diff --git a/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java b/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java
index 270b16a8a078d34355efe71c273f1515ddf5f9a1..bd1446af6aaf3a89a79abf5a666d9b81beaf11e8 100644
--- a/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java
+++ b/src/main/java/org/edgegallery/website/config/ClientWebSecurityConfigurer.java
@@ -89,9 +89,9 @@ public class ClientWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 @Override
 public void configure(final HttpSecurity http) throws Exception {
 http.headers().frameOptions().disable()
- .addObjectPostProcessor(new ObjectPostProcessor() {
+ .addObjectPostProcessor(new ObjectPostProcessor() {
 @Override
- public O postProcess(O object) {
+ public O postProcess(O object) {
 LOGGER.info("postProcess setAlwaysReauthenticate true.");
 object.setAlwaysReauthenticate(true);
 return object;
@@ -102,7 +102,8 @@ public class ClientWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 // this api will be used by health-check service, so permit all roles to get mec host list in v1.2
 .antMatchers(HttpMethod.GET, "/mecm-inventory/inventory/v1/mechosts").permitAll()
 .antMatchers(HttpMethod.GET, "/health").permitAll().antMatchers("/webssh").permitAll()
- .antMatchers("/wsserver/**").permitAll().anyRequest().authenticated().and().logout()
+ .antMatchers("/wsserver/**").permitAll().anyRequest().authenticated().and()
+ .addFilterBefore(oauth2ClientAuthenticationProcessingFilter(), BasicAuthenticationFilter.class).logout()
 .addLogoutHandler(new LogoutHandler() {
 @Override
 public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
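Review bot: The filter passed to `addFilterBefore(...)` in this hunk is the same object that the later hunk publishes with `@Bean`, and in a Spring Boot application every `Filter` bean is also registered with the servlet container by default. If that applies to this project, the OAuth2 filter would run once outside the Spring Security chain and once at the position given here, so a `/login` request could be processed twice. I would either drop `@Bean` and keep the instance in a field, or add a `FilterRegistrationBean` for it with `registration.setEnabled(false);`. Whether the class is a full `@Configuration`, so that this call returns the singleton rather than a fresh instance, is not visible in the hunk and should be confirmed. `configure` starts and ends outside the hunk.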
@@ -120,6 +121,7 @@ public class ClientWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 /**
 * oauth2ClientAuthenticationProcessingFilter.
 */
+ @Bean
 public OAuth2ClientAuthenticationProcessingFilter oauth2ClientAuthenticationProcessingFilter() {
 LOGGER.info("oauth2ClientAuthenticationProcessingFilter in.");
 OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter("/login");
@@ -133,6 +135,8 @@ public class ClientWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
 OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
 Map additionalInformation = jwtTokenStore.readAccessToken(details.getTokenValue())
 .getAdditionalInformation();
+ //TODO
+ LOGGER.info("ssoSessionId: {}", additionalInformation.get("ssoSessionId").toString());
 servletContext.setAttribute(additionalInformation.get("ssoSessionId").toString(), session);
 super.onAuthenticationSuccess(request, response, authentication);
 }
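Review bot: The added `LOGGER.info("ssoSessionId: {}", ...)` writes the SSO session identifier to the application log at INFO on every successful login, and that same value is the key under which the HTTP session is stored in the servlet context on the next line. An identifier that ties a user to a live session should not be readable by everyone with log access; log only its presence, e.g. `LOGGER.debug("ssoSessionId present: {}", additionalInformation.containsKey("ssoSessionId"));`, or drop the line. The new call also dereferences `additionalInformation.get("ssoSessionId")` without a null check, so a token that lacks the claim now fails inside the log statement. The bare `//TODO` should say what remains to be done, for example `// TODO: remove ssoSessionId diagnostics before release` if that is the intent. The enclosing success handler begins outside the hunk.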