下面列出了怎么用org.springframework.security.web.util.matcher.AndRequestMatcher的API类实例代码及写法,或者点击链接到github查看源代码。
/**
 * Creates the username/password authentication filter for the API login endpoint.
 *
 * <p>The filter is triggered by requests whose path matches {@code API_LOGIN_URL}, reads the
 * credentials from the {@code USERNAME} and {@code PASSWORD} request parameters, and delegates
 * the outcome to the API success/failure handlers.
 *
 * @return the configured filter
 * @throws Exception if the authentication manager cannot be obtained
 */
@Bean(name = "authFilter")
public Filter authFilter() throws Exception {
    log.info("Creating authFilter...");

    UsernamePasswordAuthenticationFilter loginFilter = new UsernamePasswordAuthenticationFilter();

    // The path matcher below carries no HTTP method, so every method on the login URL reaches
    // this filter; postOnly makes the filter refuse anything that is not a POST, which keeps
    // credentials out of query strings and access logs.
    loginFilter.setPostOnly(true);
    loginFilter.setUsernameParameter(USERNAME);
    loginFilter.setPasswordParameter(PASSWORD);

    // AndRequestMatcher over a single matcher is equivalent to that matcher alone; the wrapper
    // only becomes meaningful once further conditions (method, header, ...) are added.
    RequestMatcher loginPath = new AntPathRequestMatcher(API_LOGIN_URL);
    loginFilter.setRequiresAuthenticationRequestMatcher(new AndRequestMatcher(loginPath));

    loginFilter.setAuthenticationSuccessHandler(apiAuthenticationSuccessHandler);
    loginFilter.setAuthenticationFailureHandler(apiAuthenticationFailureHandler);
    loginFilter.setAuthenticationManager(authenticationManager());

    // NOTE(review): a Filter exposed as a @Bean may also be auto-registered with the servlet
    // container (e.g. under Spring Boot) in addition to the security chain — confirm it runs
    // only where intended.
    return loginFilter;
}
/**
 * Configures URL authorization, login/logout handlers, the CORS filter and the CSRF scope.
 *
 * @param http the security builder to configure
 * @throws Exception if any configurer fails
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Authorization rules are evaluated in declaration order and the first match wins, so the
    // "/rest/open/**" exemption has to stay ahead of the broader "/rest/**" rule.
    // NOTE(review): there is no anyRequest() fallback — a path matching none of these patterns
    // gets no rule from this block. Confirm that leaving such paths unauthenticated is intended.
    http.authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/*/**").permitAll()
            .antMatchers("/login", "/rest/open/**").permitAll()
            .antMatchers("/logout", "/rest/**").authenticated();

    // Entry point used when an unauthenticated request hits a protected resource
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

    // Form login outcome handlers
    http.formLogin()
            .successHandler(authenticationSuccessHandler)
            .failureHandler(authenticationFailureHandler);

    // Logout endpoint
    http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);

    // CORS handling runs ahead of the rest of the security chain
    http.addFilterBefore(corsFilter, ChannelProcessingFilter.class);

    // CSRF scope: a request needs a valid token unless it matches one of the exemptions below.
    // The exemptions are combined as NOT(a) AND NOT(b) AND ..., i.e. "none of these matched".
    String get = HttpMethod.GET.toString();
    String head = HttpMethod.HEAD.toString();
    String options = HttpMethod.OPTIONS.toString();
    String trace = HttpMethod.TRACE.toString();

    // NOTE(review): the "*" directly after a segment widens each pattern ("/rest*/**" also covers
    // "/restfoo/..."), and "/rest/open*/**" is exempt for every HTTP method. A route such as
    // "/rest/openX/..." would still need authentication under "/rest/**" yet accept
    // state-changing requests without a CSRF token — confirm no such route exists.
    AndRequestMatcher csrfRequired = new AndRequestMatcher(
            // login/logout: only pre-flight OPTIONS requests skip the token
            new NegatedRequestMatcher(new AntPathRequestMatcher("/login*/**", options)),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/logout*/**", options)),
            // REST API: read-only methods skip the token
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", get)),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", head)),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", options)),
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest*/**", trace)),
            // open REST endpoints: no token for any method
            new NegatedRequestMatcher(new AntPathRequestMatcher("/rest/open*/**"))
    );
    http.csrf().requireCsrfProtectionMatcher(csrfRequired);

    // Runs right after CsrfFilter (CSRF token handling for the response)
    http.addFilterAfter(new CsrfTokenResponseCookieBindingFilter(), CsrfFilter.class);
}
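/**
 * Builds the custom authentication filter and scopes it to every request except the
 * endpoints that need no authorisation ({@code /login} and {@code /health}).
 *
 * @return the configured filter
 * @throws Exception if the authentication manager bean cannot be obtained
 */
protected AbstractAuthenticationProcessingFilter createCustomFilter() throws Exception {
    // Endpoints that need no authorisation. Both patterns are exact paths and apply to
    // every HTTP method.
    AntPathRequestMatcher loginPath = new AntPathRequestMatcher("/login");
    AntPathRequestMatcher healthPath = new AntPathRequestMatcher("/health");

    // The filter must run when the request is neither /login nor /health, i.e.
    // NOT(login) AND NOT(health). The earlier form NOT(login AND health) was always true,
    // because no single request matches both paths, so the exemption never took effect and
    // the filter also intercepted /login and /health.
    // NOTE(review): assumes the AuthFilter constructor accepts any RequestMatcher — confirm.
    AuthFilter filter = new AuthFilter(new AndRequestMatcher(
            new NegatedRequestMatcher(loginPath),
            new NegatedRequestMatcher(healthPath)
    ));
    filter.setAuthenticationManager(authenticationManagerBean());
    return filter;
}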