I have been trying to add user roles in my Spring boot application, but i'm getting error code: 403 forbidden.
This is my securtiy configuration :-
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.httpBasic().disable().exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint())
.and().addFilterBefore(new FirebaseIdTokenFilter(), BasicAuthenticationFilter.class)
.authorizeRequests()
.antMatchers("/test").hasAuthority("ROLES_ADMIN")
}
And i have this key "authorities" in my JWT token.
{"authorities": "ROLES_ADMIN"}
What am i doing wrong?
Related
i am working on a java spring boot server which should work as a ressource server and should connect with google authentication.
spring.security.oauth2.client.registration.google.client-id=#google id
spring.security.oauth2.client.registration.google.client-secret=#google secret
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://accounts.google.com/o/oauth2/auth
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://www.googleapis.com/oauth2/v1/certs
I also created a websecurity:
#Configuration
public class WebSecurity extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.authorizeRequests().anyRequest().permitAll()
.and()
.oauth2ResourceServer()
.jwt();
}
I used the dependencies:
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
But it is not working, everytime i got an 401 Unauthorized Response.
As a client i used postman with basic2Auth and i could create a token. What should i do next?
Do i missunderstood anything?
I am writing a Java Spring Boot application that incorporates the Spring Boot Security in my pom.xml. However, It works when I redirect from login to my /home. Though when I change the page again or do a simple ajax call, I get passed a 403 error. I believe it has to do with the security and that page not having the proper access. I am looking for the best way to solve this with still keep my security intake.
Java Security:
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler()) // On authentication success custom handler
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
Java Success Handler:
#Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
String principal = authentication.getName();
System.out.println("Successful login: principal " + principal);
ADID = principal;
response.sendRedirect("/dashboard");
}
Error in Controller:
Error 403 : http://localhost:8080/edit/ajax/doesSomething
So the /dashboard is the first page I get to if the login is successful, then after that the client inputs some fields and is moved to another page that calls a different URL path. It fails I assume when it calls the other paths that are not /dashboard
Your problem is CSRF token. You can disable it in the security configure but it is better you use it. See this site for more information.
Try this ...
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().permitAll()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler())
.and()
.logout().logoutRequestMatcher(new
AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
or disable CSRF as quick fix.
http.csrf().disable();
Add this in java security. This will permit requests to any endpoint or specified ones:
`
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/**").antMatchers("/example/endpoint");
}
`
And you can also keep your
protected void configure(HttpSecurity http) throws Exception
Spring Security "will provide you with a login form"...https://docs.spring.io/spring-security/site/docs/current/guides/html5/hellomvc-javaconfig.html
So how can I trigger the built-in form on the secured requests?
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("admin").roles("ADMIN", "USER").and()
.withUser("guest").password("guest").roles("USER");
}
#Override
public void configure(HttpSecurity http) throws Exception {
http
.httpBasic().and()
.authorizeRequests()
.antMatchers(HttpMethod.POST,"/test").hasRole("ADMIN")
.antMatchers(HttpMethod.PUT,"/test/**").hasRole("ADMIN")
.antMatchers(HttpMethod.DELETE,"/test/**").hasRole("ADMIN")
.antMatchers(HttpMethod.PATCH,"/test/**").hasRole("ADMIN").and()
.formLogin()
.and()
.csrf().disable();
}
When I make a POST to "/test" without signing in, it is correctly prevented and secured, but I'd like Spring to trigger its login form when the request is made from my front-end. Especially without creation of an html file, or a /login Controller, which seems like this feature makes possible.
I'm trying to use spring security to secure a rest/stateless api using JWT tokens. From the research I've been seeing, it involves turning off the spring security session management and then adding some custom filters to handle the user logging in as well as checking for the jwt token.
The problem I'm having is that once i add a filter, it's run on every instead of just the endpoints I want it on. I need to open up the login endpoint as well as a few others that will facilitate enrollment and reference data that doesn't need to be secured.
#Configuration
#EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/user").permitAll()
.anyRequest().authenticated().and()
.addFilterBefore(new StatelessAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
;
}
}
All StatelessAuthenticationFilter does is print "in here". I'm only expecting to see that message print when you go to localhost:8080/api/order, but i see it show up when you go to localhost:8080/api/user.
Is there a way to get this behavior?
The way you configured, the HttpSecurity will be applied to all the URLs including the user endpoint.
authorizeRequests() .antMatchers("/api/user").permitAll() line won't prevent "user" endpoint from authentication filter being called.
It just says that any authenticated user can call it.
You need to apply the filter to "order" endpoint only. Like this:
http .requestMatchers().antMatchers("/api/user") .and() .authorizeRequests().
#tsolakp's answer sorta works for me. I ended up overriding the
configure(Websecurity) method though
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/user");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated().and()
.addFilterBefore(new StatelessAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
;
}
I have a problem with my Spring Boot application in security configuration. I want to apply basic authentication in a URL. My app's default URL is app/v1/items
and my ap'sp secure URL is app/v1/secure/items.
With given configuration basic authentication is not working and I can get items from both URLs. I can not configure the antMatchers.
How can it handle it?
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/**").permitAll()
.antMatchers("/secure").access("hasRole('USER')")
.anyRequest().authenticated();
http
.httpBasic();
http
.csrf().disable();
}
try this code please.
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/app/v1/items/**").permitAll()
.antMatchers("/app/v1/secure/items/**").hasAuthority("USER")
.anyRequest().authenticated();
http.httpBasic();
http.csrf().disable();
}