带有令牌认证的Spring Security Basic认证

Question

我有一个REST API应用程序，我想为一个端点配置JWT令牌身份验证，并为另一个端点配置BASIC身份验证。

例如：

1）/ admin端点将具有基本身份验证。

2）其他所有内容都将具有JWT令牌身份验证。

我正在使用以下配置来实现这一目标：

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
    private UserDetailsService userDetailsService;
    private BCryptPasswordEncoder bCryptPasswordEncoder;
    private SecurityProperties securityProperties;

    public WebSecurityConfig(UserDetailsService userDetailsService,
                             BCryptPasswordEncoder bCryptPasswordEncoder,
                             SecurityProperties securityProperties) {
        this.userDetailsService = userDetailsService;
        this.bCryptPasswordEncoder = bCryptPasswordEncoder;
        this.securityProperties = securityProperties;
    }

    @Configuration
    @Order(1)
    public class BasicAuthenticationConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/admin/**")
                    .csrf().disable()
                    .httpBasic().and()
                    .authorizeRequests().anyRequest().hasRole("ADMIN").and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("admin").password("password").roles("ADMIN");
        }
    }

    @Configuration
    @Order(2)
    public class TokenAuthenticationConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.
                    cors().and().csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/no-auth/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .addFilter(new JWTAuthenticationFilter(securityProperties, authenticationManager()))
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring()
                    .antMatchers("/v2/api-docs**", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**")
                    .antMatchers(HttpMethod.OPTIONS, "/**");
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
        }

        @Bean
        CorsConfigurationSource corsConfigurationSource() {
            CorsConfiguration corsConfiguration = new CorsConfiguration();
            corsConfiguration.applyPermitDefaultValues();
            corsConfiguration.setAllowedOrigins(Collections.singletonList("*"));
            corsConfiguration.setAllowedMethods(Arrays.asList("GET", "POST", "DELETE"));
            corsConfiguration.setMaxAge(3600L);
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", corsConfiguration);
            return source;
        }
    }
}

当我调用使用基本身份验证的/ admin /端点时，出现以下错误：

o.s.s.c.bcrypt.BCryptPasswordEncoder     : Encoded password does not look like BCrypt

这显然意味着/ admin端点正在使用JWT auth端点筛选器。 我已经指定了具有顺序1和非常具体的antMatcher的基本身份验证过滤器，因此它应该是捕获/ admin端点请求的过滤器。

那为什么不起作用？