How to add a filter only for one special path WebS

We have a configuration which looks like this:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    public static final String LOGIN_PATH_EXPRESSION = "/login";
    public static final String API_PATH_EXPRESSION = "/api/**/*";
    public static final String GLOBAL_PATH_EXPRESSION = "/**/*";

    @Autowired
    @Qualifier("ssoFilter")
    private Filter ssoFilter;

    @Autowired
    private VerifyingProcessingFilter verifyingProcessingFilter;


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .userDetailsService(username -> new User(username, "", Collections.emptyList()))
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers(LOGIN_PATH_EXPRESSION)
                .authenticated()
                .and()
                .httpBasic()
                .and()
                .authenticationProvider(new SimpleAuthenticationProvider())
            .authorizeRequests()
                .antMatchers(API_PATH_EXPRESSION).authenticated()
                .and()
                .addFilterBefore(ssoFilter, BasicAuthenticationFilter.class)
                .addFilterAfter(verifyingProcessingFilter, FilteredOAuth2AuthenticationProcessingFilter.class)
            .authorizeRequests()
                .antMatchers(GLOBAL_PATH_EXPRESSION)
                .permitAll()
                .and()
                .csrf()
                .disable();
    }

And recognized that we end inside of the FilteredOAuth2AuthenticationProcessingFilter within a /logincall and asked ourself why this is happening.

The goal is to have the ssoFilter and the verifyingProcessingFilter only applied when hitting an endpoint with the path api/**/*.

Right now we have to add a AntMatching check inside of the filter so it is only applied to the right request but i assume it should be possible to add it only to the matching requests.

Could someone provide an example on how to add a Filter to one specific Ant Matching path request?

Looks like you can't do that with a single Configuration class. Take a look at this question: How to apply spring security filter only on secured endpoints?.

In this case, I think the better solution is to configure multiple HttpSecurity. From Spring IO documentation:

We can configure multiple HttpSecurity instances just as we can have multiple blocks. The key is to extend the WebSecurityConfigurationAdapter multiple times. For example, the following is an example of having a different configuration for URL’s that start with /api/.

The documentation has a full example with the necessary steps to accomplish this:

Configure Authentication as normal

Create an instance of WebSecurityConfigurerAdapter that contains @Order to specify which WebSecurityConfigurerAdapter should be considered first.

The http.antMatcher states that this HttpSecurity will only be applicable to URLs that start with /api/

Create another instance of WebSecurityConfigurerAdapter. If the URL does not start with /api/ this configuration will be used. This configuration is considered after ApiWebSecurityConfigurationAdapter since it has an @Order value after 1 (no @Order defaults to last).

Good luck!