I am trying to set up multiple WebsecurityConfigurerAdapter for my project where the spring boot actuator APIs are secured using basic auth and all other endpoints are authenticated using JWtAuthentication. I am just not able to make it work together, only the config with the lower order works. I am using Spring Boot 2.1.5.RELEASE
Security Config One with JWT Authenticator
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private static final String[] AUTH_WHITELIST = {
protected void configure(HttpSecurity http) throws Exception {
.antMatchers("/abc/**", "/abc/pdf/**").hasAuthority("ABC")
.oauth2ResourceServer().jwt().jwtAuthenticationConverter(new GrantedAuthoritiesExtractor());
The basic Auth config with username/password
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
/* @Bean
public UserDetailsService userDetailsService(final PasswordEncoder encoder) {
final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
return manager;
@Bean PasswordEncoder encoder(){
return new BCryptPasswordEncoder();
protected void configure(HttpSecurity http) throws Exception {
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
I have been trying to make it work for many days but cannot make both of them work together. If i swap the order, only basic auth works and not the JWT Auth Manager.
I have gone through a lot of SOF Questions, like
Nothing seems to be working, is this a known issue in Spring?
To use multiple WebsecurityConfigurerAdapter
, you need restrict them to specific URL patterns using RequestMatcher
In your case you can set a higher priority for ActuatorSecurityConfig
and limit it only to actuator endpoints:
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
Answered By - Anar Sultanov
Answer Checked By - David Goodson (JavaFixing Volunteer)