Is there an easy way to configure Authorization (containing a Bearer token) and X-API-TOKEN headers at the same time?

[ch4mpy]

Everything is in the title: how to authorize requests with either an Authorization header (containing a Bearer token) or an X-API-TOKEN header?

[ch4mpy]

This duplicates How to use this plugin with alternative authentication at the same time?: spring-addons auto-configures a resource server Security(Web)FilterChain with lowest precedence. This filter chain is designed to authorize requests with an Authorization header containing a Bearer token.

All that is needed is to expose an additional Security(Web)FilterChain bean to handle X-API-TOKEN. Something like:

@Configuration
public class SecurityConfig {

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain apiTokenFilterChain(HttpSecurity http) throws Exception {
        // Apply this filter-chain only to requests with an X-API-TOKEN header
        http.securityMatcher((HttpServletRequest request) -> {
            return Optional.ofNullable(request.getHeader("X-API-TOKEN")).isPresent();
        });

        http.exceptionHandling(eh -> eh.authenticationEntryPoint((request, response, authException) -> {
            response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "PrivateToken realm=\"Restricted Content\"");
            response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
        }));

        // FIXME: implement request authorization with your custom header.

        return http.build();
    }
}