi,
When setting up security for mappings with the following code:

http.authorizeHttpRequests((customizer) -> {
            customizer.requestMatchers(HttpMethod.GET, "/api/v1/dicts/**").permitAll();
            customizer.requestMatchers(HttpMethod.GET, "/api/v1/centers").permitAll();
            customizer.requestMatchers("/api/v1/registration/**").permitAll();
            customizer.requestMatchers("/api/v1/auth/**").permitAll();
            customizer.requestMatchers("/swagger-ui/**").permitAll();
            customizer.requestMatchers("/v3/api-docs/**").permitAll();
            customizer.anyRequest().authenticated();
        });

During application startup, the exception with message “Can’t configure requestMatchers after anyRequest” is thrown. This is because Jmix provides its own security configuration. Is there an alternative way for me to secure endpoints?

gorbunkov · August 30, 2023, 1:39pm

Hi,

You can find an example of how to provide security configuration for your endpoints in this topic.

olzhas.jalmukhambeto · August 31, 2023, 5:17am

Maxim, thank you for your response.
I’ve read through the topic. The answers there suggest to override FlowuiSecurityConfiguration. I guess, I should have picked “FlowUI project” option when creating a new project. But I have chosen “Fullstack application” template. What should I do in this case?

gorbunkov · August 31, 2023, 11:59am

The link I’ve sent you shows how to create a new SecurityFilterChain bean. It doesn’t override the FlowUiSecurityConfiguration. Just set some high order to make your filter chain be applied before the standard one from Jmix.